An important security vulnerability has just been discovered in the Zerocoin cryptographic protocol. It allows an attacker to burn the assets of honest users and to create new ones from scratch. Cryptocurrencies using this protocol, such as ZCoin, PIVX, SmartCash, Zoin, and Hexxcoin, are therefore vulnerable, but their teams have already reacted.
The Zerocoin cryptographic protocol was created to address the privacy issues raised by many cryptocurrencies based on a public blockchain, where anyone can see the amounts and addresses involved in a transaction. The cryptography researchers who created Zerocoin rely on a zero-knowledge proof system, which hides the addresses involved in a transaction while still proving that the sender holds the coins being spent. To prevent double-spending, each coin has a unique identifier, its serial number.
However, researchers have recently published an article describing an attack. It uses this same authentication system to spend the assets of honest users, by stealing the serial numbers of the coins they want to spend before those serial numbers reach the network.
Although it is difficult to put into practice, the risk is real: the attacker must find a way to intercept and block the user's network messages (for example at the level of the user's ISP, or through a malicious node if the user goes through Tor). If the attacker manages to intercept the transaction requests before the user broadcasts them on the blockchain, the user's coins become unusable. The attack is complex, but real.
The solution is to derive each coin's serial number from the public key of a new signature scheme, so that a spend is only valid when it is signed with the matching private key.
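The following is an added toy model, not code from Zerocoin or any of the projects named above, that shows why an intercepted serial number is enough to burn a coin in the original design and why binding the serial to a signature key stops this. It models only the spent-serial check (the zero-knowledge proof is left out), uses a hash-based Lamport one-time signature as a stand-in for the signature scheme the fix relies on, and the transaction strings are constructed sample data.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Toy Lamport one-time signature, a stand-in for the signature scheme the fix
# relies on (hash-based, so it needs only the standard library).
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def serial_from_pk(pk) -> bytes:
    # Fix described in the article: derive the coin's serial from the public key.
    return H(b"".join(a + b for a, b in pk))

class Ledger:
    """Models only the spent-serial check; the zero-knowledge proof is omitted."""
    def __init__(self):
        self.spent = set()

    def spend_unbound(self, serial: bytes) -> bool:
        # Original design: the first spend naming a serial wins, whoever sends it.
        if serial in self.spent:
            return False
        self.spent.add(serial)
        return True

    def spend_bound(self, pk, serial: bytes, tx: bytes, sig) -> bool:
        # Hardened design: serial must be H(pk) and tx must carry a valid signature.
        if serial != serial_from_pk(pk) or not verify(pk, tx, sig) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True

def scenario():
    sk, pk = keygen()
    serial = serial_from_pk(pk)
    honest_tx, forged_tx = b"pay merchant", b"pay attacker"  # constructed sample transactions
    old, new = Ledger(), Ledger()
    front_run_old = old.spend_unbound(serial)            # attacker replays intercepted serial first
    honest_old = old.spend_unbound(serial)               # honest spend rejected: coin burned
    front_run_new = new.spend_bound(pk, serial, forged_tx, [bytes(32)] * 256)  # no sk, no valid sig
    honest_new = new.spend_bound(pk, serial, honest_tx, sign(sk, honest_tx))
    return front_run_old, honest_old, front_run_new, honest_new
```

In the hardened ledger, replaying the honest user's own signed message only executes the honest payment as written, since the signature covers the transaction contents, so interception no longer yields a burn.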
Other security vulnerabilities have been discovered in Zerocoin's libraries and are also described in the researchers' article. PIVX, SmartCash, and Hexxcoin responded by updating their clients, but it appears that ZCoin and Zoin have not yet implemented a fix.