SmartCash Zerocoin related issues and the path forward


#1

These past few weeks have been a roller coaster ride for SmartCash. The project got a lot of media exposure and attention, but at the same time we’ve been plagued by a series of issues that caused a lot of bitterness in our community and rightfully so.

We’ve been battling tiresome Zerocoin related node sync issues for the past few weeks. Most of the recent hiccups we’ve faced were Zerocoin related. Our October SmartRewards snapshot delay, exchange listing delays and deposit/withdrawal issues were all Zerocoin related.

Yesterday, another Zerocoin related incident happened. We found that our pool server nodes were running under high CPU load. Upon closer inspection every block had a renew transaction and that was taking up the CPU time with calculations. An attacker discovered a vulnerability in our Zerocoin code and was able to renew and reclaim 2.1 million new coins using this vulnerability. This was the straw that broke the camel’s back in terms of Zerocoin related issues, which forced us to turn off all Zerocoin related features. Had this been a legitimate user trying to renew coins, the network slowdown would have had the same effect, which again tells us the Zerocoin code isn’t yet ready to be used.

A Zerocoin related supply bug issue was discovered earlier this year by the Zcoin project: https://zcoin.io/important-announcement-zerocoin-implementation-bug/ It seems, however, not all security holes were plugged since this incident took place. The Zerocoin code seems to have other vulnerabilities which could be exploited by potential attackers. After doing some research, we have discovered that Zcoin, another project using Zerocoin tech, suffered a similar exploit, even though they are yet to issue a statement. Over 14k Zcoins that shouldn’t exist have been created using this exploit between November 1st and November 4th. The attack on the SmartCash network took place after Zcoin got attacked and after their devs released a quick Sunday patch to stop the bleeding. The attack could have been prevented had they told us about it. Hopefully, we will all learn to work together in the future. We can’t say for sure if other Zerocoin based coins like PIVX also got attacked, but looking at the recent Zerocoin PIVX action, that may have been the case: during this 15-hour period, between Block 892275 2017-11-06 17:41:03 CET and Block 893145 2017-11-07 08:19:16 CET, more than 260K more PIVX were reclaimed/spent than were minted/renewed.

In order to try and remedy some of the damage, we plan to burn a corresponding amount of SmartCash from the SmartHive address to make sure the current supply stays unchanged.

Furthermore, in order to create a stable environment for our users, we have decided to remove the Zerocoin code to give the developers the chance to improve it, since it’s clearly not ready for prime time yet. This will help immediately alleviate a lot of the frustration some people have been having when it comes to long sync times and sync freezes. Please go ahead and download our new client. This is a mandatory update! https://smartcash.cc/get-smartcash/
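The post spots the attack two ways: renew transactions in every block driving CPU load, and more coins reclaimed than were ever minted over a block range. The following is an added illustration of that accounting check, not SmartCash's, Zcoin's or PIVX's code; the block records, denominations and counts are constructed for the example, and "mints" and "spends" stand in for the renew and reclaim transactions the post describes.

```python
from collections import defaultdict

# Constructed sample chain (not real block data): each block lists Zerocoin
# mints (renews) and spends (reclaims) as (denomination, count) pairs.
SAMPLE_BLOCKS = [
    {"height": 100, "mints": [(10, 3), (100, 1)], "spends": []},
    {"height": 101, "mints": [(10, 1)], "spends": [(10, 2)]},
    {"height": 102, "mints": [], "spends": [(100, 1)]},
    {"height": 103, "mints": [], "spends": [(10, 2), (100, 2)]},  # 3 x 100 spent, 1 minted
    {"height": 104, "mints": [], "spends": [(10, 1)]},            # 5 x 10 spent, 4 minted
]


def audit_zerocoin_supply(blocks):
    """Walk blocks in height order, tracking cumulative mints vs spends per
    denomination. A spend count that exceeds the mint count for a denomination
    means coins were reclaimed that were never minted, i.e. supply inflation.
    Returns (alerts, net_value): alerts are (height, denomination, excess)
    tuples; net_value is total value spent minus total value minted."""
    minted = defaultdict(int)
    spent = defaultdict(int)
    alerts = []
    for blk in sorted(blocks, key=lambda b: b["height"]):
        for denom, n in blk["mints"]:
            minted[denom] += n
        for denom, n in blk["spends"]:
            spent[denom] += n
            if spent[denom] > minted[denom]:
                alerts.append((blk["height"], denom, spent[denom] - minted[denom]))
    value_minted = sum(d * n for d, n in minted.items())
    value_spent = sum(d * n for d, n in spent.items())
    return alerts, value_spent - value_minted


def spend_streak(blocks):
    """Longest run of consecutive blocks that each carry at least one spend.
    A streak covering every recent block matches the 'renew transaction in
    every block' symptom that showed up as pool-node CPU load."""
    best = run = 0
    for blk in sorted(blocks, key=lambda b: b["height"]):
        run = run + 1 if blk["spends"] else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    print(audit_zerocoin_supply(SAMPLE_BLOCKS))  # alerts at heights 103 and 104
    print(spend_streak(SAMPLE_BLOCKS))
```

On real data the same walk would be run over the chain's own Zerocoin mint and spend records per denomination; the first alerting height is where the over-spend began.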


#2

This is what I love about the SmartCash team, very upfront and honest every step of the journey. Keep up the great work guys!!!


#3

Glad you guys discovered this so quickly! Good job on being first to disclose this. Interesting to see how the market reacts…


#4

This explains the sell-off we’ve been experiencing in the past two weeks or so. Good to know it’s over.


#5

I appreciate how you handle this.


#6

Good work guys, this seems like a very reasonable decision on your part!


#7

How does removing the ZeroCoin code impact SmartCash? Is there something lost or gained in terms of security and/or features? I wish I had waited until this update. The wallet sync on 0.10 took over 12 hours from scratch… and I had gotten only to 48 hours left. Had to let it run overnight to fully sync. That was painful.


#8

@SmartSun Zerocoin (renew/reclaim) is the privacy feature implemented into SmartCash, and will not be available for the time being.
While a select few from the development team will be tasked to improve upon the code, disabling the feature will in the meantime give us stability and fewer sync issues, so that the remaining development team can spend more time on new features, accessibility and tools, instead of support.


#9

Yes, I see what you mean.



#10

How many coins will be burned and when?

Thanks dev team great work :wink:


#11

As much as I love our forum, we should have a way to display the most important threads in a way nobody can miss them. I bet there’s a lot of people who’ll miss the client update.


#12

:smile: GO GO GO SmartCash, go to the moon, thanks Dev


#13

It’s a shame what happened, but I want to thank the SmartCash team for doing the right thing and being open and honest in this situation. Thank you guys, onwards and upwards!


#14

My reclaim has been unconfirmed for 3 days. How long will it be until it is confirmed? 00110


#15

I think it has been done, that is why the market cap went down while the price went up.


#16

Please contact dev team


#17

Actually I was wrong, it appeared Coinmarketcap decided to add a circulating supply which is equivalent to the community funds. They have subtracted it from the total supply and use it as market capitalization for SmartCash.


#18

So, apparently Cryptopia just disabled Smartcash wallet. Instead of updating to the latest version currently available, it seems like they’re going to wait for another version with Zerocoin issues fixed:

“New Zerocoin protocol exploit found. Wallet offline until a protocol fix is developed”.

So that means what, that we might have to wait another week or two, or a year, before that fix is developed? Cause from the posts in this thread I’ve got the impression that the Smartcash team isn’t developing any fixes and it’s up to Zerocoin team to do the fixing. Or am I wrong (I hope so)?


#19

We gave all exchanges 2 days’ notice to upgrade and had the new version ready at that time. We also sent several reminders by every channel of communication possible. The only thing that was necessary was to close the daemon, replace it with the new file, and start it up.

This new version puts zerocoin transactions on hold to stop any further zerocoin exploits. Exchanges don’t use the zerocoin features anyway, so this shouldn’t be an issue for them. Normal transactions are still active and syncing works better with the latest version.

We are working on a fix to activate zerocoin features again. But understand this isn’t an easy task and it isn’t likely to be a 1-week fix.


#20

Do you have a list of exchanges where SMART is listed? Cryptopia looks a bit unreliable.