Proof of Work #54
Hi from Boston and thanks for reading.
Quick note for newcomers: the projects which are featured in PoW are not my portfolio companies, but rather just a list of projects I think are interesting, less than 30% of which I’m also an investor in. I am by no means giving investment advice here! Regularly shipping cool stuff is necessary but not sufficient to be a good investment, and the only way to get listed in Proof of Work is to be working on something that’s truly interesting. Offering free tokens (multiple projects have tried!) is very much not the move.
A counterfeiting vulnerability was revealed by the Zcash team yesterday—the vulnerability was actually discovered by Ariel Gabizon (formerly a Zcash team member, and according to some folks there one of the absolute best people in the world at finding extraordinarily well-hidden bugs in encryption schemes) 11 months ago but was not disclosed while a fix was worked on. I delayed this PoW to be able to give a full writeup of this bug.
I’m not going to even attempt to explain the details of the bug—it was so obscure that it managed to evade every single member of the Zcash team and many other teams using the work in the BCTV14 proof generation paper from Ben-Sasson et al., and I’m not going to do it justice here. You can read about it in technical detail in the Zcash Company’s post, or in the addendum to the paper.
Instead I’ll run through the potential implications of the bug, how it has been and will be dealt with, and what this means for privacy and for cryptocurrency disaster recovery.
In a sentence, this bug potentially allows someone to create ZEC coins from thin air within a shielded pool. This type of “counterfeiting bug” is much worse in Zcash than it would be in e.g. Bitcoin, because there is no simple way to audit the total supply of ZEC, so a counterfeiter could potentially go undetected long enough to actually spend some counterfeit coins. A small complication is that Zcash upgraded their node software from “sprout” to “sapling” fairly recently, so there are actually three types of Zcash addresses at the moment: Sprout shielded pool (old shielded), Sapling shielded pool (new shielded), and transparent pool, which is very similar to Bitcoin and has no privacy features. This bug only enables counterfeiting of Sprout shielded coins, not Sapling ones, so we can be sure that the Sapling shielded pool is “clean” and of course that the transparent pool is clean—we just aren’t sure if the Sprout shielded pool secretly has a bajillion counterfeit coins lurking in it.
However, from a practical standpoint, that’s very unlikely. This bug was truly an obscure one, and it also required access to a transcript produced by the initial Zcash setup ceremony which was surreptitiously taken down when this bug was discovered, and was downloaded by very few people before that occurred.
Further, a mitigation to this attack exists: to move coins from the older Sprout shielded pool to the newer Sapling pool, one must first “rotate” through the turnstile of a transparent address. That allows an observer to count coins coming in and out and make sure that we haven’t exceeded the expected total because of counterfeited coins. One option would be to add a consensus rule that renders any coins leaving the Sprout shielded pool unspendable if they exceed the total—the downside of this is that it becomes a bit of a game of musical chairs. If there are indeed counterfeited coins lurking, then the counterfeiter would rapidly move them to transparent addresses, effectively burning all the real coins left in the old shielded pool.
Another option would be to just wait and see if any counterfeiting occurred, and if it did, to roll back the transaction(s) that moved the coins out of shielded Sprout and render that entire pool unspendable.
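The turnstile count described above, modelled as an added example (not code from the Zcash team or from this newsletter): an observer replays constructed pool entries and exits, flags the first exit that overdraws the pool, and records what the proposed consensus rule would render unspendable. The transaction labels and amounts are constructed, and the scenario shows the “musical chairs” problem, where the rule voids the last honest exit rather than the counterfeiter’s.

```python
"""Turnstile audit for the Sprout shielded pool, as described in the text above.
Every coin entering or leaving Sprout passes a transparent address, so an observer
can keep a running balance (shielded minus unshielded). If an exit would push it
negative, more value left the pool than ever entered: counterfeiting detected.
All sample data here is constructed; none of it is real Zcash chain data."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PoolMove:
    txid: str       # constructed label, not a real transaction hash
    direction: str  # "shield" (transparent -> Sprout) or "unshield" (Sprout -> transparent)
    zatoshi: int    # amount in zatoshi (1 ZEC = 100_000_000 zatoshi)

@dataclass
class AuditResult:
    pool_balance: int               # value the observer can still account for in the pool
    first_violation: Optional[str]  # txid of the first unshield that overdrew the pool
    unspendable: List[str] = field(default_factory=list)  # exits a consensus rule would void

def audit_turnstile(moves: List[PoolMove]) -> AuditResult:
    """Replay pool entries and exits in chain order and flag any overdraft.
    Models the consensus-rule option from the text: every unshield that overdraws
    the pool is recorded as unspendable. The rule cannot tell counterfeit coins
    from honest ones; whichever exit comes after the pool is drained gets voided."""
    balance = 0
    result = AuditResult(pool_balance=0, first_violation=None)
    for m in moves:
        if m.zatoshi <= 0:
            raise ValueError(f"{m.txid}: amounts must be positive")
        if m.direction == "shield":
            balance += m.zatoshi
        elif m.direction == "unshield":
            if m.zatoshi > balance:
                # More value leaving than was ever put in: counterfeiting detected.
                if result.first_violation is None:
                    result.first_violation = m.txid
                result.unspendable.append(m.txid)
                balance = 0  # nothing accountable remains in the pool
            else:
                balance -= m.zatoshi
        else:
            raise ValueError(f"{m.txid}: unknown direction {m.direction!r}")
    result.pool_balance = balance
    return result

# Constructed "musical chairs" scenario: honest users shield 3 ZEC in total; a
# counterfeiter (whose minting is invisible inside the pool) exits 3 ZEC first, so
# the honest user's later 1 ZEC exit is the one the turnstile flags and the rule voids.
MUSICAL_CHAIRS = [
    PoolMove("tx-honest-shield-1", "shield", 200_000_000),
    PoolMove("tx-honest-shield-2", "shield", 100_000_000),
    PoolMove("tx-counterfeit-exit", "unshield", 300_000_000),  # passes: balance covers it
    PoolMove("tx-honest-exit", "unshield", 100_000_000),       # flagged: pool already drained
]

if __name__ == "__main__":
    r = audit_turnstile(MUSICAL_CHAIRS)
    print(f"accountable balance: {r.pool_balance}, first overdraft: {r.first_violation}")
    print(f"exits a consensus rule would render unspendable: {r.unspendable}")
```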
It’s important to note that no one I’ve talked to, including people who really dislike Zcash for a variety of reasons, thinks that this vuln was actually exploited. But the potential is a nasty one, and it potentially suggests that the Bitcoin Core team’s resistance to implementing strong privacy features on the base layer of BTC is not without reason. Another interesting discussion that came out of this bug was whether it’s better for a privacy coin to fail by losing privacy but keeping balances, or fail by maintaining privacy but losing balances (this is a real tradeoff in many privacy systems). Interestingly, most of the folks I spoke with preferred that a privacy coin erase their balances rather than reveal their spending—the logic being that anyone using a privacy coin has strong reasons to prefer no one can see what they are spending it on. I’m not sure I agree with this, but the intuition is an interesting one.
I continue to be insanely excited by this space on both a technical and social level. The last Proof of Work prelude that contained some thinking about how crypto could be used to resist unjust government seizures that often precede genocides got an incredible amount of feedback and we’re working on putting together a seminar on this topic—stay tuned.
Finally, I read this interesting article by the Neutral team about how clever traders broke Huobi’s meta-stablecoin—adversarial thinking is one of the hardest things to learn, and one of the most crucial skills to have in this industry.
Bitcoin & Others
Tony from Kadena
The Pact (smart contract language) testnet is now live with real-time linting (in-editor error reporting)
Launched Pact module explorer, which lists available functions and a dialog for quickly calling functions
Released Pact live property checking while typing so any failed properties will display as warnings
Emily Pillmore, Pact lead maintainer, gave a lightning talk on Pact at Stanford Blockchain Conference
Emily also spoke on a panel at Grincon sharing "Perspective on Grin Use Cases"
New blog post on Chainweb 101 and FAQs about Kadena's public PoW blockchain in development
Deployed free "community edition" of Kadena's enterprise blockchain on AWS Marketplace
Daniel from Grin
18 Pull Requests were merged in the past week, by 10 unique contributors.
Grin v1.0.1 is out.
It took a small little nudge but Yeastplume's funding has now been closed. Thanks to all the supporters for contributing to the project.
Meanwhile @yeastplume has been hard at work getting Grin running on windows.
@quentinlesceller gave a Grin talk at Stanford Blockchain Conference.
Governance meeting notes: Fund transparency report, Promoting continuous donations, Grin stackexchange
Who will buy the first Grin pizza, you ask? Sheesh, we got our own pizza delivery service up in this.
Oh and we got forked. Twice. In the same day! And then the two forks started trash talking one another. ツ [ed: lol]
Berlin meetup this week on Feb 7 - come say hi!
More Grin info here.
Jimmy on Bitcoin
Bitcoin Developer Network article about node analytics and how to play with that data
MiniScript, Pieter Wuille’s idea of a more easily composable subset of Bitcoin Script. [ed: Bitcoin scripts can be used for some really cool things, but are currently underused. This is an attempt to fix that]
Sporks, probabilistic Soft Forks, interesting analysis from Jeremy Rubin on how to smoothly activate soft forks and avoid situations like what happened around Segwit.
Aviv from Spacemesh
Gossip network protocol validation
Additional Hare protocol tests
Implemented Hare protocol Oracle for testing
As preparation for our test network, added broadcast API call
Devs Community Sync #2 live AMA via Youtube
Hare Protocol description in the Spacemesh protocol repo: an implementation of Synchronous Byzantine Agreement with Expected O(1) Rounds, Expected O(n²) Communication, and Optimal Resilience
JZ from Decred
Version 1.0 of the Decred Android wallet has been released!
A new alpha has dropped for dcrdata as well and it's looking quite slick.
Johnny from Stellar
CAP-0005, a combined set of changes that rationalizes how we throttle the network and also makes it easier for clients to craft transactions that will make it into a ledger even when network fees are changing rapidly, has been finalized and is ready for implementation. It hasn't been formally scheduled yet.
CAP-0006, which introduces the ManageBuyOffer operation with functionality similar to the ManageOffer operation except that the amount is specified in terms of the buying asset instead of the selling asset, is pending some final changes before being marked as finalized.
The CAP/SEP process has received some larger updates that are currently in review. We're open to any feedback regarding the process, and it's absolutely still open to evolution over time.
Currently there are three different proposals around fee mechanism (especially with regard to pre-auth transactions): CAP-0010, CAP-0015, and the discussion here brought up by David Mazieres (pre-draft).
10.3.0 will focus on performance particularly at the database level.
Currently working on roadmap for the upcoming year along with the platform team.
Mahoney from Coda
We welcomed Jiawei Tang to the team as a new protocol engineer.
Paul wrote an RFC that details what to do in each situation in our protocol when we detect a misbehaving peer.
Corey mocked the hashing code during testing to speed up integration tests by an order of magnitude.
Deepthi landed a change to enable cheaper (in US dollars per hour) snark workers to process transactions in our network.
Paige & Zooko from Zcash
Final review and merging of tickets going into upcoming 2.0.3 release
Fixing issues in zcashd for zcash bitcore/insight libraries support
Ironing out CI system for Windows support
2018 audit results of Overwinter and Sapling upgrades are now published [ed: nothing exciting, which is good]
The Foundation opened up applications for Zcon1 [ed: last conf zcon0 was one of the best conferences of the year]
Diego and Riccardo from Monero
No update, update coming next week.
Smart contracting platforms
AJ from Tezos
Implement a Multi-Sig smart contract in Tezos; using ReasonML with this walkthrough
Improving Tezos storage for nodes -- Gitlab branch is now available for testers
Learn more about Marigold -- a layer 2 scaling solution for Tezos
Introducing two new features for Tezos node: Snapshots and History mode
Evan from Ethereum [ed: Evan’s newsletter also great]
Layer2: Plasma Group launches. Here’s the spec of their PlasmaCash variant. As well as the client, and the deployer to run your own. Also, cool: FunFair’s data shows that they get 100x scaling with state channels
Eth1: Görli cross-client testnet launches! Here's the block explorer.
wrapped BTC (wBTC) is now live on Ethereum's mainnet
Myles from EOS
A number of high-profile teams have collaborated to build the dGoods token standard for digital items on EOS
The Bancor/LiquidEOS team offers a first look at their LiquidApps scaling solutions
Cypherglass debuts the EOS Name Service to buy custom EOS usernames
Everything EOS now has a developer-focused video series
Zaki from Cosmos
Binance Chain joins the Cosmos Technology Ecosystem
Kate and Dean from Agoric
Reentrancy bugs keep showing up again and again in smart contracts, and most recently even caused Ethereum’s Constantinople update to be delayed. This week we released a medium post on how to prevent this entire class of bugs (interleaving hazards) for good. The solution is eventual-sends, which allow you to call a function asynchronously and receive a promise. Not only do eventual-sends solve interleaving hazards—they also make it much easier to design cross-blockchain, cross-shard communication.
Dean gave a talk at the Stanford Blockchain Conference on how to solve the train-hotel problem. Rather than trying to do an atomic transaction with a synchronous model, we instead asynchronously get covered call options, make a local decision on which options to exercise, and asynchronously actually exercise them. (Slides here, video to come).
Antonio from dYdX
Brendan from Dharma
Coulter from MakerDAO
Bass from MARKET Protocol
January was a big month for our beta exchange MPX! We made a number of significant improvements, which we have not yet released: refactored internals and UI to support a 0x relayer, improvements to wallet UI, redesigned user on-boarding flow, and a new user home page and dashboard
Robert from Compound
Layer two and interoperability
Tieshun & Boyma on Handshake
Boyma gave an awesome talk about the new type of authenticated data structure that Handshake uses, Urkel Trees.
Anthony from Namebase thought a bit about some potential anti-squatting measures.
Dylan released FistBump, an open source search tool for Handshake domains
Paul from Veil
Updated the Veil leaderboard to feature weekly performance as well as all time performance.
Updated the Veil order form to include clear payout calculations. Try it out in any market on Veil.
Added a feature to let users keep their activity private. Update your own settings now.
Added spot prices to market trade history graphs. Example: see trade price transposed on spot price of REP.
Added additional reporting instructions on Veil data feeds. See an example.
Open-sourced a sample market making tradebot for Veil.
Rahul from 0x
Will gave a talk at AraCon: "Using Metamodels for Cross-blockchain Governance"
January Dev Update: smart contract tools for the broader ecosystem, more Python packages, and lots of research (TEC, Selective Delay, Continuous Time Matching, TEC Compatibility with Forwarding Contract)
Janine from Liquidity.Network
Our Tech Road Map for the first half of the year has been published and includes exclusive details on the new mainnet hub, mobile app v2, DEX mainnet release and much more.
NOCUST Client library documentation updated and now available for developers to use at docs.liquidity.network
Deployment of improved contract with new features on rinkeby testnet.
Dong Mo from Celer
We've completed the implementation of OSP multi-server scalability
We had significant progress on the coding of the new OSP protocol and duplex channels
We are working on the WebSocket-based SDK, and have completed its server framework
We significantly reduced the cost of the on-chain dispute process
Alexandra from Parity Technologies
Substrate Collectables tutorial released.
Aragon announced that they will deploy aragonOS on Polkadot.
Web3 Foundation announced a grant to Chainsafe to build a Polkadot runtime environment in Go.
Robonomics used Substrate to build a blockchain that controls robots.
Going to ETHDenver? We'd love to see you at our meetup with Chainsafe.
Doug from Livepeer
Completed "Minimum Viable Streamflow" development and testing milestone, implementing the protocol update for reducing costs and increasing reliability for video transcoding on Livepeer's network.
Spec'ed out "Scaled Streamflow" milestone, which assumes adversarial conditions and double spend prevention in the probabilistic micropayments scheme on a public network.
Ryan from FOAM
Finalizing a new email notification and subscription functionality to the FOAM Map for alerts if your point has been challenged or if you need to reveal a vote
Started work with Blocklytics on a new leaderboard feature for the FOAM Map to be launched at the end of this month
Developing a new heat map layer for the Map to better explore Signals
Released a summary of Dynamic Proof of Location — FOAM Community Call, Jan 24th
Released a new Reading List on Location Data Mishandling
Announced the NYC Blockchain Showcase event with MakerDAO and Relevant. We will be launching the second NFT Treasure Hunt game on the Map alongside this event.
David from Sia
Renter compatibility: ChrisSchinnerl worked on the code that will migrate the old metadata of renters to the new Sia file format. Empty folders on the renter directory will be cleaned up during the migration. A bug was fixed.
File repairs (work in progress): MSevey is currently working on finishing the file repair code. He is fixing bugs and improving the code that detects files needing repair and file chunks being stuck during the upload.
Release progress (1.4.0): The dev team considers it probable that the Release Candidate version of 1.4.0 will be published this week among contributors for beta testing.
Stats: 1 Nebulous repo was updated. 1 issue was created. 2 MRs were merged. GitLab user ChrisSchinnerl had code contributions merged into Sia. Also, users MSevey and lukechampine worked on MRs not yet merged.
From the community: The Goobox Team introduced their free file sharing solution that allows you to upload files using a web interface. Files can be easily shared using a link and an optional password. Data is stored on the Sia network, so files are shredded, encrypted and distributed across the Sia hosts around the globe.
Michael from Loom
Includes new login system (use existing Loom.Games account, deck data synced across devices, no login required for solo matches), revamped in-game tutorial, improved connection stability and how the server handles disconnection errors, improved AI Overlord’s behavior, added new batch of cards, game animation enhancements, and several bug fixes
Latest video tutorial on the Loom Transfer Gateway, covering how to transfer ERC20 and ERC721 tokens from Ethereum mainnet to a Loom sidechain, and vice versa.
The first external validator on PlasmaChain is live in production!
Ari from Decentraland
Builder now includes out-of-bounds detection, top-bar controls, improved undo action, and first-person view. We’re currently working on item rotation and support for the Creator Contest.
Finishing the API for the Client UI, adding XML support to the SDK 5.0, conducting visual tests in the Unity Client, and updating to the latest Kronos plugin (adding support for GLTF).
Completing the Estate transfers to each District.
Adding support for a bidding feature to the Marketplace. The proposal has been sent to auditors, and we’re working on an improved frontend UX
We’ve also just completed an internal hackathon for the SDK 5.0, with the winner to be announced next week!
Bowen from Hydro/DDEX.io
Hydro Protocol SDK new version: A client for interacting with the Hydro API
Launched DDEX mobile App 1.2.1 with full Ledger support
Sam from OpenBazaar
We are rebasing IPFS on the server side. This rebase allows relay support, which will improve connectivity within the OpenBazaar network.
Work continues to integrate Ethereum into the application. Because OpenBazaar was originally built for Bitcoin and Ethereum expects different levels of precision, we are working to make them compatible. The wallet integration is completed and is in testing now.
Some minor features and bug fixes are being worked on for the next release (2.3.1), including the ability to do bulk listing updates.
Work continues on the Haven mobile app, built on OpenBazaar. Private testing has begun.
The OpenBazaar team will be attending TABConf in Atlanta from Feb 8-10 with a booth and a live demo of the mobile app.
Martín from Zeppelin