A $100 Twitter wager between crypto users seems to have exposed the vulnerabilities of Zcash. While the bet may have been a one-off lucky instance, there are other instances of breath that threatens the privacy of Zcash addresses.
Not a Bright Past
In May, another paper published by researchers at Carnegie Mellon University finds that Zcash privacy guarantees are flawed. In June, leading on-chain analytics firm, Chainalysis, claimed that they can trace Zcash and Dash privacy transactions. The report states that,
So even though the obfuscation on Zcash is stronger due to the zk-SNARK encryption, Chainalysis can still provide the transaction value and at least one address for over 99% of ZEC activity… Zcash’s shielded pools can provide stronger privacy than mixing transactions but shielding is not bulletproof.
Howard Chu, the CTO of Syman Corp and Chief Architect of Open DLAP project who shared the information on the breaches, notes that Zcash has been flawed since day one. She shared a tweet by Kyle Torpey, a leading crypto contributor, tweeted from Zooko’s response in July 2017 (as early as a year after the launch of Zcash),
“the suspension of Zcash deposits and withdrawals . . was due to a wallet corruption and performance problems . . . by the zcashd software”
The protocol has had many updates since then and the zero-knowledge proof is known to be the most promising privacy protocol. However, with another instance of a trace in 2018, Chu notes that repeated attacks are proof that “their engineers are incompetent, their management are liars.”
The Electric Coin Company which works on the development of Zcash was also allegedly found misreporting to the U.S. government for excessive gains on COVID-19 relief funds.
Therefore, there are ample to believe that this might be another leading to another large crypto scam. However, the founder continues to stand behind it and offers an explanation as well.
Find My Address
Twitter user @MoneyKnowledge0 announced a bounty of $100 to any user who could expose a Zcash address by backtracking a transaction to it. He tweeted,
Above is the tx-id to my donation. Please, if you are all sure of yourselves trace my T-address. Reward is $100 of a currency of your choice. If no one responds in the next 72 hours I’m led to believe all the privacy flawed Zcash tweets are just false information.
In hours, another twitter user, Byran Deep (alias), posted the correct address shocking the Zcash community. If a z-addresses of a Zcash transaction can be traced back to its public address, it shuns all privacy claims. However, this might have been a lucky instance or according to Zooko, the founder of Zcash misinterpretation of privacy.
The user sent ZEC from a public to a private address (Z ->T) and then proceeded with the private transactions. Moreover, the small-time gap between the transaction and the bet allowed the user to trace the address easily. Zooko notes that,
Until users make that mental leap that privacy doesn’t come from something you move your money through, it comes from *where you store your money at rest*, they’ll keep making this mistake.
He says it is a misconception that privacy comes from passing ‘money through something.’ He says that extends to privacy on other public to private transactions between Monero [XMR] and Bitcoin [BTC] as well. Moreover, he adds that if you want real privacy, ‘store ZEC in the shielded pool.’
Do you that it is safe to use Zcash for privacy transactions? Please share your views with us.