Michael del Castillo,
A venture-backed cryptocurrency with the promise to provide truly anonymous transactions is scheduled to launch in beta today, a move that will mark the latest in a detailed and expensive process to help ensure as many bugs as possible are removed before its blockchain supports real transactions.
Created from a fork of the bitcoin blockchain, Zcash is designed to cloak the addresses of both the counterparties participating in a transaction as well as the amount transacted.
If successful, the privacy-oriented, public blockchain could eventually form the foundation of an ecosystem of distributed applications built by both consumers and big banks looking for a more private means to transact.
Not only are the eyes of the cryptocurrency community closely watching this development, but so are would-be hackers looking for a high-value target.
So, to help ensure the soundness of this new protocol, the currency’s creators, Zcash Electric Coin Company, are spending a quarter of their recent $1m venture capital investment to hire three separate auditing firms. The high-stakes environment where even competing cryptocurrencies might stand to benefit calls for a higher standard of due diligence, according to veteran cryptographer Zooko Wilcox, one of Zcash’s founders.
In an interview with CoinDesk, Wilcox explained the difficulties of balancing the almost impossible task of perfectly audited code, with limited financial resources.
He said:
“The sad, unfortunate fact is that with a large codebase it’s impossible to find all the bugs. When you’re doing this kind of security process, you have to choose a scope of what’s most dangerous.”
To the address the problem, Wilcox focused the auditors’ attentions on the changes his team has made to the bitcoin protocol’s code.
After seven years of running without a hack, that part at least, can be set aside with at least some confidence.
In particular, Zcash narrowed its scope to six components, including the zkSNARK cryptography built on libsnark, the cryptographic construction of the “zk-SNARK circuit” and the Equihash proof-of-work algorithm.
“There isn’t any way to look at a big codebase and know it is safe in general,” said Wilcox. “You have to look at a big gray area that’s more safe or less safe.”
A moving target
The first step in performing an audit is to select the auditors. While this may seem obvious, the actual process of making the selection isn’t always easy, as the collaboration requires a lot of trust and could include difficult conversations.
For Zcash’s first audit, which has been under way since August, Wilcox called in London-based NCC Group, a partner from a previous audit he conducted with his own security firm, Least Authority.
The publicly traded NCC Group’s principal security consultant, Alex Balducci, was tasked to analyze third-party dependencies such a libsnark. Specifically, Balducci broke down the analysis into two categories: reviewing the implementation of the Zcash protocol and an audit of the source code.
Early conclusions of the audit resulted in multiple recommendations involving the way Zcash is developed. Specifically, he has advocated for the inclusion of tools to help identify coding issues during development.
“This process should be something that touches all aspects of a company,” Balducci told CoinDesk. “Developers should have an awareness of the various security issues, policies should be set in place to enhance and adapt to changing security threats, audits should be performed and plans for worst-case scenarios formed.”
Guns and Frappuccinos
Later this month, NCC Group will be joined by two other auditors in the process of helping minimize bugs and other vulnerabilities in the code.
Due in part to Argentina-based Coinspect’s history of publishing “innovative” protocol designs, Zcash tasked the firm to validate specific threats, protocols and algorithms that only occur for cryptocurrencies.
The founder of the veteran security firm, which has audited implementations including Bitcoin Core, ethereum, monero, counterparty and bitcoinj says that cryptocurrencies prove an especially alluring target because some of the data at stake also has a corresponding token value.
CoinSpect’s Juliano Rizzo compared the launch of Zcash with the launch of bitcoin. He said that when bitcoin launched, there were few if any people with the diverse skill sets necessary to hack a cryptocurrency — skills which he estimates include cryptography, familiarity with GPU-internals, awareness of ASIC-design, regulation, economics and social dynamics.
One strategy Rizzo said he looks for in his clients to help reduce the risk of theft is smart contracts that allow companies to store cryptocurrency in cold storage and that include reversible time-locked vaults so “illegally triggered” transactions can be reversed.
But even as defenses against hacks have become more sophisticated since the early days of bitcoin, so to have the attackers.
Rizzo said:
“To physically steal bags of cash from a bank in minutes, you need a gang with different skills, including firing guns and digging tunnels while pretending to sell butter cookies. A cryptocurrency theft can be carried on quietly by a single hacker enjoying a Frappuccino in a coffee shop.”
The greater responsibility
Another auditor scheduled to begin work in September is Alexander Peslyak, better known as Solar Designer. His particular focus was on the Equihash proof-of-work algorithm.
In addition to being the founder and CTO of Openwall, Solar Designer is an advisor to the Open Source Computer Emergency Response Team that provides security support to open-source projects.
In interview with CoinDesk, Solar Designer explained the difficult task that other founders building cryptographically based startups face when trying to balance the nearly impossible task of creating a completely debugged codebase with a limited budget.
Solar Designer agreed with statements made individually by each of the other auditors that a perfectly debugged codebase of any “non-trivial” size “not only can’t be achieved — it can’t even be defined.”
Even with a $250,000 auditing budget, Zcash was forced to narrow the scope of its efforts to just those areas that weren’t already largely debugged.
But for startups that aren’t funded or don’t have another source of capital, Solar Designer said that the level of due diligence required changes from project to project. In the end, he said it’s up to the auditors themselves to communicate the limitations of each project.
But that doesn’t mean the diligence is optional.
“It is typical to adjust scope to budget, and the range can vary by an order of magnitude or more,” he wrote. “Can’t afford any? That’s tough.”
The ‘half-life of doubt’
Zcash is scheduled to launch into beta today with all its features live.
But Wilcox is seeking to discourage the accumulation of any large amount of wealth on the blockchain between now and the full launch slated to occur on 28th October.
Even then, he said he hopes the growth-rate of the currency’s value occurs slowly.
If a codebase is complicated enough, there truly are no guarantees. He calls it the “half-life of doubt”, or the idea that every year that goes by without a hack his confidence increases – but it may never reach absolute certainty.
Even though Zcash is based on the as-yet un-hacked bitcoin code base, Wilcox said he’s not 100% confident it might not someday be compromised.
“The only thing that will make me satisfied,” said Wilcox, “is that if years and years go by with more and more money.”
Trial by fire
There’s two ways to ensure the security of a system.
The first is what security expert Bruce Schneier famously described as “security through obscurity” in a 2008 article. This, arguably, was the state of bitcoin’s security through its early years, when few people knew it existed, and those who did are generally believed to have had the cryptocurrency’s best interests in mind.
The second form of security though is what Wilcox calls “trial by fire.”
Months before he hired auditors to take apart the code and look for weaknesses, the code was published on Github and the public was invited to search for bugs. As a result, multiple vulnerabilities were identified even before the formal audits began.
But the actual bugs exposed in a complex system like a cryptocurrency codebase are a factor of the actual bugs, and the exposure, or value, riding on the product, according to Wilcox.
Inviting additional outside auditors to review the cryptocurrency code accelerates that rate of exposure.
Wilcox concluded:
“You force yourself not to go through a trial by fire. And you want it to be seen by as many eyes as possible.”