These past few weeks have been a roller coaster ride for SmartCash. The project got a lot of media exposure and attention, but at the same time we’ve been plagued by a series of issues that caused a lot of bitterness in our community and rightfully so.
We’ve been battling tiresome Zerocoin-related node sync issues for the past few weeks. Most of the recent hiccups we’ve faced were Zerocoin related. Our October SmartRewards snapshot delay, exchange listing delays and deposit/withdrawal issues were all Zerocoin related.
Yesterday, another Zerocoin-related incident happened. We found that our pool server nodes were running under high CPU load. Upon closer inspection, every block contained a renew transaction, and the calculations for those transactions were taking up the CPU time. An attacker discovered a vulnerability in our Zerocoin code and was able to renew and reclaim 2.1 million new coins using this vulnerability. This was the straw that broke the camel’s back in terms of Zerocoin-related issues, and it forced us to turn off all Zerocoin-related features. Had this been a legitimate user trying to renew coins, the network slowdown would have had the same effect, which again tells us the Zerocoin code isn’t yet ready to be used.
A Zerocoin-related supply bug was discovered earlier this year by the Zcoin project: https://zcoin.io/important-announcement-zerocoin-implementation-bug/. It seems, however, that not all security holes were plugged since this incident took place. The Zerocoin code seems to have other vulnerabilities which could be exploited by potential attackers. After doing some research, we have discovered that Zcoin, another project using Zerocoin tech, suffered a similar exploit, even though they are yet to issue a statement. Over 14k Zcoins that shouldn’t exist have been created using this exploit between November 1st and November 4th. The attack on the SmartCash network took place after Zcoin got attacked and after their devs released a quick Sunday patch to stop the bleeding. The attack could have been prevented had they told us about it. Hopefully, we will all learn to work together in the future. We can’t say for sure if other Zerocoin-based coins like PIVX also got attacked, but looking at the recent Zerocoin PIVX action, that may have been the case: during a 15-hour period, between Block 892275 (2017-11-06 17:41:03 CET) and Block 893145 (2017-11-07 08:19:16 CET), more than 260K more PIVX were reclaimed/spent than minted/renewed.
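The comparison made above for PIVX, reclaimed/spent versus minted/renewed, can be run as a supply audit over block data. The sketch below is an added example, not code from SmartCash, Zcoin or PIVX; the event tuples and function names are hypothetical and the sample data is constructed. It goes beyond the window comparison in the text by also checking the stricter invariant that every spend of a denomination must be backed by an earlier, still unspent mint of that denomination.

```python
from collections import defaultdict

# Constructed sample events, not real chain data: (block_height, kind, denomination).
# "mint" corresponds to minted/renewed coins, "spend" to reclaimed/spent coins.
SAMPLE_EVENTS = [
    (100, "mint", 10), (101, "mint", 10), (102, "spend", 10),
    (103, "mint", 100), (104, "spend", 10),
    (105, "spend", 10),    # third spend of denomination 10, only two mints exist
    (106, "spend", 100),
    (107, "spend", 100),   # second spend of denomination 100, only one mint exists
]

def audit_pool(events):
    """Replay events in height order and flag spends with no unspent mint behind them.

    Returns (violations, excess_value): violations is a list of (height, denom)
    and excess_value is the total value created out of nothing.
    """
    outstanding = defaultdict(int)   # unspent minted coins per denomination
    violations = []
    for height, kind, denom in sorted(events, key=lambda e: e[0]):
        if kind == "mint":
            outstanding[denom] += 1
        elif kind == "spend":
            if outstanding[denom] == 0:
                violations.append((height, denom))   # supply invariant broken
            else:
                outstanding[denom] -= 1
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return violations, sum(denom for _, denom in violations)

def window_net(events, start, end):
    """Value spent minus value minted inside [start, end].

    A positive result is only a signal for review: coins minted before the
    window can legitimately be spent inside it.
    """
    net = 0
    for height, kind, denom in events:
        if start <= height <= end:
            net += denom if kind == "spend" else -denom
    return net

if __name__ == "__main__":
    print(audit_pool(SAMPLE_EVENTS))
    print(window_net(SAMPLE_EVENTS, 104, 107))
```

Replaying from the first Zerocoin block gives a definite answer, while a window figure such as the 15-hour one above only shows where to start looking.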
In order to try and remedy some of the damage, we plan to burn a corresponding amount of SmartCash from the SmartHive address to make sure the current supply stays unchanged.
Furthermore, in order to create a stable environment for our users, we have decided to remove the Zerocoin code to give the developers the chance to improve it, since it’s clearly not ready for prime time yet. This will help immediately alleviate a lot of the frustration some people have been having when it comes to long sync times and sync freezes. Please go ahead and download our new client. This is a mandatory update! https://smartcash.cc/get-smartcash/