Security Affairs
FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A critical counterfeiting vulnerability addressed in Zcash

A critical counterfeiting vulnerability in Zcash cryptocurrency could have allowed coining an infinite number of Zcash (ZEC) cryptocurrency. Reading some news, investors could believe that cryptocurrencies are not a good investment. A few days ago, QuadrigaCX Bitcoin exchange announced to have lost USD 145 million worth of cryptocurrency because the only person with access to its cold […]

ZCash counterfeiting vulnerability

A critical counterfeiting vulnerability in Zcash cryptocurrency could have allowed coining an infinite number of Zcash (ZEC) cryptocurrency.

Reading some news, investors could believe that cryptocurrencies are not a good investment. A few days ago, QuadrigaCX Bitcoin exchange announced to have lost USD 145 million worth of cryptocurrency because the only person with access to its cold storage has died.

News of the day is that a critical vulnerability in Zcash cryptocurrency could have allowed coining an infinite number of Zcash (ZEC) cryptocurrency.

The Zcash development team have discovered and addressed the shocking critical flaw.

The Zcash cryptocurrency was presented i October 2016 and compared with the popular Bitcoin it ensures total anonymity because each participant in a transaction remains hidden.

With this premise, the Zcash has immediately attracted great interest from investors, miners and of course cybercriminals.

ZCash counterfeiting vulnerability

The Zerocoin Electric Coin Company who developed Zcash disclosed the
counterfeiting flaw that was discovered by its cryptographer Ariel Gabizon.
Gabizon discovered the flaw in its Zcash code on 1st March 2018 just before a talk at the Financial Cryptography conference.

Gabizon immediately reported the flaw to Sean Bowe, a Zcash Company’s cryptographer, the development team decided did not disclose the issue avoid abuses.

Zcash revealed that the flaw was known only by four Zcash employees before it addressed the issue with a patch implemented in the Zcash network on 28th October 2018.

“To exploit the counterfeiting vulnerability, an attacker would have needed to possess information found in the large MPC protocol transcript that was made available shortly after the launch of Zcash.” reads the post published by the company.

“This transcript had not been widely downloaded and was removed from public availability immediately upon discovery of the vulnerability to make it more difficult to exploit.”

Experts at ZCash explained that the exploitation of the vulnerability would have required a high level of technical and cryptographic sophistication, and only a few people have it. The company excluded that attackers have already exploited the counterfeiting flaw.

The counterfeiting vulnerability affected a variant of zk-SNARKs, the implementation of zero-knowledge cryptography Zcash used to encrypt and protect the transactions. zk-SNARKs was also implemented in other different projects.

Komodo blockchains and Horizen were affected by the same flaw and reportedly addressed it after being informed of the issue by Zcash experts in mid-November 2018.

The vulnerability was the result of a “parameter setup algorithm” that allowed “a cheating prover to circumvent a consistency check” and thereby transformed “the proof of one statement into a valid-looking proof of a different statement.”

Experts pointed out that an attacker with access to the multi-party computation (MPC) ceremony transcript (used to set up the privacy features for Zcash) would have been able to create false proofs that falsely convince the original Sprout zk-SNARK verifier of the correctness of a transaction.

The Zcash development team confirmed that the flaw had existed in the cryptocurrency scheme for years.

“The vulnerability had existed for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code.” reported the company.

“The Zcash Company has seen no evidence that counterfeiting has occurred as might be discovered by monitoring the the total amount of Zcash held in Sprout addresses (i.e., the Sprout shielded pool). As long as the value in the shielded pools are greater than zero, no counterfeiting has been detected.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ZCash counterfeiting vulnerability, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]