Monday, February 20, 2017

A Typo in Zerocoin's Source Code helped Hackers Steal ZCoins worth $585,000


Are you a programmer? 

If yes, then you would know the actual pain of... "forgetting a semicolon," the hide and seek champion since 1958. 

Typos annoy everyone. Remember how a hacker's typo stopped the biggest bank heist in the history, saved $1 billion of Bangladesh bank from getting stolen. 

But this time a typo in the Zerocoin source code costs the company more than $585,000 in losses. 

Zerocoin cryptocurrency protocol is designed to add true cryptographic anonymity to Zcoin transactions that take full advantage of "Zero-Knowledge proofs" to ensure the complete financial privacy of users. 

Zcoin announced Friday that " a typographical error on a single additional character" in the Zerocoin source code helped an attacker to steal 370,000 Zerocoin, which is over $585,000 at today's price. 

"We estimate the attacker has created about 370,000 Zcoins which has been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC," the Zcoin team said.


The team said the bug was created due to one extra character left inside Zerocoin source code that allowed the unknown attacker to reuse his/her existing valid proofs to generate additional Zerocoin spend transactions. 

In short, by initiating one transaction, the attacker received Zcoins multiple times over. 

The Zerocoin team explicitly mentioned that the bug wasn't due to any weakness in its cryptographic protocol, and anonymity of Zcoin or its users has not been compromised. 

"We knew we were being attacked when we saw that the total mint transactions did not match up with the total spend transactions," the team said. "If our total supply were not verifiable due to hidden amount transactions, we would not have been able to discover this bug."


According to the Zerocoin team, the attacker or group of attackers were very sophisticated in hiding their tracks through the generation of lots of exchange accounts and carefully by spreading out deposits and withdrawals over several weeks. 

The team is set to release an urgent fix within the next 24 hours. So, all pools and exchanges are advised to update their software as soon as the release is out.

0 comments:

Post a Comment