Over its 7-year history, Zerocoin has had a turbulent existence, marked by several security flaws and twists.
This report covers some of the most significant ones, with a greater focus on 2019's incidents and their consequences from the perspective of different projects.
The Zerocoin protocol allows transactions to be anonymized without the need to go through any trusted third-party (e.g., Bitcoin mixers). Instead, the mixing process occurs at the protocol level.
It was developed in 2013 by cryptographer Matthew D. Green and his students at the Johns Hopkins Information Security Institute.
At its core, Zerocoin works in a similar fashion to a mixing pool, with the notable difference that users do not have to trust any third party: the tumbler is implemented directly at the protocol level.
This system relies on two tokens: the basecoin (e.g., Bitcoin) and the zerocoin. Zerocoins are minted by burning basecoins and are subsequently redeemed for new basecoins with no transaction history. Owing to this minting/redemption process, the history of basecoins cannot be traced back to their original users.
For instance, Alice wants to send Bob 1 BTC. Using the zerocoin protocol, she would mint a zerocoin, which is essentially a cryptographic proof of possession, and send the zerocoin to Bob. Meanwhile, 1 BTC is transferred to a token reserve that is not spendable. Whenever Bob wishes to spend part of his 1 BTC, he can use his zerocoin as a zero-knowledge proof.
Sources: Zerocoin Project, Binance Research
The Zerocoin protocol relies on an initial trusted set-up; i.e., someone must be trusted to generate the initial parameters and then destroy them. For instance, ZCoin relied on RSA accumulators, which require the generation of two large prime numbers. Specifically, it relied on RSA-2048 parameters, generated from the RSA factoring challenge¹.
Originally proposed as an extension to the Bitcoin protocol, Zerocoin was not adopted by Bitcoin developers for several reasons, namely bloated computation times, some controversy over the validity of the end result, and whether the proposed changes were too radical a deviation from the original Bitcoin whitepaper.
Instead, ZCoin was created in late 2015² (under the name "Moneta") as the first stand-alone cryptocurrency implementing the Zerocoin protocol (see next subsection).
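The mint/spend flow above and the role of the trusted set-up are easier to see in code. The following is an added example written for this report, not code from the page, from ZCoin or from libzerocoin: a toy ledger in which a mint accumulates a coin commitment into an RSA accumulator and a spend reveals the coin's serial number together with a membership witness. The real protocol proves membership in zero knowledge so a spend cannot be linked to its mint; here the commitment is opened in the clear so that the validator's two checks (membership and unused serial) are visible. The modulus, base, serials and randomness are all constructed toy values (a few thousand, not RSA-2048), and the hash-based commitment stands in for Zerocoin's Pedersen commitment.

```python
"""Toy Zerocoin-style mint/spend ledger over an RSA accumulator.

Added example; not code from the page, ZCoin or libzerocoin.  Minting locks
basecoin in an unspendable reserve and accumulates a commitment to a fresh
serial number.  Spending reveals the serial and shows the commitment is in the
accumulator; the validator rejects unminted coins and reused serials.  The real
protocol proves membership in zero knowledge so a spend cannot be linked to its
mint; here the commitment is opened in the clear to keep the checks visible.
All parameters are tiny constructed values, not ZCoin's RSA-2048 modulus.
"""
import hashlib
from math import gcd

# Constructed trusted-setup parameters.  P and Q are safe primes (2*509+1 and
# 2*593+1); knowing them is the trapdoor the real setup ceremony must destroy.
P, Q = 1019, 1187
N = P * Q
G = 3  # accumulator base (constructed)

def is_prime(n: int) -> bool:
    """Trial division; adequate for the 32-bit commitments used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1 if d == 2 else 2
    return True

def coin_commitment(serial: int, randomness: int) -> int:
    """Hash-based stand-in for Zerocoin's Pedersen commitment, pushed to the
    next odd 32-bit prime because RSA accumulators accumulate primes."""
    digest = hashlib.sha256(f"{serial}:{randomness}".encode()).digest()
    c = int.from_bytes(digest[:4], "big") | (1 << 31) | 1
    while not is_prime(c):
        c += 2
    return c

class Accumulator:
    def __init__(self) -> None:
        self.value = G
        self.members = []  # accumulated commitments, public as on chain

    def add(self, c: int) -> None:
        self.value = pow(self.value, c, N)
        self.members.append(c)

    def witness(self, c: int) -> int:
        """G raised to the product of every *other* member.  Computable from
        public data alone, which is what lets a spender prove membership."""
        w = G
        for m in self.members:
            if m != c:
                w = pow(w, m, N)
        return w

    def verify(self, c: int, w: int) -> bool:
        return pow(w, c, N) == self.value

class Ledger:
    def __init__(self) -> None:
        self.acc = Accumulator()
        self.spent_serials = set()
        self.reserve = 0  # basecoin locked in the unspendable token reserve

    def mint(self, commitment: int, amount: int = 1) -> None:
        self.acc.add(commitment)
        self.reserve += amount

    def spend(self, serial: int, randomness: int, witness: int, amount: int = 1) -> str:
        """The two validator checks that a real spend proves in zero knowledge."""
        c = coin_commitment(serial, randomness)
        if not self.acc.verify(c, witness):
            return "rejected: commitment not in accumulator"
        if serial in self.spent_serials:
            return "rejected: serial already spent"
        self.spent_serials.add(serial)
        self.reserve -= amount
        return "accepted"

def demo() -> list:
    """Two constructed mints; then one honest spend, one double spend and one
    spend of a coin that was never minted."""
    ledger = Ledger()
    alice, carol = (11, 22), (33, 44)  # (serial, randomness), constructed
    ledger.mint(coin_commitment(*alice))
    ledger.mint(coin_commitment(*carol))
    w = ledger.acc.witness(coin_commitment(*alice))
    return [ledger.spend(*alice, w), ledger.spend(*alice, w), ledger.spend(99, 1, w)]

def forge_witness_with_trapdoor(acc: Accumulator, c: int) -> int:
    """Why the setup parameters must be destroyed: whoever keeps P and Q can
    take a c-th root of the accumulator value, i.e. a passing witness for a
    commitment that was never minted.  Without the factorisation this is the
    strong RSA problem."""
    phi = (P - 1) * (Q - 1)
    assert gcd(c, phi) == 1  # holds for any prime c larger than 593
    return pow(acc.value, pow(c, -1, phi), N)
```

`demo()` returns the three validator verdicts in order (accepted, double spend rejected, unminted coin rejected). `forge_witness_with_trapdoor` is the reason the set-up is "trusted": the accumulator's soundness rests entirely on nobody knowing the factorisation of the modulus, which is why ZCoin borrowed a modulus from the RSA factoring challenge rather than generating its own.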
In late 2013, the scope of the Zerocoin protocol was extended in an upgrade called Zerocash.
Aiming to provide full privacy, Zerocash introduced efficiency improvements (i.e., smaller proof size and faster verification) and enhanced privacy (with added encryption of the amount and both sender & receiver addresses). The most widely known implementation of Zerocash is ZCash.
Despite some key advantages, several reasons explain why Zerocash did not replace Zerocoin. Among them, the most prominent³ ones are:
As a result, the Zerocoin protocol has remained independent from Zerocash. Hence, the rest of this report focuses solely on the Zerocoin algorithm and its core implementation, defined in the library libzerocoin.
| Project | Consensus | Status of the Zerocoin protocol | Year |
|---|---|---|---|
| ZCoin | Hybrid PoW/PoS (w/ Master Nodes) blockchain | Removed the Zerocoin protocol and adopted Sigma in 2019. | 2016 |
| PIVX | PoS (w/ Master Nodes) blockchain | Relies on PoS Time Protocol v2 and is looking to replace the Zerocoin protocol. It used to rely on ZPoS (Zerocoin Proof of Stake) after an early phase as a PoW cryptocurrency (Quark algorithm). | |
| SmartCash | PoW (w/ Master Nodes) blockchain | Removed the Zerocoin protocol in late 2017. | 2016 |
| NavCoin | LPoS blockchain | New research is being conducted to find an alternative to Zerocoin for private transactions. | 2016 |
| Noir (ex-Zoin) | PoS (w/ Master Nodes) blockchain | Removed the Zerocoin protocol and adopted Sigma in 2019. It used to rely on PoW. | 2016 |
| Gravity Coin (ex-Hexxcoin) | PoW blockchain (w/ Master Nodes) | Removed the Zerocoin protocol and adopted Sigma in 2019. | 2017 |
| NIX | LPoS blockchain | Its protocol layer relies on Lease Proof-of-Stake (LPoS) consensus on the latest Bitcoin Core protocol (currently 0.17). The Zerocoin protocol was incorporated in its "Ghost privacy protocol" but was disabled in April 2019. NIX adopted Sigma in May 2019. | 2018 |
| Veil | Hybrid PoW/PoS blockchain | Staking rewards are currently paid in zerocoin. Since July 2019, it has been de-anonymized, but zerocoin mints/spends are still possible. It is looking to shift away from the Zerocoin protocol. | 2019 |
Source: Binance Research
Although all these implementations rely on the Zerocoin protocol, these cryptocurrencies differ in many ways that are not the focal point of this report⁴; some of their underlying designs are nonetheless discussed below.
ZCoin is a cryptocurrency, launched in September 2016, as the first stand-alone implementation of the Zerocoin protocol (as described in the previous section).
ZCoin’s core characteristics include:
Sources: CoinMarketCap, Binance Research.
PIVX is a cryptocurrency designed to achieve “fungibility, transaction privacy, community governance, network scalability, and real-world utilization" for online purposes, which started in 2016.
Before zerocoin minting got disabled (in early 2019), PIVX relied on:
Sources: CoinMarketCap, Binance Research.
Veil is a cryptocurrency, created in early 2018 by James Burden (also known as 4x13), an expert in crypto-privacy who was also a lead for PIVX (see subsection 1.2).
Veil aims at providing "full-time privacy without compromising the strength of anonymity".
At its core, Veil relies on:
Other characteristics include:
Veil also supports multi-transaction zerocoin spends that span several blocks. Because verification is computationally expensive (and the Zerocoin protocol allows at most 20 zerocoin denominations in one transaction), such a spend is automatically split across two or more blocks.
Sources: CoinMarketCap, Binance Research.
In 2017, another incident occurred, a few months after ZCoin had revealed that a typo in its source code was exploited to mint 370,000 additional ZCoins⁶.
Following this 2017 incident, the ZCoin team announced that 18,171 coins had been generated through this exploit. Specifically, someone was able to generate fake spends, hence inflating the supply of ZCoin.
As an immediate fix, the team released an emergency update to block further zerocoin spends. Eventually, libzerocoin v2 was released, which led to a hard fork of ZCoin and the reintroduction of zerocoin spends.
Conversely, other projects like SmartCash deactivated Zerocoin and subsequently decided not to re-adopt it, officially abandoning it in early 2018⁷.
Another potentially exploitable flaw was publicly disclosed in 2017 by researchers at Friedrich-Alexander-Universität in Germany. The attack, commonly referred to as a denial-of-spending attack, could have allowed a malicious user to destroy the money of honest users.
The attack would work as follows:
As a result, the malicious user would burn the zerocoin ahead of the honest user, usurping the new, “no-history" coins of the honest user.
Source: Binance Research.
However, the rewards from this type of attack were not limited to on-chain effects.
A larger potential profit from this exploit would have been to trigger a short panic, with users selling upon hearing about the attack on the protocol while the attacker held a short position on the asset itself (e.g., ZCoin). However, in 2017 it was relatively hard to construct a short position in ZCoin, making this type of attack hard to conduct.
Furthermore, as mentioned by the ZCoin team itself, the risk of the attack failing remained high, and a malicious individual could also become a victim of their own attack⁸.
On March 6th 2019, the PIVX team disclosed elements about an attack detected on the PIVX network zerocoin protocol (i.e., zPIV).
This vulnerability allowed a malicious individual to fake serials and to spend zerocoins that were not minted in the first place. Unlike the attack described in subsection 1.4, it would not result in user funds being stolen or getting lost. However, it would have an impact on inflation as the circulating supply could increase independently of the designated inflation schedule of PIVX.
Following the discovery of invalid blocks, the PIVX team found that an implementation flaw was being exploited by malicious individuals; the Zerocoin protocol was deactivated as a precaution (using sporks⁹).
According to the PIVX team, two main elements led to the exploitability of this flaw:
For full details, including the implementation, see the comprehensive explanation published by the PIVX team, which includes an on-chain analysis of the impact of this exploit.
This vulnerability did not impact ZCoin but impacted a wide variety of PIVX forks that were mostly low-cap cryptocurrencies.
In April 2019, ZCoin experienced an attack based on cryptographic flaws of Zerocoin’s core protocol design.
The full detail of the attack was disclosed on April 30th 2019 by ZCoin in a blog post.
Based on the disclosure provided by ZCoin, an attacker with at least one legitimately minted coin could create as many spends as they wanted out of it, in any Zerocoin-based cryptocurrency. None of these fake spends would be distinguishable from authentic ones.
Source: Binance Research.
From a cryptographic perspective, it turned out to be possible to create such forged proofs from a single minted zerocoin.
The next subsection discusses the impact on ZCoin, PIVX, and Veil from this recent attack.
As an urgent fix, the team decided to disable zerocoin mints and prevent any zerocoin spend from being conducted. Hence, they effectively froze the funds in the accumulator until the release of Sigma.
Following the end of the window to convert the zerocoin on January 20th, the total damage from the attack was assessed: a total of 66,996 XZC was forged through this vulnerability.
Owing to a specific signature from the attack, the team was also able to blacklist some mints, hence preventing the attackers from converting some zerocoins into Sigma mints. As a result, the total damage was estimated at 54,321 XZC, according to ZCoin's recent update.
In July 2019, the team officially removed the Zerocoin protocol and replaced it with Sigma, which also removes the need for any trusted set-up. Indeed, ZCoin had been working on deprecating the Zerocoin protocol since early 2018.
After its migration to Sigma, ZCoin introduced a feature to “remint" zerocoins, i.e., transfer zerocoins to Sigma mints.
In response to the incident described in subsection 2.1.3, the PIVX team deactivated the privacy features of Zerocoin through a spork. Since then, zerocoins have been used in a public mode, i.e., in a similar fashion to normal UTXO transactions.
Specifically, zerocoin minting has been disabled while zerocoin spending remains enabled (with full links to the original basecoin). Furthermore, the team relies on Schnorr Signatures to ensure that zerocoins could be spent back to basecoins, without any exposure to the pre-existing vulnerability.
On January 5th 2020, PoS Time Protocol v2 was introduced with the 4.0 release (along with Cold Staking). Following this hardfork, PIVX is expected to announce its next privacy protocol very soon.
For cryptographic details, please visit this link.
Following the flaw discovery by ZCoin on April 17th 2019, the Veil team decided to deactivate the anonymizing feature from the Zerocoin protocol. It initially prevented the attack from being conducted on the Veil chain.
For Veil, staking rewards can only be paid in zerocoin (and not in basecoin). Hence, the initial fix could not remove reliance on the zerocoin protocol altogether through an immediate hard fork.
This initial fix consisted of a patch requiring all zerocoin spends to carry a signature that links the spend to its mint. In other words, the zero-knowledge proof used to prevent a double spend was replaced by a single signature, which removed the anonymity feature but closed the exploit nonetheless.
Unfortunately, the attack "evolved", and the initial fix did not prevent attackers from stealing funds from the accumulator. As an urgent solution, Veil's team decided to:
Furthermore, the team disabled zero-knowledge proofs, making zerocoins behave in a similar fashion to other (normal) UTXO transactions. However, unlike PIVX, minting and issuing zerocoins were not disabled (as staking was only possible in zerocoin), but privacy features have been non-existent since then.
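Both PIVX (spends of public-mode zerocoins secured by signatures, described in the previous subsection) and Veil (this initial patch) replaced the zero-knowledge membership proof with a signature tying each spend to its mint. The following added example, written for this report and not PIVX's or Veil's code, models that public mode: a mint publishes an identifier and a public key, and a spend is accepted only if it carries a valid signature under that key over the spend itself. The ledger no longer needs an accumulator proof, but every spend names its mint, which is exactly why the text calls these coins de-anonymized. The Schnorr group, mint identifiers and destinations are constructed toy values; the real chains use production-sized signature schemes.

```python
"""Public-mode zerocoin spend bound to its mint by a signature.

Added example; not PIVX's or Veil's code.  It models the stop-gap described in
the text: each mint publishes an identifier and a public key, and a spend is
valid only if it carries a signature, under that mint's key, over the spend
itself.  The validator no longer needs a zero-knowledge membership proof, but
every spend now names its mint, so spends are fully linkable to mints.  The
Schnorr group below is a constructed toy, not the real signature scheme.
"""
import hashlib
import secrets

# Constructed toy group: P = 2*Q_ORDER + 1 is a safe prime and G = 2^2
# generates the subgroup of order Q_ORDER.  Far too small for real use.
P, Q_ORDER, G = 1019, 509, 4

def challenge(r: int, pk: int, msg: bytes) -> int:
    """Fiat-Shamir challenge in [1, Q_ORDER - 1]; never zero, so a signature
    made with the wrong private key can never verify by accident."""
    data = r.to_bytes(2, "big") + pk.to_bytes(2, "big") + msg
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q_ORDER - 1)

def keygen() -> tuple:
    x = 1 + secrets.randbelow(Q_ORDER - 1)  # private key in [1, Q_ORDER - 1]
    return x, pow(G, x, P)

def sign(x: int, pk: int, msg: bytes) -> tuple:
    """Schnorr signature under the claimed public key pk (normally G^x)."""
    k = 1 + secrets.randbelow(Q_ORDER - 1)  # fresh per-signature nonce
    r = pow(G, k, P)
    e = challenge(r, pk, msg)
    return r, (k + e * x) % Q_ORDER

def verify(pk: int, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    e = challenge(r, pk, msg)
    return pow(G, s, P) == (r * pow(pk, e, P)) % P

def spend_message(mint_id: str, destination: bytes) -> bytes:
    """What the spender signs: which mint is redeemed and where the basecoin
    goes, so a signature cannot be replayed towards another payee."""
    return mint_id.encode() + b"|" + destination

class PublicModeLedger:
    def __init__(self) -> None:
        self.mints = {}     # mint_id -> public key published at mint time
        self.spent = set()  # mint_ids already redeemed

    def mint(self, mint_id: str, pk: int) -> None:
        self.mints[mint_id] = pk

    def spend(self, mint_id: str, destination: bytes, sig: tuple) -> str:
        pk = self.mints.get(mint_id)
        if pk is None:
            return "rejected: unknown mint"
        if mint_id in self.spent:
            return "rejected: mint already spent"
        if not verify(pk, spend_message(mint_id, destination), sig):
            return "rejected: bad signature"
        self.spent.add(mint_id)  # the spend is now publicly tied to mint_id
        return "accepted"

def demo() -> list:
    """One constructed mint; a spend signed with the wrong key, the honest
    spend, a replay of it, and a spend naming a mint that does not exist."""
    ledger = PublicModeLedger()
    x, pk = keygen()
    ledger.mint("mint-1", pk)
    msg = spend_message("mint-1", b"bob")
    wrong_key = x + 1 if x < Q_ORDER - 1 else 1  # guaranteed different from x
    good_sig = sign(x, pk, msg)
    return [
        ledger.spend("mint-1", b"bob", sign(wrong_key, pk, msg)),
        ledger.spend("mint-1", b"bob", good_sig),
        ledger.spend("mint-1", b"bob", good_sig),
        ledger.spend("mint-9", b"bob", good_sig),
    ]
```

The double-spend check here is trivial (`mint_id in self.spent`) precisely because the spend names its mint; in the anonymous protocol the same property has to come from the revealed serial number plus a zero-knowledge proof, which is the machinery the 2019 flaw broke.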
In the medium and long term, the team decided to adopt several solutions:
So far, the most prominent solution to consider has been RingCT staking in order to stake anonymously again. In addition, the team has also been working on a new protocol using Supersonic proofs.
Unlike previous incidents, the latest Zerocoin flaw had a broad impact on the existing landscape of privacy coins.
ZCoin, its first implementation (and the largest by market cap), has moved away from the protocol; Sigma has been active since August 2019. As the team had been working on an alternative to the Zerocoin protocol since early 2018, the transition was possible within a very short timeframe following the incident.
PIVX deactivated privacy features from the Zerocoin protocol but has still not revealed the full scope of its plans beyond disclosing its desire to replace the use of Zerocoin entirely. Since the 2019 incidents, zerocoins have been used in a public mode, i.e., in a similar fashion as normal UTXO transactions.
Veil suffered a massive inflation shock, but its team managed to save the project through cooperation with trading venues and giving up a significant part of the founders’ allocation. As a result, its team decided that the Zerocoin protocol shall be fully replaced moving forward, and has since then been working on alternative propositions (e.g., RingCT staking).
This recent incident may mark the end of one of the most emblematic blockchain privacy solutions, hence, accelerating the transformation of the privacy coin landscape. However, Zerocoin, as a protocol, will likely continue to be improved based on various design propositions (e.g., from Equihash co-creator Dmitry Khovratovich), which could potentially solve its most recently discovered cryptographic flaws.
This report benefited greatly from discussions with members of the teams working on the privacy coins mentioned in this report.