Zcash rectifies vulnerabilities by re-releasing version 2.0.7-3 of Zcashd

The recent crash in the cryptocurrency market pushed several currencies down to their yearly lows. Privacy-focused coin, Zcash, was one of them as the coin recorded a yearly low of $35.38 on 27 September. At the time of writing, ZEC stood 29th on CoinMarketCap and was valued at $37.72, recording a 1.12% drop in its price over the last 24 hours.

In a recent update, the creator of the privacy-based altcoin, Electronic Coin Company [ECC], published a report revealing the release of version 2.0.7-3 of Zcashd. The company had previously released the same version. However, Florian Tramèr, Dan Boneh, and Kenneth G. Paterson had pointed out several issues pertaining to the said version. The trio had classified the same into two vulnerabilities, Reject and Ping. The latest available version of Zcashd is meant to address these very vulnerabilities.

As per ECC’s blog post, the Reject vulnerability, which was later named CVE-2019-16930, posed a threat to sapling addresses. This vulnerability is caused due to an “unhandled exception” in the wallet processing code. However, Zcashd fixed the same by altering the code to handle the exception. The ECC also wrote that it hadn’t encountered a problem like this.

The Ping vulnerability acted as intimidation to both sapling and sprout addresses and was labeled as CVE-2019-17048. This vulnerability is mainly prompted by the internal wallet code that processes new transactions, in line with the network code. The post further suggested that potential attackers would be able to derive the relationship between the transaction and the node, without the use of the victim’s address. Furthermore, the post read,

“The timing of the victim node’s response to the attacker’s probing transaction is enough for the attacker to determine if the victim peer has the viewing key loaded.”

Zcashd 2.0.7-3 now shelters a modified code that would yield wallet processing of new transactions on another thread. In an effort to avoid any compromise of privacy, logfile shrinking has been disabled in the latest version.

The Electronic Coin Company went on to ask users to upgrade to the fixed version, as the same has been made available.