May 15, 2019

Veil — the libzerocoin exploit, security measure, and the future

In this article, we will explore the recent Zerocoin exploit and how that affects Veil’s future.

As you are likely aware, Zerocoin-reliant projects, including Veil, have recently been impacted by the discovery of an exploit in the libzerocoin library, the basis for the Zerocoin protocol. This article delivers an overview of the situation, as well as some insight on our plans for Veil moving forward.

Zerocoin exploit surfaces

On March 3rd, an attack was identified on the PIVX network in which zerocoins were being spent through a bug exploit. The exploit, termed the ‘wrapped serial exploit’, did not impact or apply to Veil; it revolved around serials being spoofed to spend non-existent zerocoins on the back of an implementation flaw. An in-depth breakdown of the wrapped serial exploit can be found here.

On April 9th, a second Zerocoin exploit was identified when Zcoin discovered they were under attack. The vulnerability, which was found to apply to all projects reliant on the libzerocoin library, was quickly shared between development teams, and a combined force of developers got to work on producing solutions. All the while, the Veil network was being closely monitored to thwart any attempted exploits, though none were found.

On April 26th, Veil committed GitHub changes including the security measure, which removes the vulnerability from Zerocoin at the cost of minting anonymity. Note that this anonymity loss is not retroactive, so all zerocoin denominations minted before the change remain anonymous until spent. This security update was quickly released as version 1.0.3.0. If you have not updated your wallet to version 1.0.3.0 by now, be sure to do so here.

At the time of this article’s publication, Zerocoin is not providing anonymity to Veil users. Veil still provides anonymity in the form of RingCT, so non-zerocoin Veil transactions remain private. Users wishing to continue minting zerocoin denominations for staking pseudo-anonymously can do so by minting from RingCT as a workaround; just remember that successfully staking isn’t private while the security measure is active.

Once affected projects had taken measures to protect their networks, Zcoin released a cryptographic description of the attack on April 30th, which can be found here.

Determining a temporary Zerocoin fix

While some initial talk online suggested Zerocoin is not fixable, the reality is that, being math and code, it is. Some potential fixes, such as those listed by Zcoin in the cryptographic breakdown, those further developed here, and others, have been carefully considered since the time Zcoin first reached out to Veil. The computational resources these fixes demand, however, are currently in excess of what Veil targets for its long-term solution.

Because these solutions are unsatisfactory for the long term, it’s been determined that, rather than heavily sinking resources into salvaging the poorly aging Zerocoin protocol, the fix will only be temporary. The best course of action for this interim fix is currently being vigorously investigated.

We’ve also altered our plans with Least Authority, who were previously slated to audit Veil’s code, to instead have their assistance as independent consultants on the Zerocoin fix. This will ensure solutions moving forward withstand additional scrutiny, and will shorten development time. Due to this change, the Veil code audit has been postponed until a later date.

Future protocol and conclusion

As Veil’s development team have determined Zerocoin has, with its security flaws, proven unsatisfactory as Veil’s primary privacy protocol, a new long-term solution has been under careful consideration. As previously mentioned in a recent update, the next privacy protocol Veil moves to will need to meet certain criteria:

  • Full-time privacy
  • Only private transactions (one coin type)
  • Private mining via the X16RT algorithm
  • Private staking
  • IP privacy (Dandelion)
  • Fast transaction validation
  • Minimized transaction sizes
  • No denominations

Research to this point has brought us to a shortlist of candidates, all of which are more recent developments in SNARK cryptography that, from initial investigation, show great promise. Cryptography, however, is not simple, and while something may appear sound and applicable in theory, careful investigation is still needed to determine the best fit for Veil.

While we’re currently determining which long-term protocol to move forward with, wallet and Zerocoin updates will continue regularly, with development now more robust than ever. We at Veil are determined to continue providing updates as often as we are able to do so confidently, and questions are always welcome over on the Veil Discord.
