Zcash Company, behind the development of Zcash cryptocurrency, revealed the details of the vulnerability that allowed attackers to create an unlimited number of non-existent ZEC coins.
According to a company blog report, March 1, 2018, Zcash cryptographer Ariel Gabizon discovered a vulnerability in the zk-SNARKS protocol, which Zcash uses to hide balances and user data.
Cryptocurrency developers decided not to disclose the details of the problem by including a patch in the update of the Zcash Sapling protocol, which was activated in late October. And only now the project team has publicly disclosed the circumstances of the incident.
The vulnerability was specific to counterfeiting and did not affect user privacy in any way. Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.
Also, developers note that the detection of vulnerability required an advanced level of technical and cryptographic knowledge that few possess.
After the discovery of the vulnerability, Zcash Company took "exceptional measures" to minimize the possibility of its operation, and also notified other cryptocurrency teams using the zk-SNARKS protocol, including Horizen and Komodo, about its existence.