Zerocoin issued a statement yesterday regarding a bug in the implementation of Zerocoin. The company elaborated on the breach and said that a typographical error of a single additional character in the code had allowed an attacker to create Zerocoin spend transactions without a corresponding mint.
Zerocoin stated that they have identified the error and are pushing the fix urgently within the next 24 hours. They also urged all pools and exchanges to update once the release is out.
According to the company’s investigations, the attacker (or attackers) is believed to be very sophisticated. The attacker took several measures to camouflage their tracks, such as generating many exchange accounts and carefully spreading out deposits and withdrawals over several weeks.
By Zerocoin’s estimate, the attacker created about 370,000 Zcoins, almost all of which, except for about 20,000+ Zcoin, have been sold and absorbed by the market for a profit of around 410 BTC. The damage has therefore already been mostly absorbed by the markets.
Zerocoin also clarified its position by explaining that the breach occurred due to a bug in the code and does not by any means signify any weakness in the cryptography. The bug allowed the attacker to reuse their existing valid proofs to generate additional Zerocoin spend transactions, and this is how the attack unfolded.
The statement also set the record straight regarding the anonymity of Zerocoin, maintaining that it has not been compromised. It was because the total supply is verifiable and there are no hidden-amount transactions that they were able to discover this bug.
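The kind of check a verifiable supply makes possible can be sketched as follows. This is an added example, not Zerocoin's code: the ledger model, the `Tx` fields and the `proof_id` label are assumptions made for illustration, and the sample ledger is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    height: int          # block height
    kind: str            # "mint" or "spend"
    amount: int          # coins entering (mint) or leaving (spend) the pool
    proof_id: str = ""   # hypothetical identifier of a spend proof

def audit(ledger):
    """Return (first height where total spends exceed total mints, or None,
    and a dict of proof_id -> heights for every proof spent more than once)."""
    minted = spent = 0
    first_deficit = None
    seen = {}
    # Process mints before spends inside the same block.
    for tx in sorted(ledger, key=lambda t: (t.height, t.kind != "mint")):
        if tx.kind == "mint":
            minted += tx.amount
        elif tx.kind == "spend":
            spent += tx.amount
            seen.setdefault(tx.proof_id, []).append(tx.height)
            if first_deficit is None and spent > minted:
                first_deficit = tx.height
        else:
            raise ValueError(f"unknown transaction kind: {tx.kind!r}")
    reused = {p: h for p, h in seen.items() if len(h) > 1}
    return first_deficit, reused

# Constructed sample ledger: 60 coins minted, proof "p2" spent three times.
LEDGER = [
    Tx(100, "mint", 10), Tx(101, "mint", 25), Tx(102, "mint", 25),
    Tx(105, "spend", 10, "p1"),
    Tx(110, "spend", 25, "p2"),
    Tx(112, "spend", 25, "p2"),   # reuse; totals still balance (60 vs 60)
    Tx(125, "spend", 25, "p2"),   # reuse; spends (85) now exceed mints (60)
]

if __name__ == "__main__":
    deficit_height, reused = audit(LEDGER)
    print("supply check first fails at height:", deficit_height)
    print("proofs spent more than once:", reused)
```

In this model the supply total only goes out of balance once the extra spends outnumber the unspent honest mints, while the per-proof check flags the first reuse.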
Zerocoin did admit the severity of the hack but refused to forfeit or blacklist any coins. Trading of the coins will resume once pools and exchanges update their code.
The exchanges were already informed about the hack in order for them to assist in the investigations.
The statement ended with an apology to users for the silence on the issue before its release, explaining that the company wanted to make sure of all the relevant facts before going public with the news. They also thanked users for their understanding and thanked the people who assisted them on this matter.
More details regarding the hack will be posted in a later update, according to the statement.