An official blog post written by Zcash marketing director Josh Swihart, director of product security Benjamin Winston, and engineer Sean Bowe details a counterfeiting vulnerability that would have allowed an attacker to create unlimited fake Zcash tokens without being detected. The vulnerability, however, was snuffed out in October 2018 during the company's network hard fork known as Sapling.
On March 1, 2018, Ariel Gabizon, a cryptographer for Zcash, found the bug in the construction of the zk-SNARK proofs used in the original 2016 launch of Zcash. zk-SNARKs are the zero-knowledge proofs the privacy-heavy coin uses to shield transactions: the transaction data is encrypted on the blockchain while the network can still verify that each transaction follows its consensus rules.
According to the blog post, if the vulnerability had been found by a malicious actor, the attacker could have created "counterfeit shielded value" in any system that was using zk-SNARK parameters. An attacker would have needed information found in Zcash's multi-party computation (MPC) protocol transcript, which was made available after the coin's launch. Zcash removed the transcript from public availability under the cover story that the transcript was missing due to "accidental deletion."
Ultimately, it was decided that the vulnerability would be taken care of in the October 2018 Sapling network upgrade, which also made shielded transactions less computationally heavy and the currency easier to use. In November 2018, Zcash contacted Horizen and Komodo, which were both using zk-SNARK parameters. While Zcash did not disclose the specifics of the bug, it recommended that the two companies upgrade their systems.
The problem and its solution were not reported by Zcash until yesterday, February 5, in order to "protect against it being exploited prior to its remediation, and to provide information and remediated code to other projects that were also vulnerable." Though the vulnerability had existed for years, Swihart, Winston, and Bowe believe that no counterfeiting occurred because discovering the bug required "a high level of technical and cryptographic sophistication that very few people possess."
While that might sound like Zcash just negged the crypto community by describing why it believes the zk-SNARK bug was never used, let alone found, Zcash's handling of the situation was viewed in a positive light by many. Most notably, NSA whistleblower Edward Snowden took to Twitter to praise the team for finding the bug before any money was lost.
In June 2018, Vitalik Buterin tweeted about a hypothetical instance in which a hack of the zk-SNARK scheme occurred and counterfeit coins were made. Specifically, Buterin wondered in his thread how that sort of catastrophe should be handled. Zcash was able to find the bug before any hack, but now we know how to handle this kind of situation: Just don't say anything until you're really sure you've fixed it.