The developers of the popular cryptocurrency Zcash, Zcash Company, published a press release , which revealed the details of the vulnerability that allowed hackers to create an unlimited number of fake ZEC coins.
As stated in the document, the vulnerability was discovered on March 1, 2018 by Zcash cryptographer Ariel Gabizon. The hole was in the zk-SNARKS protocol, which is used in Zcash to hide balances and user data. After this, the development team decided not to inform the public about the vulnerability and focus on eliminating it.
Only at the end of October, with the next patch, the Zcash Sapling protocol update was released. After the developers were convinced of fixing the problem, they finally decided to talk about it.
“Vulnerability was related solely to the creation of non-existent coins and did not affect the privacy of users. Until it was eliminated, the attacker could create counterfeit Zcash coins, while remaining unnoticed … The vulnerability was completely eliminated, and no action by Zcash users is required, ”the message says.
The Zcash team assures that most likely no one managed to take advantage of the bug, since even the detection of a vulnerability required an advanced level of technical and cryptographic knowledge that few people possess. Numerous experts, auditors and even startups who have used the Zcash blockchain for their projects have not been able to reveal this security hole for many years.
The crypto-community ambiguously perceived this news – who praises the team to solve the problem "quietly", someone on the contrary condemns for having so long fixed such a serious vulnerability and reported it only now.