Zcash bug threatens to reveal user IPs; no respite soon says core developer

A Zcash bug threatens to reveal the metadata that contains the complete nodes along with shielded IPs. This bug, if materializes, threatens the Zcash forks as well.

Duke Leto, the core developer at Komodo (KMD), announced the bug in his blog. He goes on to add that to track the issue, a ‘Common Vulnerabilities and Exposures’ (CVE) code is already underway. As of September 29, no positive progress has been reported.

Zcash bug will ultimately reveal user identities

Leto explains that ever since Zcash and its protocol begin operations, the bug threatening the security of all the shielded addresses has always been there. Moreover, every Zcash source code forks, too, have the same glitch. It can reveal every IP address who owns a shielded address (zaddr) along with the associated nodes.

For example, if ‘A’ hands over a zaddr to ‘B’ to pay him, ‘B’ could very well discover the IP address of ‘A.’ This is frightening since the very foundation of a cryptocurrency transaction is shielded IP addresses. It goes against the Zcash design protocols and every known crypto security regulation.

In theory, anyone whose zaddr is published is under threat of identity revelation due to their IP address being in public. This vulnerability can expose the personal IP addresses of millions of Zcash and Zcash protocol users. Geo-location and IP address are associated with zaddr and hence vulnerable. Zcash problems will increase further as recently Coinbase in the United Kingdom removed Zcash for its local customers.

Multiple cryptocurrencies affected by Zcash bug

People who have not used a zaddr ever or employed a Tor Onion routing will not be victims. Moreover, there are many more cryptocurrencies that will face severe blow due to the same bug. Leto has provided a detailed list of cryptocurrencies facing a similar issue.

A non-exhaustive list includes many prominent names including Pirate, Snowgem, Ycash, ZClassic, Verus, Safecoin, VoteCoin, Arrow, Anon, Zelcash and many more. Out of these names, many have taken preventive steps as well. For example, Komodo no longer offers shielded address feature and now uses Pirate chain for this feature, making it secure against the said Zcash bug.