A new analysis, titled ‘Burning Zerocoins for fun and profit,’ exposes several flaws in Zerocoin, a technology that aims to improve anonymity and used by several cryptocurrencies. The study was published by the Chair of Applied Cryptography on April 12, 2018. The German authors said, “We identified critical coding issues in a software library implementing Zerocoin, allowing an attacker to create money out of thin air and stealing coins from honest users.”
What is Zerocoin?
Zerocoin was originally touted as a cryptographic extension to enable fully autonomous cryptocurrency transactions. It was proposed by a team of cryptographers from The John Hopkins University Department of Computer Science, Baltimore. The team included Ian Miers, Christina Garman, Matthew Green and Aviel D. Rubin.
The original Zerocoin research paper described it as, “A distributed e-cash system that uses cryptographic techniques to break the link between individual bitcoin transactions without adding trusted parties.” Zerocoin primarily works on two operations, mint and spend. Users can convert the number of digital coins they wish to spend to equivalent zerocoin, and this process is called minting.
During the process of minting, each coin is generated using a randomized minting algorithm. The minted coin is allocated a unique serial number which is then released during the spending of the coin. This unique number is validated by the algorithm to prevent double spending using zero-knowledge proofs.
Denial of Spending Attack
Out of the two major flaws highlighted by the paper, the more worrisome one is the denial of spending attack. The unique serial number required to validate zerocoin during spending is a string. Users are required to select a random serial number during initialization.
In the event that an attacker gains access to an honest user’s account, they may then be able to select the same serial number of the target instead of selecting a new serial number. The attacker can spend Zerocoins on the network or transfer them to some other account. Given that nodes would have now validated this unique serial number, they will not recognize a second legitimate transaction with the same matching serial number.
A solution to this problem, as highlighted in the research paper, is to use a new random public key of a signature scheme rather than the serial number. Also, since transactions will need to be signed with a private key, it will become more difficult for hackers to gain access to random Zerocoin.
The researchers also discovered a programming bug in Libzerocoin which was developed as a research prototype by the developers of Zerocoin. They pointed out a programming error that allowed inflation, stating:
“The same zerocoin could be spent multiple times using different representation of the essentially same serial number. This made it possible for attackers to create money out of thin air and inflate the currency.”
Smartcash and Zcoin were two cryptos affected by the inflation bug with both of these altcoins printed out of thin air. For the Smartcash, 2.1 million were generated, whereas for Zcoin, the number is estimated at 17,000. However, these numbers have not been verified by the researchers themselves.
Reply from Zerocoin, Advice for Users
Zerocoin-based zcoin released a statement April 13, 2018, in response to the research paper. The stated that while the inflation bug and the problem of improperly signed transactions did exist previously, the team has already patched the bug. “We were made aware of this flaw by Tim Ruffing who discovered the flaw while he was engaged by us to improve the Zerocoin library and we implemented the necessary code to patch it. We had also disclosed this bug together with Tim Ruffing to several other projects using Zerocoin including PIVX and Zoin.”
For users of the affected cryptocurrencies, it is recommended that you run the latest software only, which can be found on the cryptocurrency’s official website. Secondly, for users of Zcoin and Zoin, it is suggested that if you have unspent minted zerocoins, it is best not to spend them until additional patches and fixes have been applied.