Further Disclosure on Zerocoin vulnerability

April 26, 2019

Update 20 January 2020:

The window of conversion of Zerocoin mints to Sigma has ended and we are now able to calculate the total damage from this attack.

While a total of 66,996 XZC was forged through this vulnerability, some of these coins were immediately reminted into Zerocoin. As the attack had a specific signature, we were able to blacklist these mints and did not allow them to be converted into Sigma mints.

As such the total damage from this attack is 54,321 XZC.

Following our earlier announcement, we are disclosing further details on the Zerocoin vulnerability that we discovered, as details of the situation have begun to emerge online.

9th April: Our warning systems alerted us to irregularities in the mint and spend patterns of the 100 XZC denomination. We immediately contacted pools to disable Zerocoin spends while we investigated the issue and informed exchanges as well.

On the same date, we informed PIVX, Veil, and Gravity Coin (projects that utilize Zerocoin) of these irregularities and recommended disabling Zerocoin until the root cause was found.

16th April: We posted an announcement on our blog informing users that Zerocoin was disabled.

17th April: We made disclosures to Navcoin (which was developing a Zerocoin variant called ZeroCT on its testnet) and NIX. We created a private Slack working group with Veil, PIVX, Navcoin, and NIX to work on finding the flaw.

19th April: Our core developer Peter Shugalev found the root cause of the issue and confirmed that it was a failure in the cryptography of the Zerocoin protocol and that it affected all Zerocoin implementations. We disclosed to the above-mentioned teams which part of the Zerocoin proof was flawed and how the forgery worked at a high level. We also informed Ian Miers, one of the authors of Zerocoin, who also disclosed it to Matthew Green.

24th April: We released an emergency update to plug any remaining attack vectors, disclosed full details of how the attack was carried out to the other projects, and outlined a potential fix to the proof in the private Slack working group.

What we can tell you

  • Forged coins were created, but not exceeding 1% of the circulating supply. We will release further details on exact numbers when Sigma is released.
  • The issue was not from a coding error, but from a cryptographic flaw in one of the proofs in the Zerocoin protocol that has existed since its inception.
  • Although we believe that Zerocoin can be fixed given sufficient time, we have decided not to dedicate further resources to it. This is in line with our roadmap to transition away from Zerocoin to Sigma, which has no trusted setup, has security proofs for all its proof systems, and has a much simpler construction along with performance benefits.

What we will tell you later, once projects have had time to secure themselves

  • Full description of the cryptographic flaw
  • The exact amount of damage (as mentioned above)
  • How to recover existing Zerocoin mints that remain unspent

What’s Next?

  • The Zcoin team has been working on replacing Zerocoin with Sigma since early 2018, and we are now in the final stages of releasing it on testnet. We aim to launch Sigma on mainnet in around 6 weeks
  • Sigma security proofs are fully documented with a much simpler construction making it easier to audit
  • Sigma’s construction does not suffer from the same flaw as the Zerocoin protocol
  • Sigma removes the trusted setup and brings down proof sizes from 25 kB to 1.5 kB

We held back on making a wider announcement earlier because:

  • Some projects still remain vulnerable, and it is not easy for them to disable Zerocoin if they don’t have sporks
  • Disclosing that it’s a Zerocoin cryptographic flaw can give a potential attacker clues to where to look for the flaw in order to exploit it
  • Some projects are still exploring whether Zerocoin can be fixed. Some have spent significant time improving and expanding the Zerocoin protocol, and we wanted to give them time to evaluate their next steps before declaring Zerocoin broken

Premature public disclosure has necessitated a statement from us.

We strongly recommend that the full details of the attack that Zcoin disclosed to trusted projects and individuals be kept private until projects utilizing the Zerocoin protocol have been given sufficient time to secure themselves. We recommend that any Zerocoin projects that need further details on the flaw contact us from their official project e-mail at [email protected]. If you wish to communicate via PGP, Reuben’s PGP fingerprint is FE90742A2CEB91F1.

Special thanks to Peter Shugalev and the rest of the Zcoin team, who worked tirelessly for more than a week, sacrificing much sleep and rest to identify and mitigate the issue.