- Zcash vulnerability discovered 11 months ago and fixed 3 months ago was just announced today
- The Team claims the bug was kept secret to avoid hackers from exploiting it, but the situation raises ethical questions about lack of transparency in publicly trading crypto projects
- Zcash had decreased 0.5% and currently trading at $48.25 for ZEC. Total market cap of $281 million.
Zcash reported today that a ‘counterfeiting vulnerability’ was discovered by their development team 11 months ago, on March 1st, 2018. The vulnerability would have allowed hackers to create fake Zcash coins. Fortunately, it was fixed during a recent Zcash network upgrade on October 28th 2018.
It is not uncommon to discover vulnerabilities in the code of blockchain protocols. However, what is strange about this story is the fact that we’re just hearing about it today even though it occurred eleven months ago, and also the fact that the vulnerability wasn’t fixed until three months ago.
This means that for eight months, basically any hacker who discovered the vulnerability could have produced fake Zcash coins.
The Zcash team stated that the reason why the vulnerability wasn’t made public was because they believed that a public announcement would lead to the vulnerability being exploited before they had the chance to fix it. The team set about trying to repair the broken code on the core blockchain as well as on other project that are connected to Zcash.
During that while, stringent operational security measures were taken to keep the vulnerability secret, even to some of their own engineers.
In fact, upon deeper analysis of the code, Zcash discovered that the vulnerability had actually existed for years but was undiscovered by numerous expert cryptographers and engineers from the team.
The company claims that no one ever exploited the vulnerability, but it doesn’t seem like there’s any way for the public to verify this info.
Been kept secretly due to fears of market reaction?
Another possible reason why the team kept this vulnerability secret is because of fears that exposing the truth without a remedy to fix would have caused the price of Zcash to crash.
After all, if fake versions of a coin can be created, there’s no reason to hold on to the real ones because you assume they will drop in value as the unofficial circulating supply starts to increase and inflation causes the value of ZEC to decrease.
If the vulnerability were revealed when it was discovered in March, we would have likely seen the price of Zcash drop way more than it did during the 2018 bear market.
Ultimately, although the situation was resolved and no parties were negatively affected (as claimed by Zcash), it does raise many ethical questions around transparency and whether projects whose tokens are publicly trading should be obligated to reveal such discoveries, rather than waiting months to fix the issue then letting investors know after the fact.