ZecSec: Zcash Ecosystem Security

ZecSec's Q4 2022 Transparency Report

In order to ensure accountability and to help the Zcash community understand how its funds are being spent, the ZecSec project will be posting quarterly transparency reports.

Note that some of these reports may be delayed, and some information may be redacted, in order to prevent the disclosure of unresolved security bugs.

The currently-approved grant allows me to bill $1000 USD per day, up to a maximum of $17,000 per month, up to 12 total months. The sections below break down and explain my invoices for Q4 2022.

September & October

In September and October my focus was on auditing Ywallet. Ywallet was a priority because it had not yet received any security review and it was one of the only wallets that functioned in the face of the high transaction load problem. The report from this audit is available here.

1Setting up build environments, skimming over grants/projects, staying up to date on the forums.
1Reviewing various Zcash wallets for a potential DoS bug reported by ZingoLabs.
8Auditing Ywallet’s zcash-sync library.
5Auditing Ywallet itself.
1Delivering the Ywallet audit report and answering questions.
0.5Setting up this website.
0.5Reviewing ZIP 317 for security and privacy.

Total days: 17, Total paid: $17,000.


In November, I audited zecwallet-lite-cli, the transaction processing library used by ZecWallet-Lite. This paves the way for a future audit of ZecWallet-Lite itself. I also looked at the customizations that were made to the version of lightwalletd that ZecWallet-Lite uses.

1Catching up on forums, planning, setting up Calendly for office hours.
8Auditing zecwallet-lite-cli.
1Reviewing changes to lightwalletd in aditapk00/lightwalletd.
1Helping debug zcashd v5.3.0 build issues and getting the Arch Linux package maintainer to update the package.
0.5Writing Scalable Private Money Needs Scalable Anonymous Messaging.

Total days: 11.5, Total paid: $11,500.


In December, I focused on planning for the new year. I quickly surveyed every Zcash-related project that I could find and collected a list of past security audits, research, and notable bugs. I published the first edition of the Zcash Ecosystem Security Overview and a tentative roadmap for 2023.

8Surveying all Zcash-related projects, preparing the ecosystem security overview and roadmap.
2Checking the Ywallet bug fixes and publishing the Ywallet audit report.

Total days: 10, Total paid: $10,000.


In Q4 of 2022, I completed two major audits of Ywallet and zecwallet-lite-cli. I also contributed to a number of other security efforts such as performing shorter security reviews of various projects, helping to investigate bugs, collecting past security research, and writing up my research into options for privately scaling Zcash.

In total, I invoiced for 38.5 days and was paid $38,500 in ZEC.

If you have questions about the work that was done or have suggestions for future priorities, you can either email me at zecsec@defuse.ca or ask on the grant’s forum thread.