Crypto Bug Hunting by Zcash, EOS, Tron, and a Backdoored Coin
Following the Cryptopia hack, the crypto community is understandably wary of any talk about security issues. However, those exist, and several have recently been unveiled: from privacy coin Zcash fixing a severe vulnerability that could have allowed malicious actors to counterfeit an infinite number of tokens, over five critical vulnerabilities discovered in smart contract platform EOS since the start of the year, to a backdoored cryptocurrency called Denarius that has been found to serve malware.
The Zcash fix was a top-secret operation
The team behind privacy coin Zcash ran into a vulnerability so severe that only four people even knew about it before a patch was released at the end of October 2018 to fix it. According to a report published Tuesday, Zcash cryptographer Ariel Gabizon discovered a “subtle” bug a little less than a year ago in zk-SNARKS, the cryptography that the project uses to shield balances and user identities. Although it has since presented no risk at all, the team has kept quiet about the bug until now, writing, “Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.”
“We have found no evidence that the vulnerability was discovered by anyone else or that counterfeiting occurred,” the report further added. In their opinion, this is because “discovery of the vulnerability would have required a high level of technical and cryptographic sophistication that very few people possess.”
The team was applauded for the way they handled the issue, perhaps most notably by infamous NSA whistleblower Edward Snowden, who tweeted: “A lot of people wonder why I like #Zcash despite the Founder’s Reward. Here’s a reason: that tax funds a quality team that catches and kills serious bugs in-house, before they get exploited. Some other projects learn about bugs like this only AFTER people have lost money.”
Not everyone agrees, however:
Basically, there may very well be more Sprout coins in existence then there should be. The only way we can know is via the "turnstile audit", and that audit only works by people moving coins from Sprout to Sapling or unshielded.
— Peter Todd (@peterktodd) February 5, 2019
Zchash price chart:
Bug bounties seem to be a lucrative hobby
Smart contract and dapp (decentralized application) platform EOS is famed for their bug bounties, in which the community gets paid for helping the team find bugs and resolve them. Since the beginning of this year, they have handed over bounties for five critical vulnerabilities, according to public activity on breach disclosure platform HackerOne, which also revealed the bounties.
On January 10th, USD 40,750 was awarded to five white hat hackers on the platform by EOS.io, and the day after, another researcher received a USD 10,000 bounty. Five of a total of eight bounties are equivalent to USD 10,000 each, which is the highest possible payout reserved by the company only for the most critical vulnerabilities.
EOS, however, was not the only platform to pay out their community for bug disclosure this year. Another one of them is blockchain-based protocol TRON, which has awarded four bounties for a total of USD 22,700 in January.
The effort made by projects to stay secure while employing the help of their community is certainly commendable – but the fact that bug bounties can still make their recipients insomuch richer goes to show that these projects still have a way to go.
EOS price chart:
Why you should not reuse your password
Hackers have compromised the GitHub, a web-based hosting service that is most often used for code, account of the Denarius cryptocurrency project lead and have backdoored the Windows client with the AZORult infostealer malware, according to ZDNet. They add that they have also independently confirmed the findings. According to top developer of Denarius, Carsen Klock, the incident occurred because he reused an older password to secure his GitHub account.
Once installed on a user’s computer, this malware AZORult can steal a vast array of user data, such as browser passwords, browser cookies, passwords for FTP clients, chat histories, and most importantly, wallet database files from popular cryptocurrency clients. One security researcher who goes by the Twitter handle @prsecurity_ claims that around 3,200 users were infected. Fortunately, there have not been any 51% attacks against the Denarius blockchain yet.
The most likely scenario, ZDNet reports, is that the hackers have simply emptied users’ wallets of the cryptocurrency. However, as of the time of writing, there have been no indications of how much might have been lost this way.