Veil has successfully sealed an exploit that was uncovered in August 2019. The fix was a two-part process. The first part patched the security flaw in the Zerocoin protocol that the attacker was able to exploit; no further attacks have taken place since. The second wallet release (available here) restores trading on exchanges for Veil users and traders.
The short version of the update changes is:
Zerocoin zero-knowledge proofs removed, lowering spend size and increasing spend-times
Ill-gotten funds have been blacklisted and restricted from exchange trade
Stolen balances from zerocoin accumulators once again available for owners to spend
Other security and protocol-level changes
What can you do now to update?
Veil wallet release v18.104.22.168 is now available. Please note that users who have updated only to version 22.214.171.124 will need to update again to the mandatory 126.96.36.199 or above as soon as possible. Note that versions 188.8.131.52 and 184.108.40.206 were not mandatory updates, but included changes to help users struggling to synchronize with the network. Wallets that have not updated by block 336000 will have forked and will need to resync with the network upon updating. Instructions on how to resync properly can be found here.
The Zerocoin exploit
Recap of events
The recent exploit to which Veil fell prey employed what project architect Presstab called ‘a mutation of an attack seen elsewhere earlier this year’. The exploit involved the attacker inflating the redemption value of their zerocoin, redeeming legitimate proofs associated with 10 veil denominations for higher denominations in their stead.
August 16th: 4x13 announced to the team that he was certain we were under attack after carefully monitoring the network for some time. Unfortunately, the exploit took place gradually over time, only becoming readily apparent with larger changes to the network and an extended period of unusual trading taking place on the Vinex exchange. The Vinex exchange was in no way complicit in this attack, and was very helpful in resolving the issue.
The Veil team promptly reached out to exchanges and services to halt all trade activity as a security measure. We apologize for the inconvenience to users, but this was a necessary step in combating the attack.
August 17th: Exchanges had all taken measures to stop trading by suspending deposits and withdrawals, halting trading altogether, or disabling Veil-specific pages on their websites. Developers had narrowed in on the vulnerability and investigated the best fix.
August 18th: The source for the first mandatory update’s fix was released on GitHub as 220.127.116.11 and successfully patched the exploit, with no further attacks occurring since.
August 19th: The binaries for the fix were released on GitHub as 18.104.22.168 following the earlier source.
August 31st: The second update restored the ability to spend from accumulators hit by the ill-spent zerocoin, once again allowing them to be spent by their rightful owners. This update also blacklisted what remained of the stolen veil, though this was not announced at the time so as to keep the attacker in the dark as long as possible and, hopefully, limit their ability to panic sell tainted coins. For details on blacklisted coins see the section below.
Note: There have been versions available around the first and second mandatory updates aimed at aiding struggling nodes to sync with the network properly, though these were not mandatory.
The attack, as mentioned, relied on the attacker redeeming their own zerocoins at a higher value than intended, which served to inflate the coin supply in the process. While this means nobody’s veil was stolen, and all user funds remain safe, the supply did jump by 12,441,690 veil ahead of emission schedule. Of these, approximately 9,000,000 were sold across exchanges on several accounts. From the remainder, 282,125 basecoin, 46,810 zerocoin, 29 unspent stealth outputs (of undetermined value), and over 5000 RingCT outputs (also of undetermined value) were blacklisted and so cannot be traded.
A more detailed explanation of the attack and damage can be found from Presstab on the releases page of GitHub.
While exchanges and services have been technically able to resume trading of veil as of block 336000, a short delay pending developer approval was necessary. The delay was to ensure no blacklisted coins could find their way into exchange holdings before ample nodes have updated and successfully synchronized with the network. The Veil team is ensuring exchanges are updated and aware of this. With stability now confirmed by developers, trading should resume in a relatively synchronized manner across platforms, and has already opened on several, including Vinex.
Along with the blacklisting, additional changes are being introduced to balance Veil’s emission schedule and protect against artificial inflationary pressure introduced by the recent attack.
Removal of Founder’s Reward
The Founder’s Reward portion of the budget will be burnt from years 2 through 5. This burning serves as a means of balancing the inflation caused by the attack, keeping emissions close to projections by offsetting 10,020,000 ill-created veil.
The burning of unallocated main budget funds to cover the remaining inflation will also take place, with 2,100,000 veil being removed from circulation. This portion of the budget was an excess beyond operational costs, always intended to be available in case of a sudden need. The burning of these funds therefore does not negatively impact operations in any way.
Additional wallet updates
Along with the security measures included in this recent release, additional changes have been implemented to the Veil wallet, particularly in the area of Zerocoin.
Precompute has been removed
Precomputing will no longer be required as Zerocoin computations have been significantly reduced. This change follows the removal earlier in the year of the privacy aspect of Zerocoin, and goes a long way to reducing resource costs and spend-times on all machines. Note that the precompute toggle on the GUI is still present, but no longer serves a purpose and will be removed in a future update.
Zerocoin spends have been reduced by around 50%
The size of the blockchain for Veil has grown significantly since launch at the start of this year. Most of this size has come from Zerocoin spends, which previously included proofs that needed storing and calculating. Zerocoin, now with privacy disabled, no longer needs these proofs. This reduction in size will greatly decrease projected storage use by the blockchain moving forward as we phase zerocoin out from Veil entirely.
PoS protocol changes
The entropy associated with Veil’s Proof-of-Stake consensus has been modified to protect further against stake grinding attacks on the network. This is achieved by reducing predictability of the PoS modifier at a point in the future. A detailed explanation can be found from Presstab on the releases page of GitHub.
Eligibility for staking has also changed from 200 blocks to 1000 blocks in this update. This is primarily a preemptive security measure against stake grinding along with the above, but will have nominal influence on user staking. The exact outcome of this is not something we can accurately test on the smaller test network, however, so users are encouraged to note their results and check in regularly for statistics to maximize their staking outcomes.
While the Zerocoin exploit has been very unfortunate, the Veil team has been working hard both to protect the network from attacks and to hasten the shift to full-time RingCT, and then to Sonic. The move to RingCT is not far off now, with an internal testnet environment imminent. It’s also not something we dare to rush, though, so we ask for your patience just a little longer.