A Zcash bug could leak metadata revealing the IP addresses of full nodes with shielded addresses (zaddrs).
Duke Leto, a Komodo (KMD) core developer, published a blog post on his personal website. On September 27th, the issue was assigned a Common Vulnerabilities and Exposures (CVE) code for tracking.
“A bug has existed for all shielded addresses since the inception of Zcash and Zcash Protocol. It is present in all Zcash source code forks. It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.” Duke Leto, Komodo (KMD) Core developer
The vulnerability could affect anyone who has provided their zaddr to a third party or published it.
Leto claims that users should consider their “IP address and geo-location information associated with it as tied to […] zaddr.”
Duke Leto claims that users who used only the Tor Onion Routing network, or who never used a zaddr, are not affected by the bug. He added that Zcash is not the only cryptocurrency affected by the bug and provided a ‘non-exhaustive list.’
The cryptocurrencies included in the list are:
Zcash
Hush
Pirate
Komodo smart chains with zaddr enabled by default
Safecoin
Horizen
Zero
VoteCoin
Snowgem
BitcoinZ
LitecoinZ
Zelcash
Ycash
Arrow
Verus
Bitcoin Private
ZClassic
Anon
Duke Leto adds that shielded addresses have been disabled while being transitioned to the Pirate chain, which no longer contains the bug.