Auditing Zcash

Our mission is to make the first open financial technology with zero-knowledge privacy, for every person in the world to use. To that end we are commissioning multiple security audits and design evaluations, and will publish the results in full.

Audit Strategy

Zcash combines novel cryptography with blockchain consensus, and our reference implementation is a C++ networking application. Our auditing strategy is to engage experts with different specializations and have each focus on a different aspect of the system: cryptography, cryptocurrency (especially Bitcoin), C++, networking, and traditional application security.

Auditors and Consultants

Given our strategy, we’ve initiated two audits and one design analysis with leading experts in different areas. Each consultant will have their own distinct scope and focus, which will be clearly delineated in their respective reports.

NCC Group – Having worked alongside NCC Group while on the Least Authority auditing team, we were impressed by their skill as security auditors of cryptographic software.

Coinspect – When we wanted to find cryptocurrency specialists, Coinspect quickly came to mind. They’ve published many innovative protocol designs, as well as insightful analyses.

Solar Designer – We chose Solar Designer because he is a well-known old-school hacker: he developed return-to-libc (ret2libc), which started the move from injected code (shellcode) to borrowed code, and he developed the first generic heap-based buffer overflow exploitation technique (attacking “unlink”, the allocator operation that coalesces adjacent chunks when an allocation is freed).

We are proud to work with teams that, like us, value open source, and aim to create accessible and secure systems for everyone.

Scope

We are focusing our audits on specific components:

  • zkSNARK cryptography (e.g., libsnark)
  • Zcash cryptographic construction (our “zk-SNARK circuit”)
  • Proof of Work algorithm – Equihash
  • Consensus changes (from Bitcoin)
  • Specification adherence
  • C++, race conditions, networking, buffer overflows, dependency management

We have a limited budget and schedule so we must be selective in our focus. In selecting the audit scope, we’re relying on a few assumptions that we believe mitigate security risk:

  • Bitcoin Core has survived for ~7 years controlling billions of dollars’ worth of funds, and is thus well tested in the wild. We will focus primarily on our changes from Bitcoin, although we are doing some auditing for memory safety problems in code that hasn’t changed from Bitcoin Core and its dependencies.
  • The zkSNARK cryptographic technique is peer-reviewed, so we won’t look for breakthroughs there.
  • We use only a subset of libsnark, so we’ll ignore the parts we don’t use [1].
  • The Zcash circuit is modified from the peer-reviewed Zerocash circuit, so we will focus more on the changes than the whole construction.

Schedule

The first audits have already begun, and we may schedule further audits to gain more confidence in our security at launch. The aim of thorough auditing is to find and mitigate vulnerabilities and lessen risk; this thoroughness is one reason for our launch delay. We described this schedule change in our Zcash Sprout Launch post.

Understanding Risk

For an open, permissionless system to be viable, users must be able to justifiably rely on its security and robustness. Ensuring this is a daunting task. The best service we can provide for potential users of Zcash is to make sure they understand the associated risks as well as possible.

Security audits and algorithm analyses are not guarantees of safety or correct operation. Each consultant is focused on a specific kind of analysis and cannot vouch for the entire system, nor do they necessarily endorse Zcash as a whole.

Conclusion

Zcash is based on peer-reviewed cryptographic research, and built by a security-specialized engineering team on an open source platform based on Bitcoin Core’s battle-tested codebase. Publishing multiple security audits is yet another example of our best effort at deploying a system designed to withstand the demands of world-wide financial infrastructure.

— Nathan Wilcox, 2016-08-17

[1] We have created a libsnark fork that removes the portions unused by Zcash.