Zerocoin has a ‘denial of service’ bug that allows for attackers to burn honest users’ coins. This fact has been known for almost two months now, but remains unfixed.
Peter Todd tweeted in the aftermath that while ZCoin could prove that attackers can’t steal coins, but they couldn’t prove that attackers can’t destroy the coins they don’t own.
"A Tale of Zero Coins" #genesislondon
TIL the original Zerocoin protocol is broken, even though it was "proven secure". They proved an attacker couldn't steal coins, but they didn't prove the attacker couldn't destroy coins they didn't own.
— Peter Todd (@peterktodd) February 22, 2018
A research work published by four researchers in Germany including Ruffing, has now further proved this vulnerability.
We found an attack on Zerocoin leading to vulnerabilities in the cryptocurrencies @zcoinofficial, @zoinofficial, @_pivx , @scashofficial, and @hxxcoin (NOT Zcash); first two are still affected. Joint work with @aravind2112, Viktoria Ronge and @doschroeder.https://t.co/r3EYLxroNG
— Tim Ruffing (@real_or_random) April 12, 2018
The research paper shows how an attacker can force the network to reject an honest transaction as a ‘double-spend’:
In both of the proposed Zerocoin schemes, a minted zerocoin is represented by a public bitstring, which is a commitment to the serial number but hides the serial number at the time of minting. Users are supposed to choose a random serial number to ensure that it is unique (with very high probability). However, an attacker can, instead of taking a new random serial number, freely choose the serial number when he mints a zerocoin.
This leads to the following attack: An honest user tries to spend her (honestly generated) zerocoin and sends the spend transaction (including the serial number) to the network. An attacker, which is assumed to have control over the victim’s network, now blocks that message such that it never reaches the nodes of the cryptocurrency. Then the attacker mints a new malicious zerocoin with the exact same serial number. The attacker can now spend this maliciously zerocoin, revealing the serial number.
As soon as this spend transaction performed by the attacker is confirmed, the nodes in the cryptocurrency network record this serial number as used. As a result, the honest user cannot spend her zerocoin anymore. Whenever she tries, her spend transaction will be rejected as a double-spend, because the serial number has already been recorded as used. This effectively burns the zerocoin of the honest user!
ZCoin is based on the Zerocoin protocol introduced by authors Ian Miers, Christina Garman, Matthew Green, Aviel D. Rubin at The Johns Hopkin University, although none of them are involved with the project themselves.
There are other cryptocurrencies based on the Zerocoin protocol, and they have all had the same vulnerability at some point — but only ZCoin and Zoin still remain vulnerable to the bug, the research says.
When this bug was pointed out in February, ZCoin had said that they are aware of the vulnerability and they have a fix ready that is in internal testing.
The vulnerability is known to us and a patch is ready and in internal testing. It was set to release yesterday but found some minor bugs. We have been working with @real_or_random on this with our devs.
— Zcoin (@zcoinofficial) February 23, 2018
The bug was apparently being fixed with the help of Tim Ruffing, who is one of the authors of the latest research that highlighted the bug. As per Ruffing, the contract with ZCoin had ended soon after they delivered the patches for some of the bugs that they were supposed to fix.
More than one month later though, the bug remains unfixed, and ZCoin is still saying that the bug is already fixed and the fix just needs to be activated on the network. This time they went a little far ahead, and tried to downplay the bug saying that the attack is very hard to pull off anyway.
Our official statement on the "denial-of-spend" Zerocoin attack. In short, the attack is very hard to pull off practically often leading to the attacker losing money, no new coins are created, & the fix is already in place awaiting activation. $XZC#zcoinhttps://t.co/PUBeCm0Uz1
— Zcoin (@zcoinofficial) April 13, 2018
ZCoin has been running in trouble with technical glitches for a while. Another bug was discovered in February, when hackers managed to mint 370,000 coins out of nothing, Emin G Sirer, Cornell Professor, shared on Twitter.
Zerocoin gets hacked, hacker creates 370,000 coins out of thin air: https://t.co/qjfonljwdT
— Emin Gün Sirer (@el33th4xor) February 18, 2017
Such continuous bug discovery and fixing episodes have prompted Matt Odell to conclude that altcoins are just a free market bug bounty program to help improve Bitcoin.
Altcoins continue to be a testbed for future additions/changes to bitcoin.
A free market bug bounty program essentially. The best ideas will be merged into bitcoin. The failed ideas will be ignored. https://t.co/8a2iKPKhRe
— Matt Odell (@matt_odell) April 12, 2018