A bug has been identified in zencashjs, an npm library used in several light client Horizen wallets. So far only one affected user has been discovered. Users should not send any transactions to addresses starting with “zt” on mainnet until updated releases of the affected wallets are made available. A fix has already been created and distributed to all affected wallets.

Everyone relying on the library in their software is advised to upgrade to the latest version, v1.2.0, which includes a fix for this bug.

Zencashjs versions prior to v1.2.0 determine the destination address type of a transaction (P2PKH or P2SH) by comparing the first two characters of the Horizen address as a string. Those two characters are only a by-product of base58 encoding the version bytes together with the rest of the payload; it is the decoded version bytes that define the address type. Due to the version byte prefixes chosen in Horizen, the two-character prefixes of testnet P2PKH addresses and mainnet P2SH addresses can clash: testnet P2PKH addresses start with “zt”, and a subset of mainnet P2SH addresses also starts with “zt”.

Zencashjs versions prior to v1.2.0 therefore erroneously interpret a transaction to a mainnet P2SH address starting with “zt” as a P2PKH transaction. Any funds sent to a mainnet P2SH multisignature address starting with “zt” are sent to the wrong address (a P2PKH output for which nobody holds a matching key) and are lost.

Horizen wallets affected by this bug:

Sphere by Horizen in light client mode <= 1.0.1-beta

Zen Mobile Wallet <= v0.0.14

Updated versions of Horizen maintained wallets are expected over the next few days.

Horizen wallets not affected by this bug:

Horizen Desktop GUI Wallet “Swing Wallet”

Sphere by Horizen in full node mode

Arizen

Horizen command line client

Myzenwallet.io (already patched)

Mitigation Strategies

Until updated releases of the affected wallets are made available users should not send any transactions to addresses starting with “zt” on mainnet. Updated versions of Horizen maintained wallets are expected over the next few days.

Exchanges that use multisignature addresses for deposits are advised either to use only P2SH deposit addresses starting with “zs” and discard any newly generated address that starts with “zt”, or to suspend deposits until fixed versions of the affected wallets have been widely adopted by users, to prevent loss of their customers' funds.