Zcash Ecosystem Security Overview
This page serves as an overview of the Zcash ecosystem from a security auditor’s point of view. It lists all of the projects that are intended to fall under the scope of the ZecSec project, as well as past audit reports, notable security bugs, and open security/privacy challenges in the Zcash ecosystem. You can think of this page as “a security auditor’s guide to Zcash.”
This page is updated quarterly. The last update was on 2023-01-01.
So far, the ZecSec project has completed the following security audits:
- Ywallet Security and Privacy Analysis
- zecwallet-lite-cli and adityapk00’s modifications to lightwalletd: report forthcoming.
Highlighting Open Problems and Challenges
There are several “big picture” security and privacy challenges for Zcash that are on ZecSec’s radar. These are not necessarily being worked on as part of ZecSec, but are being spotlighted here as our recommendations for ecosystem-wide priorities.
Scalable Privacy For Wallets
A challenge faced by all cryptocurrencies that aim to offer strong, formal privacy guarantees is: how can wallets find their funds, and make those funds spendable, quickly and efficiently?
At present, Zcash uses “trial decryption”, where the wallet must try to decrypt every transaction on the blockchain to find the ones that belong to it. There are many alternatives to this design with varying levels of privacy and scalability. We’ve surveyed them in our post, Scalable Private Money Needs Scalable Anonymous Messaging.
Unintentional and/or Forced Use of Transparent Transactions
Usage of transparent transactions on the Zcash blockchain remains high. Transparent addresses and transactions offer users the ability to transact transparently, with consent, whenever they wish to do so. However, the high transparent usage might be a sign that some users misunderstand the privacy level provided by transparent transactions, or that users are forced into making parts of their transactions transparent by third-parties who do not fully support shielded addresses.
I know of at least one anecdote where someone put themselves at risk by using a transparent address, because they thought “Zcash is private.”
In our view, this problem should be tackled with (a) research into how frequently users misunderstand the privacy properties of using transparent addresses, (b) UX design within wallets that communicates privacy levels clearly and simply, (c) support requests from the community to third parties and extra engineering effort to increase shielded adoption, (d) an eventual removal of transparent addresses, replaced by the use of viewing keys.
Secure Messaging with the Memo Field
A popular use case for Zcash’s memo field is sending messages. However, Zcash’s memo field currently lacks several properties that are required for secure messaging. For example, it is not signed, so wallets cannot be sure of messages' origins, and it is not forward-secure, so if keys are compromised, all past messages can be decrypted.
We would like to see the memo field extended with more features so that it is easy to build messengers on top of it with Signal-like security properties.
Mitigating C++ Memory Corruption Bug Risk in Zcashd
The main fullnode implementation of Zcash is written in C++, which exposes it to entire classes of memory-safety vulnerabilities that a memory-safe language such as Rust rules out by construction (outside of explicitly unsafe code). Deprecating the legacy zcashd codebase should be a priority, to be replaced by
Such risks could also be mitigated with better fuzzing of zcashd’s code, but it’s probably better to get rid of the C++ code entirely.
Easing Consensus Rule Security Review
A security engineer entering the Zcash ecosystem for the first time is faced with the daunting task of finding the code that implements Zcash’s consensus rules. As a result, a large portion of audit time is used inefficiently, spent finding and understanding consensus rule code.
The efficiency of future consensus rule audits can be improved by labeling the locations of all consensus rules in the code. Electric Coin Company has already started on this project. Labeling more consensus rules is on ZecSec’s 2023 roadmap, but hopefully all maintainers of consensus rule code will be able to contribute to this project.
Projects In Scope (alphabetical order)
ZecSec aims to eventually provide security support for all Zcash-tangential projects that are currently used, are in development, or run important infrastructure for the community. Listed below are all of the projects that are potentially in scope.
Note that security support has not yet been “rolled out” to most of these projects! For more details on prioritization, see our 2023 roadmap. If your Zcash-related project is missing from the list below, send us a note.
Arti is a Tor library written in pure Rust. It may soon be adopted by various Zcash wallets to improve wallet privacy in various ways.
CoinPayments Zcash Integration
A grant was funded to add Zcash support into CoinPayments. Unfortunately the work was never picked up by CoinPayments:
Hi everyone, CoinPayments has informed us that they are scrapping their plans for the new platform which was the driver behind this grant to add shielded support. They are going to continue to support Zcash payments on the platform, but this means the work @hanh has done toward the integration will not be implemented.
The work done for this grant is to be repurposed to support BTCPay instead.
- https://forum.zcashcommunity.com/t/coinpayments-integration/39094 (superseded by the BTCPay grant)
The Edge Wallet supports shielded Zcash.
Electric Coin Company Projects
Electric Coin Company maintains many essential parts of the Zcash ecosystem:
- librustzcash (and many of its cryptographic dependencies)
- iOS Wallet SDK
- Android Wallet SDK
- “Secant” Wallet iOS
- “Secant” Wallet Android
- Wallet App Threat Model
- and many more…
A grant was funded to make a fork of the Electrum wallet with support for Zcash.
Elemental ZEC - Zcash UI Component Kit and Payment
This grant aims to build frontend code making it easier for merchants to interact with Zcash. They are also building a watch-only wallet in node.js to serve as a backend in place of proper BTCPay integration.
Free2Z is a blogging and donation platform built around Zcash.
Ledger support for Transparent Zcash
Ledger maintains support for transparent Zcash in their hardware wallet offerings. See “Zondax” below for support for shielded Zcash on Ledger.
Moeda.casa appears to be a crypto-to-fiat exchange platform targeting Brazil. Its current status is unclear (the website currently presents TLS errors).
Nighthawk is an Android and iOS app for Zcash, originally built from Electric Coin Company’s demo (“dogfooding”) app codebases, and it uses Electric Coin Company’s SDKs.
Nighthawk has a number of components that are security-relevant:
- Production lightwalletd instances for wallets to connect to.
- zcashblockexplorer.com is running nighthawk-apps/zcash-explorer
- nighthawk-apps/nighthawk-wallet-android is the android wallet.
- nighthawk-apps/zcash-ios-wallet is the iOS wallet.
- Various forks of Electric Coin Company repos: nighthawk-apps/bip39, nighthawk-apps/zcash-android-wallet-sdk, nighthawk-apps/lightwalletd.
Oblivious Message Retrieval (OMR)
Oblivious Message Retrieval is a homomorphic-encryption based approach to the “trial decryption” transaction scanning problem. A grant was awarded to build a prototype of the system.
Payment Gateway with BTCPay
BTCPay is a self-hosted server for accepting cryptocurrency payments. A grant was approved to integrate Zcash.
A list of stores and services that accept Zcash is maintained at paywithz.cash.
Proof of Stake Design
Electric Coin Company has proposed that Zcash transitions to Proof of Stake (PoS) in the near future. It is an open question which PoS design will be selected and what its security properties will be.
Quiet (formerly known as Zbay)
Quiet, formerly known as Zbay, was a project that attempted to use the memo field as a secure communication layer. The project ended up moving to Tor out of a need for better performance.
The ZcashLightClientKit SDK is packaged into a React Native library here.
Ren is a project that bridges between blockchains, producing, for example, renZEC as an ERC20 token representing units of ZEC on the Ethereum Blockchain. A currently-centralized bridge holds funds and is used to maintain the peg between chains. A grant was approved to bootstrap liquidity for trading renZEC.
Stagnum (Zcash Node Hardware)
Stagnum is a team that was approved for a grant to build a hardware device for easily running a Zcash fullnode.
Telegram Anti-Scam Bot
This is a bot that can be used within Telegram channels to kick out accounts that are obvious scammers. It uses simple matching against the accounts' usernames to kick out accounts that follow common scam patterns.
Thorchain is a decentralized exchange (DEX). A grant was approved to integrate Zcash into Thorchain and their wallets.
Trezor Support for Transparent & Shielded Zcash
Trezor has long maintained support for transparent Zcash in their hardware wallets. More recently, they were awarded a grant to integrate with shielded Zcash.
The code for shielded Zcash is in this pull request.
Ywallet is a Zcash and Ycash wallet built independently from the Electric Coin Company SDKs.
Zboard is a reddit-like social media platform built on Zcash’s memo field. At the time of writing, the website is not functional, presenting an error on the homepage.
Zcash Blockchain Infrastructure Grant
This is a grant to write containers and deployment infrastructure for Zcash full nodes. The project’s GitHub is zbitech.
Zcash Community Forums
The Zcash Community Forums are hosted by the Zcash Foundation and are the central hub of discussion among the Zcash community.
Zcash Foundation Projects
The Zcash Foundation maintains several projects central to the Zcash ecosystem:
Zcash Media is a project by 37 Laines (37L) that produces interviews and educational videos on the topic of Zcash.
Zcash Observatory is a project to augment zcashd with code for observing and reporting telemetry on the p2p network topology and other data.
Zcash Protocol Specification
The Zcash Protocol Specification describes the Zcash protocol and its consensus rules. It is maintained by Electric Coin Company.
ZECPages is a public message board built on Zcash’s memo field. It runs a production lightwalletd server at lightwalletd.zecpages.com:443 and its code is on github at
Michael Harms has also received a grant to run a testnet faucet, linked below.
ZecWallet and ZecWallet-Lite
ZecWallet is a UI+fullnode package for Windows, Mac, and Linux. ZecWallet-Lite is a Zcash light wallet. The authors of the wallets maintain a fork of lightwalletd with additional features such as a price API and transaction spam filtering. They also run production lightwalletd instances for ZecWallet-Lite wallets.
- Many others (to be listed!)
ZecWear is a Zcash clothing and merch store.
ZEGA describes itself as “a command line encrypted-file-sharing CLI using ZecWallet light client.” The code lives at wh00hw/ZEGA.
Zeme Team is a website for sharing Zcash-related memes.
Zemo is a proposed messaging app that would be built on the Zcash blockchain.
Zephyr is a still-in-development metamask-like browser extension for Zcash.
- https://forum.zcashcommunity.com/t/project-zephyr-update/40657 (update thread)
Ziggurat is a security-focused project investigating Zcash’s peer-to-peer network. Their main offering is a fuzzer of the p2p protocol which has proven successful at finding bugs and inconsistencies in the zcashd node’s behavior. The project is being expanded from single-node testing into a tool that can actually crawl the network, and their latest grant proposes “red team” tests of testnet.
ZingoLabs’ wallet (zingolabs on github):
ZingoLabs is a team in the process of developing Zcash software, including a wallet. Their notable GitHub repos are:
- zingolib – a library and command-line interface
- zingo-mobile – the mobile apps themselves.
- zingo – a fork of zecwallet-lite
Changes to the Zcash protocol are described using Zcash Improvement Proposals.
Zondax (Zcash Ledger App)
Zcash Shielded Assets (ZSAs) is an extension to the Zcash protocol that, once implemented, will allow shielded transactions to support different asset types, e.g. BTC-on-ZEC. The designs and implementations are being provided by QEDIT, funded through a grant.
Links to the draft ZIP specifications and the implementation code can be found in this forum comment.
List of Security Audits
The initial implementation of Zcash was audited by NCC Group and Coinspect. The audits were announced here, the completed reports are linked here, and some discussion of the issue mitigations is here.
Zcash’s first parameter generation ceremony was also audited by NCC Group.
In 2018, audits were performed by Least Authority, Coinspect, NCC Group, Kudelski Security, and QEDIT. The audit results are discussed here, but unfortunately the links to many of the audit reports are now broken.
QEDIT’s audit of Sapling is available here.
In 2021, NU5 was audited by NCC Group and QEDIT.
ZecSec performed an audit of Ywallet (report forthcoming) and zecwallet-lite-cli (report forthcoming).
Notable Security Bugs and Other Security Research
Secure systems can only be built by learning from mistakes. Here is a list of notable bugs and other security research that we can learn from to make Zcash a more robust platform.
Viewing key disclosure bug
The ECC wallets and Nighthawk accidentally leaked the wallet’s viewing key where the reply address should have been, within the “Reply-To” component of the memo field.
A mistake in the BCTV14 paper, which carried over to its implementation, made it possible to violate the soundness property of the zero-knowledge proving system originally used by Zcash. Had this bug been exploited, it would have allowed for the forgery of Zcash funds, bounded by the turnstile design that was built as a defense-in-depth measure against exactly this kind of attack.
This bug was assigned CVE-2019-7167.
Side-Channel Attacks on Zcash Node Transaction Receivers
In an academic paper, Florian Tramèr, Dan Boneh, and Kenneth G. Paterson explored the use of timing, traffic analysis, and error-message side-channels to de-anonymize nodes in receipt of transactions.
They found that when a Zcash node successfully decrypted a transaction, but the note commitment check failed, the node would send an error message back to the attacker, indicating to the attacker that the node had the key required to decrypt the transaction. Additionally, since the P2P message processing all happened on the same thread, an attacker could measure the response time of a “ping” message to determine if the note commitment check was happening; another way to confirm the node had the correct decryption key. Through either of these approaches, it was possible for an attacker to conclude that a known shielded address belonged to the victim node.
The vulnerability in Zcash was assigned CVE-2019-16930, and there is a corresponding security announcement.
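The following toy model ties together the “trial decryption” scanning cost discussed under Scalable Privacy For Wallets and the receiver side channel described above. It is an added illustration written for this page, not code from zcashd, the paper, or any wallet: the Diffie-Hellman group, KDF and cipher are constructed stand-ins that are not secure, and only the control flow matters. `scan` shows that a wallet pays one key agreement and one decryption attempt per output on the chain regardless of how many outputs are its own; `vulnerable_receive` reproduces the pre-fix logic in which a reject message is sent only when decryption succeeded but the note commitment check failed, so an attacker who sends a probe with a bogus commitment to a guessed address learns whether the node holds that address’s key; `fixed_receive` makes both failure paths indistinguishable (the real remediation also had to address the timing channel, which this model does not capture).

```python
"""Toy model of note encryption, wallet trial decryption, and the receiver
side channel of CVE-2019-16930. Added illustration, not code from zcashd or
any wallet: the DH group, KDF and cipher below are constructed stand-ins and
are NOT secure; only the control flow is the point."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1   # toy DH modulus (a Mersenne prime), for illustration only
G = 3                # toy generator

def keygen():
    """Return (ivk, pk): a private incoming viewing key and its public value."""
    ivk = secrets.randbelow(P - 2) + 1
    return ivk, pow(G, ivk, P)

def _kdf(shared: int) -> bytes:
    return hashlib.sha256(b"toy-kdf" + shared.to_bytes(16, "big")).digest()

def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def commitment(pk: int, value: int, rcm: bytes) -> bytes:
    return hashlib.sha256(b"cm" + pk.to_bytes(16, "big") + value.to_bytes(8, "big") + rcm).digest()

@dataclass
class Output:
    epk: int     # sender's ephemeral public key
    ct: bytes    # encrypted (value, rcm)
    tag: bytes   # MAC over ct under the shared key
    cm: bytes    # note commitment published with the output

def encrypt_note(pk: int, value: int, cm: bytes = None) -> Output:
    """Sender side. A malicious sender may publish an inconsistent `cm`."""
    esk = secrets.randbelow(P - 2) + 1
    key = _kdf(pow(pk, esk, P))
    rcm = secrets.token_bytes(16)
    pt = value.to_bytes(8, "big") + rcm
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return Output(pow(G, esk, P), ct, tag, cm if cm is not None else commitment(pk, value, rcm))

def try_decrypt(ivk: int, out: Output):
    """Return (value, rcm) if `out` was encrypted to ivk's address, else None."""
    key = _kdf(pow(out.epk, ivk, P))
    if not hmac.compare_digest(hmac.new(key, out.ct, hashlib.sha256).digest(), out.tag):
        return None
    pt = bytes(a ^ b for a, b in zip(out.ct, _keystream(key, len(out.ct))))
    return int.from_bytes(pt[:8], "big"), pt[8:]

def scan(ivk: int, pk: int, chain):
    """Trial decryption: every output costs one key agreement and one decryption
    attempt, whether or not it belongs to this wallet.
    Returns (received notes, number of attempts)."""
    received, attempts = [], 0
    for out in chain:
        attempts += 1
        note = try_decrypt(ivk, out)
        if note is not None and commitment(pk, *note) == out.cm:
            received.append(note)
    return received, attempts

def vulnerable_receive(ivk: int, pk: int, out: Output):
    """Pre-fix behaviour: a reject goes back to the peer only when decryption
    succeeded and the commitment check failed, so a reject tells the sender
    that this node holds the key for the targeted address.
    Returns (message sent to peer, accepted note or None)."""
    note = try_decrypt(ivk, out)
    if note is None:
        return None, None                   # not ours: dropped silently
    if commitment(pk, *note) != out.cm:
        return "reject: bad note commitment", None
    return None, note

def fixed_receive(ivk: int, pk: int, out: Output):
    """Post-fix behaviour: an output failing either check is handled the same
    way, and nothing sent back depends on the decryption result."""
    note = try_decrypt(ivk, out)
    if note is None or commitment(pk, *note) != out.cm:
        return None, None
    return None, note

def probe(victim_pk: int) -> Output:
    """Attacker's probe: a note to the guessed address with a garbage commitment."""
    return encrypt_note(victim_pk, 1, cm=b"\x00" * 32)
```

Run `scan` over a chain with a few thousand constructed outputs to see the attempt counter track the chain length rather than the wallet’s own note count; that linear cost is the problem the alternatives surveyed under Scalable Privacy For Wallets try to avoid.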
“Sapling Woodchipper” is a name given to the concept that as long as transaction fees are cheap, it is inexpensive to fill up blocks on the Zcash blockchain. It was assigned CVE-2019-1636 by its initial reporter. It is currently being mitigated by the rollout of a new transaction fee structure, specified in ZIP-317.
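To make the ZIP-317 mitigation concrete, here is the conventional fee formula from the ZIP transcribed into a small calculator. This is an added worked example, not zcashd’s or any wallet’s fee code; the constants (5000 zatoshi marginal fee, 2 grace actions, 150/34-byte standard transparent input/output sizes) are as published in ZIP-317, and `spam_premium` is a helper added here to compare against a flat per-transaction fee, which is the assumption the Woodchipper attack relies on.

```python
"""ZIP-317 conventional fee, transcribed as an added worked example from the
ZIP's published formula (this is not zcashd's or any wallet's fee code).
All amounts are in zatoshis; sizes are in bytes."""
from math import ceil

MARGINAL_FEE = 5_000              # zatoshis per logical action
GRACE_ACTIONS = 2                 # every transaction pays for at least this many
P2PKH_STANDARD_INPUT_SIZE = 150   # bytes per "standard" transparent input
P2PKH_STANDARD_OUTPUT_SIZE = 34   # bytes per "standard" transparent output


def logical_actions(tx_in_total_size=0, tx_out_total_size=0, n_joinsplit=0,
                    n_spends_sapling=0, n_outputs_sapling=0, n_actions_orchard=0) -> int:
    """Transparent inputs/outputs are counted by size (an oversized script
    counts as several actions); shielded components are counted directly."""
    transparent = max(ceil(tx_in_total_size / P2PKH_STANDARD_INPUT_SIZE),
                      ceil(tx_out_total_size / P2PKH_STANDARD_OUTPUT_SIZE))
    shielded = 2 * n_joinsplit + max(n_spends_sapling, n_outputs_sapling) + n_actions_orchard
    return transparent + shielded


def conventional_fee(**tx) -> int:
    """The fee a conforming wallet is expected to pay for the transaction."""
    return MARGINAL_FEE * max(GRACE_ACTIONS, logical_actions(**tx))


def spam_premium(flat_fee: int, **tx) -> float:
    """Helper added here: how many times more a transaction costs under ZIP-317
    than under a flat per-transaction fee of `flat_fee` zatoshis."""
    return conventional_fee(**tx) / flat_fee


if __name__ == "__main__":
    normal = dict(n_spends_sapling=1, n_outputs_sapling=2)    # typical shielded payment
    bloated = dict(n_spends_sapling=2, n_outputs_sapling=100)  # block-filling shape
    print("normal:", conventional_fee(**normal), "bloated:", conventional_fee(**bloated))
```

The point of the comparison: a transaction shaped to fill block space with a hundred outputs pays fifty times what a normal two-output payment pays, whereas under a flat fee both cost the same, so filling blocks is no longer nearly free.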
Faerie Gold Attack
In the original design of Zerocash, it was possible for an attacker to send a victim user two notes with identical nullifiers. As a result, the victim’s wallet would be tricked into thinking it could spend both notes, when in fact it would only be able to spend one of them. The details of the attack and the fix are described in the Zcash protocol specification.
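A toy model of the attack and of the fix, added here as an illustration rather than taken from zcashd or the protocol specification: SHA-256 stands in for the real PRFs and commitments, and the fix is simplified to deriving each output’s rho from a hash of the transaction’s input nullifiers plus the output index (the specification derives it via a per-transaction random value as well). Because the ledger refuses to accept an input nullifier twice, two accepted transactions can never share that hash, and within one transaction the index differs, so no sender can manufacture two notes with the same nullifier. `balance_by_nullifier` is the defensive accounting a wallet can do regardless.

```python
"""Toy model of the Faerie Gold attack and a Sprout-style fix in which rho is
bound to the transaction's input nullifiers. Added example for this page, not
code from zcashd or the protocol specification; SHA-256 stands in for the PRFs
and commitments of the real protocol."""
import hashlib
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Note:
    value: int
    rho: bytes   # the nullifier is derived from rho and the owner's spending key


def nullifier(sk: bytes, note: Note) -> bytes:
    return H(b"nf", sk, note.rho)


class Ledger:
    """Only the nullifier set matters here: each nullifier may be revealed once."""

    def __init__(self):
        self.spent = set()

    def spend(self, nfs) -> bool:
        nfs = list(nfs)
        if len(set(nfs)) != len(nfs) or any(nf in self.spent for nf in nfs):
            return False
        self.spent.update(nfs)
        return True


def naive_balance(notes) -> int:
    """Vulnerable accounting: sums every note that decrypts to the wallet."""
    return sum(n.value for n in notes)


def balance_by_nullifier(sk: bytes, notes) -> int:
    """Defensive accounting: notes that share a nullifier are one spendable note."""
    seen, total = set(), 0
    for n in notes:
        nf = nullifier(sk, n)
        if nf not in seen:
            seen.add(nf)
            total += n.value
    return total


def faerie_gold(value: int, rho: bytes):
    """Attacker in the original Zerocash design: rho is free to choose, so two
    notes can be given the same rho and therefore the same nullifier."""
    return [Note(value, rho), Note(value, rho)]


def derive_rho(h_sig: bytes, index: int) -> bytes:
    """Fix: rho is bound to the input nullifiers (via h_sig) and the output index."""
    return H(b"rho", h_sig, index.to_bytes(1, "big"))


def send(ledger: Ledger, sk: bytes, inputs, values):
    """Spend `inputs` and create new notes. Returns the notes, or None if the
    ledger rejects the transaction because an input nullifier was already used."""
    nfs = [nullifier(sk, n) for n in inputs]
    if not ledger.spend(nfs):
        return None
    h_sig = H(b"hSig", *nfs)
    return [Note(v, derive_rho(h_sig, i)) for i, v in enumerate(values)]
```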
InternalH Collision Vulnerability
In the original Zerocash paper that Zcash was based on, a 128-bit hash was used to build a commitment scheme. This was vulnerable to a birthday attack, which would have made it possible to counterfeit funds. The bug was identified and fixed prior to Zcash’s launch.
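The counterfeiting route is a birthday collision between two openings of the same commitment: an attacker finds randomness such that a low-value note and a high-value note commit to identical bytes, publishes the commitment as the low-value note, and later spends it as the high-value one. The following added example (not code from the Zerocash paper or zcashd) runs that search against a commitment truncated to 32 bits so it completes in well under a second; the same loop against a 128-bit output needs on the order of 2^64 evaluations, which is the margin the original design lacked.

```python
"""Birthday attack on a truncated commitment, as an added illustration of the
InternalH issue (not code from the Zerocash paper or zcashd). The real bug
involved a 128-bit hash, i.e. roughly 2**64 work; here the commitment is
truncated to 32 bits so the attack finishes in well under a second."""
import hashlib
from math import pi, sqrt


def commit(value: int, r: int, bits: int) -> bytes:
    """Commitment H(value, r) truncated to `bits` bits (constructed toy scheme)."""
    h = hashlib.sha256(value.to_bytes(8, "big") + r.to_bytes(8, "big")).digest()
    return h[: bits // 8]


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) samples before a collision."""
    return sqrt(pi / 2 * 2 ** bits)


def find_counterfeit(low: int, high: int, bits: int = 32):
    """Find (r_low, r_high) with commit(low, r_low) == commit(high, r_high).
    The attacker publishes the commitment as a note of value `low` and later
    opens it as a note of value `high`. Returns (r_low, r_high, attempts)."""
    seen_low, seen_high = {}, {}
    r = 0
    while True:
        c_low = commit(low, r, bits)
        if c_low in seen_high:                 # cross-collision with a high note
            return r, seen_high[c_low], 2 * (r + 1)
        seen_low[c_low] = r
        c_high = commit(high, r, bits)
        if c_high in seen_low:                 # cross-collision with a low note
            return seen_low[c_high], r, 2 * (r + 1)
        seen_high[c_high] = r
        r += 1


if __name__ == "__main__":
    r_lo, r_hi, n = find_counterfeit(1, 1_000_000)
    print(f"collision after {n} commitments (birthday bound ~{expected_attempts(32):.0f})")
```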
ZecWallet-Lite TLS Authentication Bug
Sarah Jamie Lewis discovered that a previous version of ZecWallet-Lite was not properly authenticating TLS connections, so that its communications with the lightwalletd server could be intercepted by an attacker.
ZecWallet Nonce Reuse Replay Attack
ZecWallet optionally uses a “wormhole” service to allow a companion smartphone app to connect to the user’s full node. The encryption used by the wormhole protocol was vulnerable to a replay attack that allowed for nonce reuse. This was reported by Sarah Jamie Lewis. See also a further bug in the fix to the issue.
zcashd with Kubernetes
Electric Coin Company engaged in a project to fuzz zcashd’s C++ codebase in an automated way using
Miscellaneous Bugs & Security Announcements
Academic Papers Analyzing Zcash
Zcash has been investigated in several academic works, linked below:
- Privacy Aspects and Subliminal Channels in Zcash
- Privacy and Linkability of Mining in Zcash
- Blockchain Access Privacy: Challenges and Directions
- Security and privacy of mobile wallet users in Bitcoin, Dash, Monero, and Zcash
- A Look into Privacy-Preserving Blockchains
- On the linkability of Zcash transactions (Electric Coin Company’s response)
- An Empirical Analysis of Anonymity in Zcash
- Extending the Anonymity of Zcash
- Deanonymization and Linkability of Cryptocurrency Transactions Based on Network Analysis
- Map-Z: Exposing the Zcash Network in Times of Transition
- A Refined Analysis of Zcash Anonymity
- Attacking Zcash For Fun and Profit
- Anonymity Analysis of Bitcoin, Zcash, and Ethereum
- An Analysis of Anonymity in the Zcash Cryptocurrency
- Modeling the Block Verification Time of Zcash
- A Comparative Study of Privacy-Preserving Cryptocurrencies: Monero and ZCash
- Exploring the use of Zcash cryptocurrency for illicit or criminal purposes
- PING and REJECT: The Impact of Side-Channels on Zcash Privacy
- A Review of Zcash as a Cryptocurrency Platform Aimed Towards Maintaining Privacy Between All Parties
If you know of Zcash-related security research that’s missing from this list, please send us a note.