
Zerocoin implementation bug - marksamman
https://zcoin.io/language/en/important-announcement-zerocoin-implementation-bug/
======
josu
The current market cap of Zcoin is 1,538 BTC [0], so this person created 1/4
of all the coins in circulation (410 BTC), and these guys are saying: "We knew
we were being attacked when we saw that the total mint transactions did not
match up with the total spend transactions". It took them way too long to
realize that they were being outsmarted.

EDIT: u/aftbit also posted this on the thread: "They even cited the ability to
detect hacks like this as a key advantage over Zcash. [1]"

[0]
[https://coinmarketcap.com/currencies/zcoin/](https://coinmarketcap.com/currencies/zcoin/)

[1] [http://blog.zcoin.tech/zcoin-and-zcash/](http://blog.zcoin.tech/zcoin-and-zcash/)

~~~
desdiv
Or alternatively, the developers designed this hard-to-find typo/bug years ago
and have now just quietly cashed out.

~~~
meowface
Seems very unlikely since it would inevitably cause many to lose faith in the
currency. If they really want to cash out, they can just do what almost every
other upstart cryptocurrency founder does and make it clear they're taking
some of the pie.

~~~
GrinningFool
If they just want out, the things that happen to the currency don't matter to
them - they're already gone.

~~~
meowface
That's true, but if this was the epic exit scam they were planning for so many
years, it's a bit disappointing.

~~~
dnautics
410 BTC is half a million dollars.

~~~
meowface
True, but many of these currency founders are looking for millions.

Not saying it's impossible this is a scam, but I still doubt it.

------
fpgaminer
Let me get this straight. Zerocoin has a bug, money gets stolen, the bug is
fixed. Everyone in the comments loses their shit and calls doom and gloom for
all cryptocurrencies. The experiment has failed, centralization was right all
along!

Meanwhile, centralized systems like credit cards are stolen en masse, identity
theft abounds, anybody can file your taxes with the IRS and collect your
refund, and an ACH can be initiated against your bank account using all the
information helpfully printed on every check you hand to strangers... and no
one bats an eye?

I don't get it.

~~~
kentonv
Stating the obvious here, but...

Fiat financial security is based on monitoring, paper trails, and legal
consequences for fraud. Yes, you can initiate a fraudulent ACH knowing only
the numbers printed on a check you received, but you'll probably end up in
jail for it. It's far from perfect but it mostly works.

Cryptocurrency intentionally doesn't have any paper trails. Anonymity is the
selling point. If you find a bug in the code and exploit it, the anonymity
protects you and you likely won't be caught. That means that security depends
entirely on the code (and the theory!) being correct.

So yes, when bugs in fact lead to massive amounts of money being lost... some
people are going to argue that cryptocurrency may not be a good idea.

(Note: My personal opinion is mixed.)

> Zerocoin has a bug, money gets stolen, the bug is fixed.

You say this as if it isn't a big deal. Sure, the bug is fixed, but the
attacker essentially stole 25% of everyone else's zcoin (via inflation), and
fixing the bug doesn't bring any of it back. That seems like a big deal to me.

~~~
tdfx
Actually the whole point of the distributed blockchain is that there's a very
public paper trail. The only hope for anonymity is obfuscating the movement of
value through the blockchain, which can be accomplished to varying degrees
depending on the sophistication of who is trying to track you. If your theft
is high profile enough then you'll have a good deal of trouble liquidating
your funds anonymously.

~~~
rtpg
it's the ultimate irony. It feels like anonymity because you decouple the "get
a bunch of BTC" from "cash out to USD", so it's the worst of both worlds.

It's anonymous at first, so fraud can't easily be reversed. But it's
"eventually completely public", so people who might want to use it for
anonymity are sitting on a ticking time bomb. Eventually, their identities
will be revealed.

~~~
blunte
Indeed, but people just don't seem to get this. As long as people are
converting fiat to crypto at the front end, and then crypto back to another
fiat at the back end, then there is no anonymity. There may be a lot of
obfuscation in the middle, but ultimately the guy who converts back to fiat
will be asked the question by his government, "Where did this money come
from?" Then he needs a provable paper trail.

Maybe someday enough goods and services will be available to be purchased by
cryptocurrency that fiat use will be diminished or eliminated. But at that
point, the companies that are accepting cryptocurrency as payment for services
will have to keep their own accounting in order to show their governments
where their money is coming from. And then again the anonymity breaks down.
The customer records, with email, IP, and shipping addresses, are part of the
audit trail.

~~~
legohead
"I found a printout of the bitcoin key."

------
wmf
What's better than stealing magic Internet money? Creating anonymous magic
Internet money out of thin air, then selling it. Brilliant.

But seriously, I'm not sure which is worse: Watching your stolen money move
around the blockchain knowing you are helpless to do anything about it, or
being provably unable to even tell the difference between "real" and
"counterfeit" coins.

~~~
brilliantcode
Blockchain and cryptocoins will face the same fate that HYIP forums / Liberty
Reserve went through: regulatory enforcement and social stigmatization.

~~~
wyager
> regulatory enforcement

The only place regulatory enforcement could hit Bitcoin is at the fiat
exchanges, which are already beholden to KYC/AML.

> social stigmatization

People have already tried that; "Bitcoin is only for illegal drugs and guns!"
Didn't work.

~~~
obstinate
It didn't?

~~~
dwaltrip
Have you checked the charts? Usage and price are essentially at all-time
highs, and are creeping higher.

~~~
wcummings
People like drugs.

~~~
petre
Or the Chinese, Venezuelans and Indians are buying BTC because either somebody
else is in control of their currency or their currency is out of control.

------
arez
All these blockchain currencies seem to have really good bug bounty programs;
this one gave out almost half a million dollars (410 BTC).

~~~
brilliantcode
Ethereum takes the record for paying out $53 million dollars (943 BTC X 53 =
lots). Technically, it wasn't even theft or a bug since Ethereum & DAO proudly
claimed "Code is Final Law".

I almost feel like cryptocoins and blockchains are set out to do one thing
really well: show how superior centralized systems are and how easy it is to
trick people with pseudo-academic jargon. Just read Vitalik's writing, peppered
with superficial pseudo-academic, charlatan, pedant language that its zealots
gladly eat up, with little to no effort to dissect and analyze fact from
fiction.

~~~
guard-of-terra
> how superior centralized systems are

Tell us? Because around here, I saw a huge number of bank frauds go basically
unpunished. "Yes, those guys duplicated your SIM and stole all your funds. Too
bad for you, since we're not going to even try to catch them."

Centralized systems might be efficient but the rule is, they don't care about
you, so it's not your problems that they're going to solve. At least I can
have some faith in the code, which is the final law.

~~~
rtpg
wait a sec.

Someone steals my credit card, and if I notice within 2 months, I can get
everything back. Another advantage is that it doesn't take several hours (and
huge amounts of wasted electricity) for a transaction to go through. My bank
hasn't been siphoning my funds either. I wouldn't trust any cryptocurrency
exchange with holding even 10% of my monthly salary.

Sure, governments can get my bank records. But my bank records aren't
literally inscribed on a public ledger! I don't have to make a bunch of fake
bank accounts to protect my privacy from the random data scientist with the
blockchain, because if I use my main account and my identity gets leaked from
some random service I used, then now everyone knows who I am.

It doesn't matter if they don't care about me. Nobody cares about me. But the
incentives are partially aligned: systems with higher trust require less
friction. And things like credit cards prove that you can build protections.

And "code is law" is not really extendable across society. We have contracts,
of course. But almost all contracts include a "Use common sense"-style clause,
which is the whole point lawyers and judges exist in the first place.

How can you build "force majeure" clauses into code without some third party
arbitrator?

Of course, having a decentralized backbone is neat. A long time ago, anyone
could make gold coins! It wasn't like some evil cabal was like "Oh, we shall
unify all the currencies and CONTROL EVERYTHING!" Centralization happened
because it was kinda useful.

Half of cryptocurrency stories are "techies discover why banks do the things
they do". For example: I imagine more and more exchanges will partner up to do
off-chain transactions. At one point, a lot of stuff will happen off-chain.
Question: what do you think Visa does?

I do not see a decentralized currency ever becoming big enough to be a real
fraction of economic transactions without it becoming most of what we already
have. Competition is good! But I think some cryptocurrency enthusiasts are in
for disappointment if they want critical mass.

~~~
mrb
_"Someone steals my credit card, and if I notice within 2 months, I can get
everything back."_

No. You may still be liable for $500 if you fail to report it within 48 HOURS:
[http://consumer.findlaw.com/credit-banking-finance/are-you-l...](http://consumer.findlaw.com/credit-banking-finance/are-you-liable-for-unauthorized-credit-card-charges.html)

_"Another advantage is that it doesn't take several hours"_

You hold a common misconception of how transactions work. Bitcoin transactions
are transmitted/notified instantly (like credit cards). Transactions will be
confirmed and spendable by the recipient within 10min on average (with CCs it
takes 1-3 days until the merchant gets the money). Finally transactions are
considered irreversible/definitely non-fraudulent after 6 blocks or 60min on
average (with CCs it takes 60 days since charge backs are possible for 60
days).

So if you compare apples to apples, Bitcoin is always faster than credit
cards.

_"huge amounts of wasted electricity"_

This is not wasteful: [http://blog.zorinaq.com/bitcoin-mining-is-not-wasteful/](http://blog.zorinaq.com/bitcoin-mining-is-not-wasteful/)

~~~
rtpg
that argument about bitcoin mining not being wasteful just shows it's not
wasteful compared to other decentralized, trustless currencies. It still loses
out to traditional payment methods.

"It will only use 1% of the world's electricity consumption". We can only do
that for 100 things. Does "decentralisation of currency" belong in the top 100
things to devote electricity generation to?

EDIT: do you have a link to a fuller explanation about transaction speeds? I
do not understand how transfers can happen so quickly without introducing a
risk of double spend.

~~~
mrb
Why would the argument be only valid when compared to other decentralized,
trustless currencies? The benefits indirectly extracted from Bitcoin mining
($1B invested in 729 companies, thousands of jobs created, etc) exist
precisely because Bitcoin has advantages over other _traditional_ payment
systems.

_"Does "decentralisation of currency" belong in the top 100 things to devote
electricity generation to?"_

I think so. If (big if) Bitcoin ever becomes so successful that 1% of the
energy is spent on it, think about the massive scale of positive social and
economic changes it means it will have brought: freeing people from economic
censorship and persecution, reducing international payment friction hence
increasing economic trade, etc.

But I think neither you nor I can envision the scale of such potential social
and economic changes. It is like asking a random person from the 1890s how
much do they think automobiles will change the world, and almost nobody would
have predicted automobiles are a major enabler of the economic expansion of
the 20th century.

Transaction speeds: zero-conf txs are at risk of a double-spend, but in
practice this happens extremely rarely.

------
ianmiers
What went wrong: TL;DR, probably Ctrl-C, Ctrl-V.

(Just to be clear, this is about Zcoin, not Zcash/Zerocash. The two are
completely different)

The fix is here:
[https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4d...](https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4df4fb89c2775ec971982cfc8996)

What happened?

First, some stylized facts about ZCoin:

0) ZCoin is a fork of Bitcoin that uses a 4-year-old academic research
library, libzerocoin, to make anonymous payments using the Zerocoin protocol.

1) Unlike Zcash/Zerocash, the Zerocoin protocol has only fixed value coins.

2) To get multiple denominations, you have completely separate instances of
the anonymous currency that just happen to live on the same blockchain as the
other denominations.

3) Zerocoin has its own bitcoin-like, non-anonymous base currency. Call it
basecoin.

4) You spend basecoins to get zerocoins.

5) When you spend zerocoins, you get basecoins.

6) ZQ_WILLIAMSON and ZQ_PEDERSEN are denominations, worth 100 and 50
respectively, defined in libzerocoin.

So what went wrong?

When you convert a zerocoin into 100 basecoin, the ZCoin code forked from
bitcoin checked if the coin was a valid instance of ZQ_PEDERSEN (worth 50),
not ZQ_WILLIAMSON (worth 100). So you paid 50 for the zcoin, got it into the
instance for ZQ_PEDERSEN, but got back 100. Free money.

Why did this happen? Well, it looks like in order to support the multiple
denominations libzerocoin offers, the ZCoin developers wrote some code for one
denomination and then duplicated it for each remaining denomination. There are
five in total: ZQ_LOVELACE = 1, ZQ_GOLDWASSER = 10, ZQ_RACKOFF = 25,
ZQ_PEDERSEN = 50, ZQ_WILLIAMSON = 100.

But on the last one, ZQ_PEDERSEN was not changed to ZQ_WILLIAMSON in a few
places. This caused the bug.

Caveat: I have nothing to do with ZCoin. However, I am an author of the
zerocoin protocol, libzerocoin, the zerocash protocol, and am involved with
Zcash.

~~~
skolsuper
Another major bug caused by copy+paste. I seem to remember a security
researcher article months (years?) ago that identified this theme, showed a
way to grep a codebase for likely c+p errors and found a load of bugs in real
production code that had remained hidden for years. I think I landed there
from HN, but my google-fu is failing me now, can anyone else remember it?

~~~
wuschel
Interesting.

How would you minimize these types of errors by design or best practice?

I guess languages with a lack of higher order abstractions and no strong type
system might be more prone to this type of error.

~~~
daira
This isn't a subtle or difficult-to-find case. It's a case of "why the heck
would anyone write code like that, in any language, in the first place?" The
only language-level abstraction needed to avoid this particular kind of
duplicated code, is a loop.

------
desdiv
Anyone know which line of code they're talking about?

I took a glance at their Github bug tracker and couldn't find any references
to this bug.

[0]
[https://github.com/zcoinofficial/zcoin/issues?q=is%3Aissue+i...](https://github.com/zcoinofficial/zcoin/issues?q=is%3Aissue+is%3Aclosed)

~~~
ycmbntrthrwaway
Better look at commits.

I am not familiar with their code base, but latest commit seems like a bugfix:
[https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4d...](https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4df4fb89c2775ec971982cfc8996)

~~~
notimetorelax
So... where's a unit test to make sure this never happens again?

~~~
edsouza
I'd rather actually see a real comment if there is no time to create a unit
test.

Why does changing ZQ_PEDERSEN to ZQ_WILLIAMSON fix the bug?

Having meaningful named constants would make much more sense.

Edit: On full view of the code, the bug could be avoided if they broke out the
if <denominationX> blocks into their own function, and to prevent "typo"
errors, it would be good to have a local variable named current_denomination =
denominationX, and then reference that local variable instead of referencing
the constant every time.
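A constructed sketch of the copy-pasted shape Ian describes, beside the table-driven loop daira and edsouza suggest, plus the per-denomination mint/spend count that the announcement says exposed the attack. This is added example code, not zcoin's or libzerocoin's: Denom, SpendTx, VerifyInInstance and SupplyLedger are stand-ins invented here, and only the denomination names and values come from the thread.

```cpp
#include <cstdint>
#include <map>

// Denominations as listed in the thread (values in basecoin).
enum class Denom : int64_t {
    ZQ_LOVELACE = 1, ZQ_GOLDWASSER = 10, ZQ_RACKOFF = 25,
    ZQ_PEDERSEN = 50, ZQ_WILLIAMSON = 100
};

// Constructed stand-in for a zerocoin spend. Real code verifies a
// zero-knowledge proof against one denomination's accumulator; here the
// "proof" is simply which instance the coin was minted into.
struct SpendTx {
    int64_t claimedValue;  // basecoin the spender asks to receive
    Denom   provenIn;      // instance the proof actually verifies in
};

static bool VerifyInInstance(const SpendTx& tx, Denom d) {
    return tx.provenIn == d;
}

// Buggy shape (constructed): one block per denomination, copy-pasted. The
// last block still names ZQ_PEDERSEN, so a 50-instance coin pays out 100.
bool ValidateSpendCopyPasted(const SpendTx& tx) {
    if (tx.claimedValue == 1)   return VerifyInInstance(tx, Denom::ZQ_LOVELACE);
    if (tx.claimedValue == 10)  return VerifyInInstance(tx, Denom::ZQ_GOLDWASSER);
    if (tx.claimedValue == 25)  return VerifyInInstance(tx, Denom::ZQ_RACKOFF);
    if (tx.claimedValue == 50)  return VerifyInInstance(tx, Denom::ZQ_PEDERSEN);
    if (tx.claimedValue == 100) return VerifyInInstance(tx, Denom::ZQ_PEDERSEN);  // not updated
    return false;
}

// Fixed shape: one table, one loop. The value compared and the instance
// verified come from the same entry, so there is no second copy to edit.
bool ValidateSpendTableDriven(const SpendTx& tx) {
    static constexpr Denom kDenoms[] = {
        Denom::ZQ_LOVELACE, Denom::ZQ_GOLDWASSER, Denom::ZQ_RACKOFF,
        Denom::ZQ_PEDERSEN, Denom::ZQ_WILLIAMSON};
    for (Denom d : kDenoms)
        if (tx.claimedValue == static_cast<int64_t>(d)) return VerifyInInstance(tx, d);
    return false;  // unknown value: reject
}

// Detection the announcement relied on: spends can never exceed mints.
// Tracking it per denomination points straight at the inflating instance.
struct SupplyLedger {
    std::map<Denom, int64_t> mints, spends;
    void Mint(Denom d)  { ++mints[d]; }
    void Spend(Denom d) { ++spends[d]; }
    bool Consistent() const {
        for (const auto& kv : spends) {
            auto it = mints.find(kv.first);
            int64_t minted = (it == mints.end()) ? 0 : it->second;
            if (kv.second > minted) return false;
        }
        return true;
    }
};
```

A unit test that walks every denomination through both a legitimate spend and a mismatched one, and checks the ledger after each, is the regression test notimetorelax asks for.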

~~~
Rangi42
Apparently those are names for 50 and 100 BTC.

From this presentation[1] or the source code[2]:

    1 Lovelace = 1 Bitcoin
    1 Goldwasser = 10 Bitcoin
    1 Rackoff = 25 Bitcoin
    1 Pedersen = 50 Bitcoin
    1 Williamson = 100 Bitcoin

But yes, those are meaningless names in themselves. Metric prefixes like
"hectobitcoin" would be better.

[1]: [https://sar.informatik.hu-berlin.de/teaching/2013-w/2013-w%2...](https://sar.informatik.hu-berlin.de/teaching/2013-w/2013-w%20Electronic%20Identity/slides/Anonymit%C3%A4t_in_Bitcoin_.pdf)
[2]: [https://github.com/Zerocoin/libzerocoin/blob/master/Coin.h#L...](https://github.com/Zerocoin/libzerocoin/blob/master/Coin.h#L19-L27)

------
ng12
> A typographical error on a single additional character in code

Really wonder what this was.

~~~
epmatsw
== vs = perhaps?

~~~
emmelaich
Yeah that seems quite possible.

(And people mock me for putting constants first! i.e. if (someconstant ==
somevar) { ...)

[edit: nope, looks like this is it]

[https://github.com/zcoinofficial/zcoin/commit/b20c177032de3c...](https://github.com/zcoinofficial/zcoin/commit/b20c177032de3c4bfae62b5ada768a5dc2b4fa67)

~~~
daira
No, that is not the bug. See Ian Miers' comments.

------
Cyph0n
Exploiting such a tiny bug is damn impressive if you ask me. The bloke who
pulled this off deserves the cash.

~~~
nemo1618
Unless the "bug" was inserted by a developer...

I'm really curious to see the "single character" in question and assess
whether it might have been intentional.

------
hueving
>trading will resume once pools and exchanges have had time to update their
code. A new release will be pushed out pretty soon.

Does this imply this company has the power to stop all trading on the
currency? If so, why would anyone ever want to use this?

~~~
tlrobinson
No, it implies they can nicely ask the exchanges to stop all trading, and the
exchanges can make that decision or not.

------
Entalpi
Finally money can have bugs.

------
koolba
So who eats the loss for this?

~~~
thinkloop
Every owner eats a tiny bit of it with the downward pressure on value caused
by the artificially increased supply. Also, decreased trust reduces demand
pressure further lowering value for everyone.

~~~
oh_sigh
It's not really a tiny bit... ~30% of the network's value was fabricated.

~~~
alvarosevilla95
And every coin owner took a tiny bit of that loss.

~~~
Tepix
The currency is down more than 12%.

~~~
maxamar
So they've made 18% value huh?

------
aftbit
Hmm, I know about Zcash and Monero, but I haven't read much about Zerocoin.
I'll be staying away, especially after a 410 BTC hack. They even cited the
ability to detect hacks like this as a key advantage over Zcash.

[http://blog.zcoin.tech/zcoin-and-zcash/](http://blog.zcoin.tech/zcoin-and-zcash/)

~~~
Gaelan
That's the point. ZCash could have a bug of the same magnitude, and we'd be
none the wiser.

