A bug on the Zcash network could lead to most users having their information leaked, claims Duke Leto, a community member who has occasionally contributed to the project, on a blog post on his own website.
The post summarizes the following:
“A bug has existed for all shielded addresses since the inception of Zcash and Zcash Protocol. It is present in all Zcash source code forks. It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.”
A fatal Zcash flaw
L1eto goes on, stating that anyone who has given out their zaddr on social media, in a bug report, to an exchange, or as a reply to a memo may very well be affected. However, if a user has never used a zaddr, they should be fine.
A list of assets that have been affected:
- Zcash (ZEC)
- Hush (HUSH)
- Pirate (ARRR)
- All Komodo (KMD) smart chains with zaddrs (enabled by default)
- Horizen (ZEN)
- Zero (ZER)
- VoteCoin (VOT)
- Snowgem (XSG)
- BitcoinZ (BTCZ)
- LitecoinZ (LTZ)
- Zelcash (ZEL)
- Ycash (YEC)
- Arrow (ARW)
- Verus (VRSC)
- BitcoinPrivate (BTCP)
- ZClassic (ZCL)
- Anon (ANON)
Overall, those that have been affected can use this link to track the goings-on of the flaw.
