The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash (ZEC).
Yes, infinite… like a never-ending source of money.
Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous than Bitcoin, as the sender, recipient, and value of transactions remain hidden.
In a blog post published today, the Zerocoin Electric Coin Company—the startup behind Zcash—revealed that one of its employees, Ariel Gabizon, discovered the vulnerability in its code on 1st March 2018, the night prior to his talk at the Financial Cryptography conference almost a year ago.
Gabizon contacted Sean Bowe, a Zcash Company’s cryptographer, immediately after discovering the counterfeiting vulnerability, as dubbed by the team, and the team decided to keep the flaw secret in order to avoid the risk of attackers exploiting it.
According to the company, only four Zcash employees were aware of the issue before a fix was covertly included in the Zcash network on 28th October 2018.
Besides this, since “discovering this vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess,” the company believes that no one else was aware of this flaw and that no counterfeiting occurred in Zcash.
Now, the Zcash team detailed all about the vulnerability on its official site to inform the broader public, which if exploited, would have allowed an attacker to print an infinite amount of Zcash tokens.
images from Hacker News