ZecSec: Zcash Ecosystem Security


Zcash Ecosystem Security Overview

This page serves as an overview of the Zcash ecosystem from a security auditor’s point of view. It lists all of the projects that are intended to fall under the scope of the ZecSec project, as well as past audit reports, notable security bugs, and open security/privacy challenges in the Zcash ecosystem. You can think of this page as “a security auditor’s guide to Zcash.”

This page is updated quarterly. The last update was on 2023-01-01.

ZecSec Audits

So far, the ZecSec project has completed the following security audits:

Highlighting Open Problems and Challenges

There are several “big picture” security and privacy challenges for Zcash that are on ZecSec’s radar. These are not necessarily being worked on as part of ZecSec, but are being spotlighted here as our recommendations for ecosystem-wide priorities.

Scalable Privacy For Wallets

A challenge faced by all cryptocurrencies that aim to offer strong, formal privacy guarantees is: how can wallets find their funds and make those funds spendable quickly and efficiently?

At present, Zcash uses “trial decryption”, where the wallet must try to decrypt every transaction on the blockchain to find the ones that belong to it. There are many alternatives to this design with varying levels of privacy and scalability. We’ve surveyed them in our post, Scalable Private Money Needs Scalable Anonymous Messaging.

Unintentional and/or Forced Use of Transparent Transactions

Usage of transparent transactions on the Zcash blockchain remains high. Transparent addresses and transactions offer users the ability to transact transparently, with consent, whenever they wish to do so. However, the high transparent usage might be a sign that some users misunderstand the privacy level provided by transparent transactions, or that users are forced into making parts of their transactions transparent by third-parties who do not fully support shielded addresses.

I know of at least one anecdote where someone put themselves at risk by using a transparent address, because they thought “Zcash is private.”

In our view, this problem should be tackled with (a) research into how frequently users misunderstand the privacy properties of using transparent addresses, (b) UX design within wallets that communicates privacy levels clearly and simply, (c) support requests from the community to third parties and extra engineering effort to increase shielded adoption, (d) an eventual removal of transparent addresses, replaced by the use of viewing keys.

Secure Messaging with the Memo Field

A popular use case for Zcash’s memo field is sending messages. However, Zcash’s memo field currently lacks several properties that are required for secure messaging. For example, it is not signed, so wallets cannot be sure of messages' origins, and it is not forward-secure, so if keys are compromised, all past messages can be decrypted.

We would like to see the memo field extended with more features so that it is easy to build messengers on top of it with Signal-like security properties.

Mitigating C++ Memory Corruption Bug Risk in Zcashd

The main fullnode implementation of Zcash is written in C++, which puts it at risk of entire classes of security vulnerabilities that cannot exist in projects written in safer languages, like Rust. Deprecating the legacy zcashd codebase and replacing it with zebra should be a priority. These risks could also be mitigated with better fuzzing of zcashd’s code, but it’s probably better to get rid of the C++ code entirely.

Easing Consensus Rule Security Review

A security engineer entering the Zcash ecosystem for the first time is faced with the daunting task of finding the code that implements Zcash’s consensus rules. As a result, a large portion of audit time is used inefficiently, spent finding and understanding consensus rule code.

The efficiency of future consensus rule audits can be improved by labeling the locations of all consensus rules in the code. Electric Coin Company has already started on this project. Labeling more consensus rules is on ZecSec’s 2023 roadmap, but hopefully all maintainers of consensus rule code will be able to contribute to this project.

Projects In Scope (alphabetical order)

ZecSec aims to eventually provide security support for all Zcash-tangential projects that are currently used, are in development, or run important infrastructure for the community. Listed below are all of the projects that are potentially in scope.

Note that security support has not yet been “rolled out” to most of these projects yet! For more details on prioritization, see our 2023 roadmap. If your Zcash-related project is missing from the list below, send us a note.

Arti

Arti is a Tor library written in pure Rust. It may soon be adopted by various Zcash wallets to improve wallet privacy in various ways.

Approved Grants

Proposed Grants

CoinPayments Zcash Integration

A grant was funded to add Zcash support into CoinPayments. Unfortunately the work was never picked up by CoinPayments:

Hi everyone, CoinPayments has informed us that they are scrapping their plans for the new platform which was the driver behind this grant to add shielded support. They are going to continue to support Zcash payments on the platform, but this means the work @hanh has done toward the integration will not be implemented.

The work done for this grant is to be repurposed to support BTCPay instead.

Approved Grants

Edge

The Edge Wallet supports shielded Zcash.

Electric Coin Company Projects

Electric Coin Company maintains many essential parts of the Zcash ecosystem:

ElectrumZ

A grant was funded to make a fork of the Electrum wallet with support for Zcash.

Approved Grants

Elemental ZEC - Zcash UI Component Kit and Payment

This grant aims to build frontend code making it easier for merchants to interact with Zcash. They are also building a watch-only wallet in node.js to serve as a backend in place of proper BTCPay integration.

Project website (docs)

Approved Grants

https://grants.zfnd.org/proposals/648795356-elemental-zec-zcash-ui-component-kit-and-payment-processor

Free2Z

Free2Z is a blogging and donation platform built around Zcash.

Approved Grants

https://zcashgrants.org/gallery/25215916-53ea-4041-a3b2-6d00c487917d/24075557/

FROST

FROST is a multiparty signature scheme, in the process of being standardized, that one day can be used to implement shielded multisig for Zcash. Its development is supported by the Zcash Foundation.

Ledger support for Transparent Zcash

Ledger maintains support for transparent Zcash in their hardware wallet offerings. See “Zondax” below for support for shielded Zcash on Ledger.

Moeda.casa

Moeda.casa is some kind of crypto<->fiat exchange platform targeting Brazil. It’s unclear what their current status is (the website is throwing SSL errors).

Approved Grants

Nighthawk

Nighthawk is an Android and iOS app for Zcash, originally built off of Electric Coin Company’s demo (“dogfooding”) app codebases, which use Electric Coin Company’s SDKs.

Nighthawk has a number of components that are security-relevant:

Approved Grants

Oblivious Message Retrieval (OMR)

Oblivious Message Retrieval is a homomorphic-encryption based approach to the “trial decryption” transaction scanning problem. A grant was awarded to build a prototype of the system.

Approved Grants

Payment Gateway with BTCPay

BTCPay is a self-hosted server for accepting cryptocurrency payments. A grant was approved to integrate Zcash.

Approved Grants

paywithz.cash

A list of stores and services that accept Zcash is maintained at paywithz.cash.

Proof of Stake Design

Electric Coin Company has proposed that Zcash transitions to Proof of Stake (PoS) in the near future. It is an open question which PoS design will be selected and what its security properties will be.

Quiet (formerly known as Zbay)

Quiet, formerly known as Zbay, was a project that attempted to use the memo field as a secure communication layer. The project ended up moving to Tor out of a need for better performance.

Approved Grants

react-native-zcash

The ZcashLightClientKit SDK is packaged into a React Native library here.

renZEC

Ren is a project that bridges between blockchains, producing, for example, renZEC as an ERC20 token representing units of ZEC on the Ethereum Blockchain. A currently-centralized bridge holds funds and is used to maintain the peg between chains. A grant was approved to bootstrap liquidity for trading renZEC.

Approved Grants

Stagnum (Zcash Node Hardware)

Stagnum is a team that was approved for a grant to build a hardware device for easily running a Zcash fullnode.

Approved Grants

Telegram Anti-Scam Bot

This is a bot that can be used within Telegram channels to kick out accounts that are obvious scammers. It uses simple matching against the accounts' usernames to kick out accounts that follow common scam patterns.

Approved Grants

Thorchain Integration

Thorchain is a decentralized exchange (DEX). A grant was approved to integrate Zcash into Thorchain and their wallets.

Approved Grants

Trezor Support for Transparent & Shielded Zcash

Trezor has long maintained support for transparent Zcash in their hardware wallets. More recently, they were awarded a grant to integrate with shielded Zcash.

The code for shielded Zcash is in this pull request.

Approved Grants

Ywallet

Ywallet is a Zcash and Ycash wallet built independently from the Electric Coin Company SDKs.

Approved Grants

Zboard

Zboard is a reddit-like social media platform built on Zcash’s memo field. At the time of writing, the website is not functional, presenting an error on the homepage.

Approved Grants

Zcash Blockchain Infrastructure Grant

This is a grant to write containers and deployment infrastructure for Zcash full nodes. The project’s GitHub is zbitech.

Approved Grants

Zcash Community Forums

The Zcash Community Forums are hosted by the Zcash Foundation and are a central hub of discussion among the Zcash community.

Zcash Foundation Projects

The Zcash Foundation maintains several projects central to the Zcash ecosystem:

Zcash Media

Zcash Media is a project by 37 Laines (37L) that produces interviews and educational videos on the topic of Zcash.

Approved Grants

Proposed Grants

Zcash Observatory

Zcash Observatory is a project to augment zcashd with code for observing and reporting telemetry on the p2p network topology and other data.

Approved Grants

Zcash Protocol Specification

The Zcash Protocol Specification describes the Zcash protocol and its consensus rules. It is maintained by Electric Coin Company.

ZECPages

ZECPages is a public message board built on Zcash’s memo field. It runs a production lightwalletd server at lightwalletd.zecpages.com:443 and its code is on github at michaelharms6010/zecpages. Michael Harms has also received a grant to run a testnet faucet, linked below.

Approved Grants

ZecWallet and ZecWallet-Lite

ZecWallet is a UI+fullnode package for Windows, Mac, and Linux. ZecWallet-Lite is a Zcash light wallet. The authors of the wallets maintain a fork of lightwalletd with additional features such as a price API and transaction spam filtering. They also run production lightwalletd instances for ZecWallet-Lite wallets.

Approved Grants

ZecWear

ZecWear is a Zcash clothing and merch store.

ZEGA

ZEGA describes itself as “a command line encrypted-file-sharing CLI using ZecWallet light client.” The code lives at wh00hw/ZEGA.

Zeme Team

Zeme Team is a website for sharing Zcash-related memes.

Approved Grants

Zemo

Zemo is a proposed messaging app that would be built on the Zcash blockchain.

Proposed Grants

Zephyr

Zephyr is a still-in-development metamask-like browser extension for Zcash.

Approved Grants

ZGo

ZGo is a point-of-sale tool for Zcash. The project’s twitter account is ZGoCashApp.

Approved Grants

Ziggurat

Ziggurat is a security-focused project investigating Zcash’s peer-to-peer network. Their main offering is a fuzzer of the p2p protocol which has proven successful at finding bugs and inconsistencies in the zcashd node’s behavior. The project is being expanded from single-node testing into a tool that can actually crawl the network, and their latest grant proposes “red team” tests of testnet.

Approved Grants

ZingoLabs’ wallet (zingolabs on GitHub)

ZingoLabs is a team in the process of developing Zcash software, including a wallet. Their notable GitHub repos are:

  • zingolib – a library and command-line interface
  • zingo-mobile – the mobile apps themselves.
  • zingo – a fork of zecwallet-lite

Approved Grants

ZIPs

Changes to the Zcash protocol are described using Zcash Improvement Proposals.

Zondax (Zcash Ledger App)

Zondax is the team building shielded support for Ledger hardware wallets. Their code lives in the zondax GitHub Org, with the main implementation being in zondax/ledger-zcash.

Approved Grants

ZSAs

Zcash Shielded Assets (ZSAs) is an extension to the Zcash protocol that, once implemented, will allow shielded transactions to support different asset types, e.g. BTC-on-ZEC. The designs and implementations are being provided by QEDIT, funded through a grant.

Links to the draft ZIP specifications and the implementation code can be found in this forum comment.

Approved Grants

List of Security Audits

2016

The initial implementation of Zcash was audited by NCC Group and Coinspect. The audits were announced here, the completed reports are linked here, and some discussion of the issue mitigations is here.

Zcash’s first parameter generation ceremony was also audited by NCC Group.

2017

N/A

2018

In 2018, audits were performed by Least Authority, Coinspect, NCC Group, Kudelski Security, and QEDIT. The audit results are discussed here, but unfortunately the links to many of the audit reports are now broken.

Least Authority’s audit reports are available here: summary, Overwinter audit, Overwinter+Sapling audit, Sapling RPC audit.

QEDIT’s audit of Sapling is available here.

2019

In 2019, Trail of Bits audited ZecWallet, and Zcash Blossom was audited by Coinspect and NCC Group.

2020

In 2020, Trail of Bits audited Zcash Heartwood, NCC Group audited Zcash Canopy, and Electric Coin Company performed an internal audit of their wallets.

2021

In 2021, NU5 was audited by NCC Group and QEDIT.

2022

In 2022, the design of the Halo2 proving system was audited by Mary Maller.

ZecSec performed an audit of Ywallet (report forthcoming) and zecwallet-lite-cli (report forthcoming).

Notable Security Bugs and Other Security Research

Secure systems can only be built by learning from mistakes. Here is a list of notable bugs and other security research that we can learn from to make Zcash a more robust platform.

Viewing key disclosure bug

The ECC wallets and Nighthawk accidentally leaked the wallet’s viewing key where the reply address should have been, within the “Reply-To” component of the memo field.

Disclosure Blog Post

Counterfeiting vulnerability

A mistake in the BCTV14 paper, which carried over to its implementation, made it possible to violate the soundness property of the zero-knowledge proving system originally used by Zcash. Had this bug been exploited, it would have allowed for the forgery of Zcash funds, limited by the turnstile design that was built as a defense-in-depth measure against these kinds of attacks.

This bug was assigned CVE-2019-7167.

Disclosure Blog Post

Side-Channel Attacks on Zcash Node Transaction Receivers

In an academic paper, Florian Tramèr, Dan Boneh, and Kenneth G. Paterson explored the use of timing, traffic analysis, and error-message side-channels to de-anonymize nodes in receipt of transactions.

They found that when a Zcash node successfully decrypted a transaction but the note commitment check failed, the node would send an error message back to the sender, indicating to the attacker that the node held the key required to decrypt the transaction. Additionally, since all P2P message processing happened on the same thread, an attacker could measure the response time of a “ping” message to determine whether the note commitment check was taking place; this was another way to confirm that the node had the correct decryption key. Through either of these approaches, an attacker could conclude that a known shielded address belonged to the victim node.

The vulnerability in Zcash was assigned CVE-2019-16930, and there is a corresponding security announcement.
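To make the error-message side channel concrete, here is an added toy model (not zcashd code, and not the paper’s own artifacts) of a receiving node handling an incoming shielded note. The encryption, the “note commitment”, the key store and the sample key and note are all simplified stand-ins constructed for this illustration. The vulnerable handler answers differently when decryption succeeds but the commitment check fails, which only happens at a node holding the key; the hardened handler collapses both failure paths into the same response, which is the principle behind the mitigation (the exact zcashd patch is not reproduced here).

```python
"""Toy model of a receiver-side error-message oracle and its mitigation.

Added example; every component below (cipher, commitment, key store) is a
constructed simplification, not the Zcash protocol or the zcashd code.
"""
import hashlib
from dataclasses import dataclass


def _keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream; illustration only, not a real cipher.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class Tx:
    key_id: str         # which receiving key the sender targeted (toy addressing)
    ciphertext: bytes   # note plaintext encrypted under that key
    commitment: bytes   # claimed note commitment; honest senders use H(note)


def make_tx(key_id: str, key: bytes, note: bytes, tamper: bool = False) -> Tx:
    """Build a toy transaction. With tamper=True the commitment is wrong on
    purpose, which is the probe shape the paper describes."""
    ct = _xor(note, _keystream(key, len(note)))
    commit = hashlib.sha256(note).digest()
    if tamper:
        commit = hashlib.sha256(b"wrong:" + note).digest()
    return Tx(key_id, ct, commit)


def _try_decrypt(keys: dict, tx: Tx):
    key = keys.get(tx.key_id)
    if key is None:
        return None
    return _xor(tx.ciphertext, _keystream(key, len(tx.ciphertext)))


def vulnerable_handle(keys: dict, tx: Tx) -> str:
    """Three distinct observable outcomes. The middle one can only occur at
    a node that holds the key, so the reject message is a key-possession oracle."""
    note = _try_decrypt(keys, tx)
    if note is None:
        return "ignored"
    if hashlib.sha256(note).digest() != tx.commitment:
        return "reject: bad note commitment"
    return "accepted"


def hardened_handle(keys: dict, tx: Tx) -> str:
    """Both failure paths produce exactly what a node without the key would
    send, so the response no longer reveals key possession (assumed mitigation
    modelled on the principle of the fix, not the actual zcashd change)."""
    note = _try_decrypt(keys, tx)
    if note is None or hashlib.sha256(note).digest() != tx.commitment:
        return "ignored"
    return "accepted"


def oracle_distinguishes_key_holder(handler) -> bool:
    """Send the same tampered tx to a node with and without the key and report
    whether the sender can tell the two apart from the responses alone."""
    key = b"constructed-victim-receiving-key"   # sample key, constructed
    tx = make_tx("victim", key, b"note: 1 ZEC", tamper=True)
    with_key = handler({"victim": key}, tx)
    without_key = handler({}, tx)
    return with_key != without_key


if __name__ == "__main__":
    print("vulnerable handler leaks key possession:",
          oracle_distinguishes_key_holder(vulnerable_handle))
    print("hardened handler leaks key possession:",
          oracle_distinguishes_key_holder(hardened_handle))
```

The timing channel from the paper (the single-threaded “ping” measurement) is not modelled here; closing it requires that the work done on a tampered note not be observable from another message’s latency, which is a scheduling property rather than a response-format one. The takeaway for a reviewer is to check that every failure branch in a receiver’s decryption path is externally indistinguishable from the “not addressed to me” branch.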

Sapling Woodchipper

“Sapling Woodchipper” is a name given to the concept that, as long as transaction fees are cheap, it is inexpensive to fill up blocks on the Zcash blockchain. It was assigned CVE-2019-1636 by its initial reporter. It is currently being mitigated by the rollout of a new transaction fee structure, specified in ZIP-317.

Faerie Gold Attack

In the original design of Zerocash, it was possible for an attacker to send a victim user two notes with identical nullifiers. As a result, the victim’s wallet would be tricked into thinking it could spend both notes, when in fact it would only be able to spend one of them. The details of the attack and the fix are described in the Zcash protocol specification.

InternalH Collision Vulnerability

In the original Zerocash paper that Zcash was based on, a 128-bit hash was used to build a commitment scheme. This was vulnerable to a birthday attack, which would have made it possible to counterfeit funds. The bug was identified and fixed prior to Zcash’s launch.

ZecWallet-Lite TLS Authentication Bug

Sarah Jamie Lewis discovered that a previous version of ZecWallet-Lite was not properly authenticating TLS connections, so that its communications with the lightwalletd server could be intercepted by an attacker.

ZecWallet Nonce Reuse Replay Attack

ZecWallet optionally uses a “wormhole” service to allow a companion smartphone app to connect to the user’s full node. The encryption used by the wormhole protocol was vulnerable to a replay attack that allowed for nonce reuse. This was reported by Sarah Jamie Lewis. See also a further bug in the fix to the issue.

Fuzzing zcashd with Kubernetes

Electric Coin Company engaged in a project to fuzz zcashd’s C++ codebase in an automated way using Kubernetes.

Miscellaneous Bugs & Security Announcements

Academic Papers Analyzing Zcash

Zcash has been investigated in several academic works, linked below:

If you know of Zcash-related security research that’s missing from this list, please send us a note.