Stories
Slash Boxes
Comments

SoylentNews is people

posted by on Monday February 20 2017, @07:55PM   Printer-friendly
from the Zerocoin-day-vulnerability dept.

The Zcoin project announced yesterday that a typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price. Zerocoin, also known as Zcoin or XZC, is a cryptocurrency protocol built on top of Bitcoin that implements Zero-Knowledge proofs to guarantee complete financial privacy and anonymity. Zerocoin is the precursor of Zcash and Monero, two similar cryptocurrencies that provide extra anonymity for their users, much more than the standard Bitcoin currency can provide.

According to the Zcoin team, one extra character left inside Zerocoin's source code caused a bug that an unknown attacker discovered and used to his advantage in the last few weeks. "The bug from the typo error allowed the attacker to reuse his existing valid proofs to generate additional Zerocoin spend transactions," the Zcoin team said yesterday. This allowed the crook to initiate one transaction but receive the money multiple times over.

According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks. They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume. Nonetheless, as transactions piled up, the Zcoin team saw that the two sides of their blockchain weren't adding up.

The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000).

Source:

https://www.bleepingcomputer.com/news/security/a-source-code-typo-allowed-an-attacker-to-steal-370-000-zerocoin-592-000-/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday February 20 2017, @10:18PM

    by Anonymous Coward on Monday February 20 2017, @10:18PM (#469464)

    and then sit on it until the statute of limitations expires or you've moved to some special location.

    John Doe indictment filed. Statute of limitations no longer applies. Statute of limitations would only apply if the theft happened, X time goes by, and no charges were filed.

    Special locations... Some do apparently exist. The trick is to continue to have enough money such that you can't find yourself extraordinarily rendered either (a la Dog the Bounty Hunter....)