TL;DR: Zerocoin, a privacy protocol proposed to obscure the origin of transactions and maintain high levels of anonymity when transacting, has been compromised. Zcoin and other projects that implement it are now advising that it be replaced with other solutions. While the extent of the flaw has not been described, it appears to be a cryptographic bug that lets an attacker forge currency in some way. Enthusiasts are suggesting that all privacy coin projects should pay close attention.

Zerocoin Protocol Compromised

Zcoin developers, who work on the popular Zerocoin protocol, discovered a flaw in the cryptographic system they use to obscure and anonymize transactions. The issue surfaced on 9 April 2019, when Zcoin engineers detected an irregular mint/spend pattern on their 100 XZC denomination. They immediately disabled spending, notified pools and exchanges, and began investigating further.

After forming a group with the other cryptocurrencies that use this protocol to research the issue, they discovered it was indeed a cryptographic flaw in the protocol itself, one that would affect all implementations. The discovery was made by Peter Shugayev, a Zcoin core developer, who disclosed it to the protocol’s original creators.

The flaw supposedly lets attackers mint forged currency and affect the market cap of the coin. In this case, the attack forged less than 1% of the currency's market cap, and the attacking party was not disclosed.

Zerocoin Status, zPIV Spends No Longer Private

The Zcoin team states, in one of their blog posts explaining the issue, that they “believe that Zerocoin can be fixed given sufficient time.” Even so, they have decided not to spend more resources trying to fix it and are abandoning the protocol for a new one called Sigma. The discovery of the flaw has accelerated that substitution. They claim that Sigma resolves several problems Zerocoin presented and improves blockchain security.

Electing not to wait, however, the developers released a new mandatory security update that disables Zerocoin mints and spends in anticipation of the Sigma release. Zcoin was not the only cryptocurrency impacted. PIVX, another project that uses Zerocoin to implement privacy spends as a feature on its network, has also decided to abandon it, convert all zPIV (the currency minted using Zerocoin) to a non-privacy coin, and disable privacy spends.

“Now that the issue has been confirmed,” a zPIV developer posted, “we will no longer wait for the soft-fork to complete and will release a new wallet that will allow conversion of all zPIV held in the wallet to PIV. This will mean that all users will be able to fully access their funds immediately once released. This new release will be mandatory, and the zPIV spends **will no longer be private** in light of this new vulnerability.” At press time, there has not been a public statement from the original creators of the compromised protocol.