A post on the official Zcash blog revealed that the company fixed a catastrophic code bug late last year that could have permitted attackers to print infinite coins.
According to the post, the vulnerability was discovered by Ariel Gabizon, an engineer at the Zerocoin Electric Coin Company. The bug was found the night before his talk at the Financial Cryptography conference in March 2018 and was reported to a cryptographer at the Zcash Company on the same day.
The bug, if left unpatched, would have allowed attackers to mint an infinite amount of Zcash tokens (ZEC); it did not affect user privacy in any way. The post revealed that a fix for the vulnerability was implemented on Oct. 28 last year, with the large Sapling network upgrade. The “subtle” bug was contained in zk-SNARKs, a novel cryptographic technique used by the cryptocurrency to shield Zcash transactions, which has been independently implemented by other projects.
After an analysis of the market, the Zcash company found that it could reach two-thirds of the affected capital with only two disclosures. The companies in question, Horizen (previously known as ZenCash) and Komodo, received a PGP-encrypted email on Nov. 13 last year describing the impact of the bug and its fix.
The team does not believe any counterfeiting occurred on Zcash, for several reasons, including that “discovery of the vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess.” The company has found no evidence of counterfeiting after monitoring the total amount of Zcash held in Sprout addresses.