Security Announcement 2016-11-22

Synopsis: A cache invalidation bug may allow an attacker to trigger a chain fork causing pre-1.0.3 nodes to follow an invalid chain. A fix is implemented in zcashd release 1.0.3.

ZcashCo, and several exchanges, wallet vendors, and miners have already deployed a mitigation as well as detectors for this attack vector. No attacks have been detected.

Who is at Risk: Users are at risk only when two conditions are met simultaneously:

  1. They rely on zcashd releases older than 1.0.3, including 1.0.0, 1.0.1, and 1.0.2, AND
  2. A network-wide attack is executed to trigger a chain fork. This requires a majority of miners to run vulnerable software.

Users who rely on third party services should inquire if those services have mitigated this issue. We have collaborated with major exchanges, wallet providers, and miners and they have already mitigated this issue for their services.

Who is not at Risk: Users who meet either of the following two conditions are not at risk:

  1. they have upgraded to zcashd 1.0.3, or rely on a service which has done so, OR
  2. no network-wide attack has succeeded (for example, because a sufficient portion of miners have mitigated the vulnerability).

In other words: individuals and services are protected as soon as they upgrade, and the entire network is protected as soon as a sufficient portion of miners upgrade.

How can at-risk users protect themselves?

  1. Upgrading to zcashd release 1.0.3 is the most certain protection.
  2. For users of third party services (such as exchanges, wallets, or mining pools), check if the service has announced upgrading to zcashd 1.0.3. If it hasn’t, consider pausing use of that service until they announce an upgrade.

How can I tell if an attack is occurring? ZcashCo and several large exchanges, wallet providers, and miners have deployed sensors which detect attacks against this vector. In the event that an attack is detected, the ZcashCo will take the following actions:

  • The Zcash developers will issue an in-band alert, causing all zcashd nodes to announce the potential attack.

  • ZcashCo will always announce known ongoing attacks in these places:

  • ZcashCo will coordinate in private channels with major exchanges, wallet vendors, and mining outfits to alert them of the attack and to post their own announcements.

Note: The major exchanges, wallet vendors, and miners we are in communication with are already protected against such an attack.

Impact: If a network attack is successfully executed (which requires a majority of mining capacity to be vulnerable) then only users running vulnerable clients will follow a chain fork that is invalid. Transactions on that fork will be rolled back as more miners upgrade to the valid fork.

Technical Background: Due to a cache invalidation bug, some nodes on the Zcash network will accept particular invalid transactions as valid [1]. If a majority of the network hashrate accepts an invalid transaction as valid, there could be a chain fork.

Followup Announcements:

  • See the security notifications page for further updates on this issue, and any future security issue.
  • Continue to check this blog.
[1] Note that transaction validity is well specified by our protocol specification, Zcash protocol specification, v2016.0-beta-1.10; It is unambiguous that this security flaw is an implementation bug.