ZCash (ZEC) Sensitive Data Potentially Exposed by Bug

A de-anonymization bug could reveal the IP address of nodes that hold a shielded address, potentially affecting several anonymous coins.

The ZCash (ZEC) codebase itself contains a bug that could de-anonymize part of the network. The bug could reveal the IP address of a node that otherwise shields its blockchain address and processes anonymous transactions. The news of the bug follows a series of negative developments for the ZCash project, including a series of delistings and skepticism about financing the developer team.

The bug, reported by Jonathan “Duke” Leto, affects a whole list of widely distributed coins with shielding technology. Using a “zaddr” on those networks could reveal far more information about the user than intended:

“It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.”

The revelation arrives at a time when regulatory scrutiny of networks is increasing, with the potential to track blockchains themselves for information. Paradoxically, not using the anonymous feature protects against the bug. But sharing a zaddr with peers, social media, or exchanges potentially exposes the user’s IP and possibly location. Users that never received funds from a zaddr are also unaffected.

The most prominent forks, Bitcoin Private (BTCP), ZClassic (ZCL), and Anon (ANON), are affected. Horizen (ZEN) is also at risk, along with a list of smaller coins. Bitcoin Gold (BTG), which uses only the hashing technology of ZCash, is not affected, as it is a direct fork of Bitcoin (BTC).

There is a still-untested bug fix in ZCash Core, but so far, users can only mitigate risks by creating a new wallet with a secret zaddr and using the Tor browser when sending digital coins. The bug reporter is working most closely with the Hush (HUSH) project, which is still working to fix the bug.

The metadata leakage bug has been active since 2016. It could potentially lead to attacks against known nodes and their peers, though it may not widely affect the entire network.
