A team of academics has identified an issue with the Zerocoin protocol, along with two security flaws in libzerocoin, the software library used for building actual cryptocurrencies around the protocol.
Researchers said they found these three issues to affect at least five cryptocurrencies based on Zerocoin, each in varying degrees. The five are SmartCash, Zoin, Zcoin, Hexxcoin, and PIVX.
The four-man team of academics from Saarland University and the Friedrich-Alexander-Universität Nürnberg-Erlangen in Germany has published its findings in a research paper titled "Burning Zerocoins for Fun and for Profit."
According to researchers, the Zerocoin protocol is affected by a denial-of-spending issue that allows attackers to halt a victim's legitimate transaction and issue a "spend" operation before the legitimate request. This results in the approval of the attacker's "spend" and the rejection of the legitimate transaction, which is marked as a "double spend."
Researchers say this protocol scheme issue affects SmartCash, Zoin, Zcoin, Hexxcoin, and PIVX. Three of the five (PIVX, SmartCash, and Hexxcoin) have disabled the Zerocoin protocol inside their respective cryptocurrency source code, following the disclosure of this issue.
The immediate result of such an action was that all the altcoins mined via the Zerocoin protocol became stuck in users' wallets.
The SmartCash team told researchers they intend to refund owners of unspent coins, while the Hexxcoin and PIVX teams said they plan to re-enable Zerocoin support after the issue has been fixed.
Researchers said that Zoin and Zcoin remain vulnerable to the Zerocoin protocol issue, and recommended that users do not spend funds until the issue they discovered is fixed. To be fair, exploiting such a flaw would require an attacker to gain a network position capable of intercepting the victim's "spend" transactions.
Besides issues in the protocol itself, academics also found two issues affecting libzerocoin, a proof-of-concept C++ library for implementing the Zerocoin protocol.
Here, researchers found an "inflation" bug that allowed an attacker to generate new coins and an issue where the library improperly signed transactions.
These two bugs affected the Zcoin, SmartCash, Zoin, and Hexxcoin currencies, but according to researchers, they have been fixed after the initial report.
None of the three issues is surprising, as the Zerocoin protocol and libzerocoin library have been left for dead for years.
The Zerocoin protocol has been replaced by the Zerocash protocol that now powers the Zcash cryptocurrency, while the libzerocoin library has been abandoned and has featured big, bold security warnings in its README file for years, which have also made it into the Zoin, Zcoin, SmartCash, and Hexxcoin projects.
Users shouldn't be investing in outdated tech to begin with, and as the academic team reasonably recommends: Don't use libraries that come with big bold security warnings.