ZenCash Update noon on Friday Jun 9, 2017
ZenCash is still under the threat of a replay attack, and the ZenCash team is getting closer to having a solution to the problem. Here is a brief update to keep everyone in the loop.
The replay threat to ZenCash right now is that a transaction already completed on Zclassic can be accepted into a ZenCash node's mempool and then placed into a block on the ZenCash blockchain. Because the two blockchains and their address formats are so similar, the same transaction is valid on both, so it would then be broadcast and confirmed on the Zen blockchain as well.
There are some ways to mitigate the attack for anyone who has control of their wallet. The best thing to do, if you have not made any Zclassic transactions from your wallet so far, is to wait to make any Zclassic or ZenCash transactions until the issue is fixed. Another way to mitigate the problem is to create a second ZenCash address and send your ZenCash to it. At that point there are no ZenCash UTXOs left that a Zclassic transaction could replay. Older Zclassic transactions can be replayed as well, however, so how well this works depends on your transaction history. We are uncertain whether ZenCash transactions can be replayed back to Zclassic, so holding off on transactions might be best.
The replay protection was originally put in place in the ZenCash node software, and was set to expire after 4096 blocks. In the update, this protection is extended to all blocks going forward.
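To make the replay mechanics and the two mitigations above concrete, here is an added Python model; it is not ZenCash or Zclassic node code. Two chains start from the same pre-fork UTXO set, and a node accepts a transaction only if its inputs are unspent on that chain and, while replay protection is active, the transaction carries a chain-specific tag. The fork height, the tag mechanism, the address names and the amounts are constructed assumptions; the 4096-block window and the rule that extends protection to all blocks going forward are the ones the post describes.

```python
"""Toy model of a post-fork replay between two chains that share history.

Added illustration, not ZenCash/Zclassic node code. The UTXO model, the
chain tag and the constants below are simplified assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FORK_HEIGHT = 110_000       # constructed value, not the real fork height
ORIGINAL_WINDOW = 4096      # blocks the original protection lasted (from the post)


@dataclass(frozen=True)
class Outpoint:
    txid: str
    index: int


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]
    outputs: List[Tuple[str, float]]        # (address, amount)
    chain_tag: Optional[str] = None         # None = no chain marker, so replayable


class Chain:
    """A chain here is just its UTXO set plus its name (the tag it expects)."""

    def __init__(self, name: str, utxos: Dict[Outpoint, Tuple[str, float]]):
        self.name = name
        self.utxos = dict(utxos)            # private copy so chains diverge

    def accepts(self, tx: Tx, require_tag: bool) -> bool:
        # 1. every input must still be unspent on this chain
        if any(op not in self.utxos for op in tx.inputs):
            return False
        # 2. while replay protection is active, the tx must name this chain
        if require_tag and tx.chain_tag != self.name:
            return False
        return True

    def apply(self, tx: Tx) -> None:
        for op in tx.inputs:
            del self.utxos[op]
        for i, out in enumerate(tx.outputs):
            self.utxos[Outpoint(tx.txid, i)] = out


def protection_active(height: int, fork_height: int, window: Optional[int]) -> bool:
    """Original rule: protected only for `window` blocks after the fork.
    Extended rule (window=None): protected for every block going forward."""
    if height < fork_height:
        return False
    return window is None or height < fork_height + window


def build_chains() -> Tuple[Chain, Chain]:
    # constructed pre-fork output that both chains inherit
    prefork = {Outpoint("prefork_tx", 0): ("shared_addr", 10.0)}
    return Chain("ZCL", prefork), Chain("ZEN", prefork)


def demo() -> Dict[str, bool]:
    zcl, zen = build_chains()
    height = FORK_HEIGHT + 5000          # past the 4096-block window
    # an ordinary (untagged) Zclassic spend of the shared output
    zcl_tx = Tx("zcl_spend", [Outpoint("prefork_tx", 0)], [("merchant", 10.0)])
    out = {}
    out["zcl_accepts"] = zcl.accepts(zcl_tx, require_tag=False)
    out["zen_replay_original_rule"] = zen.accepts(
        zcl_tx, require_tag=protection_active(height, FORK_HEIGHT, ORIGINAL_WINDOW))
    out["zen_replay_extended_rule"] = zen.accepts(
        zcl_tx, require_tag=protection_active(height, FORK_HEIGHT, None))
    # wallet-side mitigation from the post: sweep Zen funds to a fresh address
    _, zen_swept = build_chains()
    sweep = Tx("zen_sweep", [Outpoint("prefork_tx", 0)],
               [("fresh_zen_addr", 10.0)], chain_tag="ZEN")
    zen_swept.apply(sweep)
    out["zen_replay_after_sweep"] = zen_swept.accepts(zcl_tx, require_tag=False)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under the original rule the Zclassic spend replays onto the modelled Zen chain once the window has lapsed; under the extended rule it is rejected at every post-fork height, and once the Zen funds have been swept the replay fails regardless of the rule because its input is already spent.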
If everyone were running the latest ZenCash node software there would not be a problem, because every mining pool operator and solo miner whose node can accept transactions into the mempool would be running software that protects the blockchain. Right now that upgrade is non-mandatory, and nodes on older versions of the software are still vulnerable.
The Zen team is discussing the best course of action to take, and encourages all mining pool operators and solo miners to stay abreast of the latest announcements.
Funds are currently accumulating in the ZenCash treasury at the rate of 8.5% of every block mined. These funds will be used by the Zen leadership to bootstrap the building of a complete development, operations, and communications team.
With the ability to hire and contract talented contributors, Zen will be able to continue working through the goals outlined in the Zen White Paper.
Future ZenCash communications will be based on a new domain name, zensystem.io. Look for us there!
New ZenCash website – https://www.horizen.io/
New ZenCash blog – https://blog.horizen.io
New ZenCash Github – https://github.com/HorizenOfficial
Also published on Medium.
Kit Sunde
June 9, 2017 @ 4:35 pm
I understand the particular developer in question claims he hasn’t been paid since November. Whether or not that’s true, it doesn’t change how irresponsible and unprofessional it is to publicly announce 0-days (by him).
The ZenCash team should communicate how it wishes to receive security vulnerabilities and the policy surrounding that. Industry standard practice asks security researchers for a 90-day timeline to fix affected systems before the researchers can announce, unless an attack is in the wild or the information is already being passed around.
It should’ve been clear that security vulnerabilities should only be announced through official channels like this blog or Twitter, and not by individuals in front of 100 people on Slack.