So for each of the affected projects, there may be wallets that forged an arbitrary amount of currency using the exploit, which cannot be confirmed by an audit of the blockchain due to its private nature?
Possibly. The affected projects are mostly libraries. Other than Zcash there are (I think) still relatively few projects that use ZKPs for cryptocurrency, due to performance and other issues.
mike_hearn|3 years ago
One of those other issues being this - ZKPs are notoriously hard to implement correctly. This isn't the first time such an issue has arisen. Whilst this one specifically might not break any major cryptocurrencies, a bug in one of the classic zk-SNARK papers led to Zcash being totally broken some years ago. The developers kept it a secret even from their own head of security and proceeded to try to clean up the mess whilst lying about what they were doing/why, which just made it worse.
A big problem with using ZKPs to secure a currency is that if a flaw is ever found in them it's impossible to prove that it wasn't abused. Typically it's as you say: anyone who knew could have forged any amount of currency and done so undetectably. There is no audit trail and no way to prove this didn't happen. It raises fundamental questions about the social contract of these systems. If you assume that eventually a breach will occur, and that when it does it can completely destroy faith in the currency, should such a currency be used at all? Imagine the nightmare scenario where such a bug isn't found by white hats but rather by people working for criminal gangs, hostile foreign governments, a Mafia, etc., and they manage to abuse it for years without being detected. Or even worse, someone who figures it out turns it into an easily used app and releases it zero day for the lulz.
Basically the only defense you'd have is the anti-money laundering / tax system i.e. people being constantly asked to prove that they acquired their wealth legally, which is hardly optimal.
Bitcoin and such don't have this issue because the records are auditable. I used to work on a blockchain system that was going to use SGX to achieve the same sort of thing, though that project never made it that far unfortunately. We were careful to design a setup in which breaches of the enclave only sacrificed privacy but not integrity, although a setup in which the enclaves manage everything including integrity is a lot easier to build.