Zcash Bug Could Expose Shielded Full Nodes’ IP Addresses
Zcash (ZEC) nodes with insulated addresses (zaddr) IPs are facing the risk of metadata leak because of a bug in the installed software. The information was revealed by Duke Leto, Komodo (KMD) core developer, through a blog post. To monitor the issue, a Common Vulnerabilities and Exposures (CVE) code has been allotted. Leto elaborated the manner in which the bug exposes IP address:
“A bug has existed for all shielded addresses since the inception of Zcash and Zcash Protocol. It is present in all Zcash source code forks. It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.”
The announcement indicates that all those who have revealed their zaddr or given it to a third party could have been exposed to the vulnerability. Leto asserts that users should look at their “IP address and geo-location information associated with it as tied to […] zaddr.”
As per Leto, users who never employed a zaddr for any other purpose other than over the Tor Onion Routing network or to remit funds are not impacted. Additionally, Leto, through a lengthy list of cryptos, has pointed out that Zcash is not the only crypto in trouble because of the bug.
The list includes cryptocurrencies such as Hush, Komodo and Pirate, in addition to Zcash, with zaddr activated in their smart chain on a default basis. Other cryptos in the list are Safecoin, Zero, Zelcash, Horizen, LitecoinZ, VoteCoin, BitcoinZ, Ycash, Snowgem. Leto also highlighted that Komodo has already made shielded address non-functional and moved it to the Pirate chain, which implies that KMD no longer has such vulnerability.
Electric Coin Company, which unveiled and backs the advancement of privacy-coin Zcash, has released a document explaining a trustless cryptographic mechanism dubbed Halo.