On August 22, 2020, Reuben Yap, the COO of Zcoin, revealed that his team had detected and patched a critical bug that allowed for inflation.
In an official blog post, Yap explained that the vulnerability was a result of a major core upgrade from Bitcoin core 0.13 to core 0.14. The inflation bug found its way into the Zerocoin protocol after the upgrade was finalized on June 3, 2020.
The inflation bug in core 0.14 was first reported in a common vulnerabilities and exposures (CVE) report released by Bitcoincore.org in 2018. At the time, Zcoin wasn’t affected as it was still running on the older Bitcoin core 0.13.
After the June 3 upgrade that merged the bug into Zcoin’s protocol, a rogue character mined a block that exploited this bug on14 August 2020 (20:16:42 UTC).
The miner managed to forge 384,400.82 XZC out of thin air before the Zcoin team moved in to patch the vulnerability. To prevent inflation on the Zcoin network, Yap and his team then froze part of the created coins (173,269.86 XZC) with the help of the mining pools such as 2Miners, Mintpond, and F2Pool.
Most of the other forged funds (161,664.24 XZC) that hadn’t been traded yet were sent to top exchanges like Binance Huobi and Bittrex, where they remain locked down.
According to today’s disclosure by Reuben Yap, discussions are underway over what to do with the inflated XZC created from the attack.
ZCoin Faced an Earlier Exploit
The exploit on Zcoin comes just over a year after a similar attack occurred on the network. On April. 9, 2019, the XZC team discovered a vulnerability in the Zcoin protocol that enabled hackers to forge zero-knowledge proofs and create new coins out of thin air.
Following the exploit, the Zcoin dev team contacted all pools, exchanges, and projects that utilized the protocol and advised them to discontinue normal operations. At the same time, an emergency update was released on April 24.
Following investigations, the Zcoin team discovered that the core issue was an underlying cryptographic flaw. This vulnerability allowed malicious actors to create new coins illegitimately and inflate the cryptocurrency.
And now, the August 14 exploit highlights more underlying vulnerabilities on the XZC network. Following the latest attack, Zcoin has implemented an early public release of Zcoin v0.14.0.5, which restores the ability to do Sigma privacy transactions.
Mr. Yap now advises other projects to act early to preempt such occurrences:
“We hope other projects using a Bitcoin core do take heed of this experience and double-check their implementations,” he asserted.
He added that exchanges would reopen deposits and withdrawals to users after secure transactions on the network are re-enabled on August 26, 2020.
Inflation Bugs Found in Stellar and Ravencoin
Stellar and its token XLM faced a similar attack to Zcoin when an inflation bug was exploited, and 2.25 billion XLM tokens were created in 2019.
A report by Messari revealed that the XLM team didn’t disclose the attack to the public at the time and quietly fixed the inflation bug before burning the created tokens.
More recently, on June 3, 2020, Ravencoin faced a similar inflation bug attack that saw 1.5% of the total supply of its coins minted by hackers.
As per a medium post, the hackers walked away with around 315 million RVN tokens ($5.7M). All miners and nodes have since upgraded to a newer version of the network to preempt further attacks.