Proof of Work #54

Hi from Boston and thanks for reading.

Quick note for newcomers: the projects which are featured in PoW are not my portfolio companies, but rather just a list of projects I think are interesting, less than 30% of which I’m also an investor in. I am by no means giving investment advice here! Regularly shipping cool stuff is necessary but not sufficient to be a good investment, and the only way to get listed in Proof of Work is to be working on something that’s truly interesting. Offering free tokens (multiple projects have tried!) is very much not the move.

A counterfeiting vulnerability was revealed by the Zcash team yesterday—the vulnerability was actually discovered by Ariel Gabizon (formerly a Zcash team member, and according to some folks there one of the absolute best people in the world at finding extraordinarily well-hidden bugs in encryption schemes) 11 months ago but was not disclosed while a fix was worked on. I delayed this PoW to be able to give a full writeup of this bug.

I’m not going to even attempt to explain the details of the bug—it was so obscure that it managed to evade every single member of the Zcash team and many other teams using the work in the BCTV14 proof generation paper from Ben-Sasson et al., and I’m not going to do it justice here. You can read about it in technical detail in the Zcash Company’s post, or in the addendum to the paper.

Instead I’ll run through the potential implications of the bug, how it has been and will be dealt with, and what this means for privacy and for cryptocurrency disaster recovery.

In a sentence, this bug potentially allows someone to create ZEC coins from thin air within a shielded pool. This type of “counterfeiting bug” is much worse in Zcash than it would be in e.g. Bitcoin, because there is no simple way to audit the total supply of ZEC, so a counterfeiter could potentially go undetected long enough to actually spend some counterfeit coins. A small complication is that Zcash upgraded their node software from “sprout” to “sapling” fairly recently, so there are actually three types of Zcash addresses at the moment: Sprout shielded pool (old shielded), Sapling shielded pool (new shielded), and transparent pool, which is very similar to Bitcoin and has no privacy features. This bug only enables counterfeiting of Sprout shielded coins, not Sapling ones, so we can be sure that the Sapling shielded pool is “clean” and of course that the transparent pool is clean—we just aren’t sure if the Sprout shielded pool secretly has a bajillion counterfeit coins lurking in it.

However, from a practical standpoint, that’s very unlikely. This bug was truly an obscure one, and it also required access to a transcript produced by the initial Zcash setup ceremony which was surreptitiously taken down when this bug was discovered, and was downloaded by very few people before that occurred.

Further, a mitigation to this attack exists: to move coins from the older Sprout shielded pool to the newer Sapling pool, one must first “rotate” through the turnstile of a transparent address. That allows an observer to count coins coming in and out and make sure that we haven’t exceeded the expected total because of counterfeited coins. One option would be to add a consensus rule that renders any coins leaving the Sprout shielded pool unspendable if they exceed the total—the downside of this is that it becomes a bit of a game of musical chairs. If there are indeed counterfeited coins lurking, then the counterfeiter would rapidly move them to transparent addresses, effectively burning all the real coins left in the old shielded pool.

Another option would be to just wait and see if any counterfeiting occurred, and if it did, then roll back the tx(s) that moved the coins out of shielded Sprout, and render that entire pool unspendable.
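To make the turnstile mitigation concrete, here is an added example (not Zcash’s code) of the supply check it enables: since shielded balances can’t be inspected, an auditor can only replay the value crossing the transparent turnstile in chain order, and a withdrawal larger than everything that ever entered the pool is proof of counterfeiting. The transaction records and the sample history are constructed for the example.

```python
# Added example, not Zcash code: a turnstile audit for a shielded pool.
# The pool can never legitimately pay out more than was ever paid in, so
# cumulative in/out flows bound its contents. Values are in zatoshi
# (1 ZEC = 10**8); the txids are constructed, not real Zcash txids.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tx:
    txid: str
    into_pool: int     # transparent -> Sprout value (JoinSplit vpub_old)
    out_of_pool: int   # Sprout -> transparent value (JoinSplit vpub_new)


@dataclass
class TurnstileResult:
    pool_value: int                  # upper bound on what the pool can hold
    violation: Optional[str] = None  # first txid that overdrew the pool


def audit_turnstile(txs: List[Tx]) -> TurnstileResult:
    """Replay txs in chain order and flag the first one that withdraws
    more than the pool could contain. A consensus rule like the one the
    text describes would treat that excess as unspendable."""
    pool = 0
    for tx in txs:
        if tx.into_pool < 0 or tx.out_of_pool < 0:
            raise ValueError(f"negative value in {tx.txid}")
        pool += tx.into_pool
        if tx.out_of_pool > pool:
            return TurnstileResult(pool, tx.txid)
        pool -= tx.out_of_pool
    return TurnstileResult(pool)


# Constructed history: two shielding txs, one honest unshield, then a
# withdrawal exceeding everything still in the pool (11 ZEC in, 12 out).
SAMPLE_CHAIN = [
    Tx("t1", into_pool=10 * 10**8, out_of_pool=0),
    Tx("t2", into_pool=5 * 10**8, out_of_pool=0),
    Tx("t3", into_pool=0, out_of_pool=4 * 10**8),
    Tx("t4", into_pool=0, out_of_pool=12 * 10**8),
]

if __name__ == "__main__":
    print(audit_turnstile(SAMPLE_CHAIN))
```

Note that this bounds the pool from the outside only: it can prove that counterfeiting happened, but it cannot tell which of the coins still inside are fake, which is exactly why the "musical chairs" problem arises.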

It’s important to note that no one I’ve talked to, including people who really dislike Zcash for a variety of reasons, thinks that this vuln was actually exploited. But the potential is a nasty one, and it potentially suggests that the Bitcoin Core team’s resistance to implementing strong privacy features on the base layer of BTC is not without reason. Another interesting discussion that came out of this bug was whether it’s better for a privacy coin to fail by losing privacy but keeping balances, or fail by maintaining privacy but losing balances (this is a real tradeoff in many privacy systems). Interestingly, most of the folks I spoke with preferred that a privacy coin erase their balances rather than reveal their spending—the logic being that anyone using a privacy coin has strong reasons to prefer that no one can see what they are spending it on. I’m not sure I agree with this, but the intuition is an interesting one.

I continue to be insanely excited by this space on both a technical and social level. The last Proof of Work prelude that contained some thinking about how crypto could be used to resist unjust government seizures that often precede genocides got an incredible amount of feedback and we’re working on putting together a seminar on this topic—stay tuned.

Finally, I read this interesting article by the Neutral team about how clever traders broke Huobi’s meta-stablecoin—adversarial thinking is one of the hardest things to learn, and one of the most crucial skills to have in this industry.

Bitcoin & Others

Tony from Kadena

  • The Pact (smart contract language) testnet is now live with real time linting (in editor error reporting)

  • Launched Pact module explorer, which lists available functions and a dialog for quickly calling functions

  • Released Pact live property checking while typing so any failed properties will display as warnings

  • Emily Pillmore, Pact lead maintainer, gave a lightning talk on Pact at Stanford Blockchain Conference

  • Emily also spoke on a panel at Grincon sharing "Perspective on Grin Use Cases"

  • New blog post on Chainweb 101 and FAQs about Kadena's public PoW blockchain in development

  • Deployed free "community edition" of Kadena's enterprise blockchain on AWS Marketplace

Daniel from Grin

Jimmy on Bitcoin

  • Bitcoin Energy Claims are BS

  • Bitcoin Developer Network article about node analytics and how to play with that data

  • Miniscript, Pieter Wuille’s idea of a more easily composable subset of Bitcoin Script. [ed: Bitcoin scripts can be used for some really cool things, but are currently underused. This is an attempt to fix that]

  • Sporks, probabilistic Soft Forks, interesting analysis from Jeremy Rubin on how to smoothly activate soft forks and avoid situations like what happened around Segwit.

Aviv from Spacemesh

JZ from Decred

Johnny from Stellar

  • CAP-0005, a combined set of changes that rationalize how we throttle the network, and also makes it easier for clients to craft transactions that will make it into a ledger even when network fees are changing rapidly has been finalized, and is ready for implementation. It hasn't been formally scheduled yet.

  • CAP-0006, which introduces the ManageBuyOffer operation with functionality similar to the ManageOffer operation except that the amount is specified in terms of the buying asset instead of the selling asset is pending some final changes before being marked as finalized.

  • The CAP/SEP process has received some larger updates that are currently in review. We're open to any feedback regarding the process, and it's absolutely still open to evolution over time.

  • Currently there are three different proposals around fee mechanism (especially with regard to pre-auth transactions): CAP-0010, CAP-0015, and the discussion here brought up by David Mazieres (pre-draft).

  • Release candidate for 10.2.0 is out. Much of the focus is on changes to the overlay (in particular, peer discovery among nodes). Will likely include a SCP fix for the final release.

  • 10.3.0 will focus on performance particularly at the database level.

  • Currently working on roadmap for the upcoming year along with the platform team.

Mahoney from Coda

  • We welcomed Jiawei Tang to the team as a new protocol engineer. 

  • Paul wrote an RFC that details what to do in each situation in our protocol when we detect a misbehaving peer.  

  • Corey mocked the hashing code during testing to speed up integration tests by an order of magnitude.

  • Deepthi landed a change to enable cheaper (in US dollars/ hr) snark workers to process transactions in our network.

Privacy coins

Paige & Zooko from Zcash

  • Final review and merging of tickets going into upcoming 2.0.3 release 

  • Fixing issues in zcashd for zcash bitcore/insight libraries support

  • Ironing out CI system for Windows support

  • 2018 audit results of Overwinter and Sapling upgrades are now published [ed: nothing exciting, which is good]

  • The Foundation opened up applications for Zcon1 [ed: last conf zcon0 was one of the best conferences of the year]

Diego and Riccardo from Monero

  • No update, update coming next week.

Smart contracting platforms

AJ from Tezos

Evan from Ethereum [ed: Evan’s newsletter also great]

Myles from EOS

  • A number of high-profile teams have collaborated to build the dGoods token standard for digital items on EOS

  • The Bancor/LiquidEOS team offers a first look at their LiquidApps scaling solutions 

  • secures two trademarks-- one for a social network called MEOS and another for an exchange called EOSX

  • Cypherglass debuts the EOS Name Service to buy custom EOS usernames 

  • Everything EOS now has a developer-focused video series 

Zaki from Cosmos

Kate and Dean from Agoric

Financial Infrastructure

Antonio from dYdX

  • No update

Brendan from Dharma

  • No update

Coulter from MakerDAO

  • No update

Bass from MARKET Protocol

  • January was a big month for our beta exchange MPX! We made a number of significant improvements, which we have not yet released: refactored internals and UI to support a 0x relayer, improvements to wallet UI, redesigned user on-boarding flow, and a new user home page and dashboard

Robert from Compound

  • No update

Layer two and interoperability

Tieshun & Boyma on Handshake

  • Boyma gave an awesome talk about the new type of authenticated data structure that Handshake uses, Urkel Trees.

  • Anthony from Namebase thought a bit about some potential anti-squatting measures.

  • Dylan released FistBump, an open source search tool for Handshake domains

Paul from Veil

Rahul from 0x

Janine from Liquidity.Network

  • Our Tech Road Map for the first half of the year has been published and includes exclusive details on the new mainnet hub, mobile app v2, DEX mainnet release and much more.  

  • NOCUST Client library documentation updated and now available for developers to use at

  • Deployment of improved contract with new features on rinkeby testnet.

Dong Mo from Celer

  • We've completed the implementation of OSP multi-server scalability 

  • We had significant progress on the coding of the new OSP protocol and duplex channels 

  • We are working on the WebSocket-based SDK, and have completed its server framework 

  • We significantly reduced the cost of the on-chain dispute process 

Alexandra from Parity Technologies

Application infrastructure

Doug from Livepeer

  • Completed "Minimum Viable Streamflow" development and testing milestone, implementing the protocol update for reducing costs and increasing reliability for video transcoding on Livepeer's network.

  • Spec'ed out "Scaled Streamflow" milestone, which assumes adversarial conditions and double spend prevention in the probabilistic micropayments scheme on a public network. 

Ryan from FOAM

  • Finalizing a new email notification and subscription functionality to the FOAM Map for alerts if your point has been challenged or if you need to reveal a vote 

  • Started work with Blocklytics on a new leaderboard feature for the FOAM Map to be launched at the end of this month 

  • Developing a new heat map layer for the Map to better explore Signals 

  • Released a summary of Dynamic Proof of Location — FOAM Community Call, Jan 24th

  • Released a new Reading List on Location Data Mishandling  

  • Announced the NYC Blockchain Showcase event with MakerDAO and Relevant. We will be launching the second NFT Treasure Hunt game on the Map alongside this event. 

David from Sia

  • Renter compatibility: ChrisSchinnerl worked on the code that will migrate the old metadata of renters to the new Sia file format: Empty folders on the renter directory will be cleaned up during the migration. A bug was fixed.

  • File repairs (work in progress) MSevey is currently working on finishing the file repair code: he is fixing bugs and improving the code that detects files needing repair and file chunks being stuck during the upload.

  • Release Progress: 1.4.0. The dev team considers it probable that the Release Candidate version of 1.4.0 will be published this week among contributors for beta-testing.

  • Stats: 1 Nebulous repo was updated. 1 issue was created. 2 MRs were merged. GitLab user ChrisSchinnerl had code contributions merged into Sia. Also, users MSevey, lukechampine worked on MRs not yet merged.

  • From the community: The Goobox Team introduced their free file sharing solution that allows you to upload files using a web interface. Files can be easily shared using a link and an optional password. Data is stored on the Sia network, so files are shredded, encrypted and distributed across the Sia hosts around the globe.

Michael from Loom

  • Released the latest Zombie Battleground build (0.1.11) for all platforms -- Android, iOS, Windows, macOS.

    • Includes new login system (use existing Loom.Games account, deck data synced across devices, no login required for solo matches), revamped in-game tutorial, improved connection stability and how the server handles disconnection errors, improved AI Overlord’s behavior, added new batch of cards, game animation enhancements, and several bug fixes

  • Latest video tutorial on the Loom Transfer Gateway, covering how to transfer ERC20 and ERC721 tokens from Ethereum mainnet to a Loom sidechain, and vice versa.

  • The first external validator on PlasmaChain is live in production!

Ari from Decentraland

  • Builder now includes out-of-bounds detection, top-bar controls, improved undo action, and first-person view. We’re currently working on item rotation and support for the Creator Contest.

  • Finishing the API for the Client UI, adding XML support to the SDK 5.0, conducting visual tests in the Unity Client, and updating to the latest Kronos plugin (adding support for GLTF).

  • Completing the Estate transfers to each District.

  • Adding support for a bidding feature to the Marketplace. The proposal has been sent to auditors, and we’re working on an improved frontend UX.

  • We’ve also just completed an internal hackathon for the SDK 5.0, with the winner to be announced next week! 

Bowen from Hydro

  • Hydro Protocol SDK new version: a client for interacting with the Hydro API

  • Launched DDEX mobile App 1.2.1 with full Ledger support

Sam from OpenBazaar

  • We are rebasing IPFS on the server side. This rebase allows relay support which will improve connectivity within the OpenBazaar network.

  • Work continues to integrate Ethereum into the application. Because OpenBazaar was originally built for Bitcoin and Ethereum expects different levels of precision, we are working to make them compatible. The wallet integration is completed and is in testing now.

  • Some minor features and bug fixes are being worked on for the next release (2.3.1), including the ability to do bulk listing updates.

  • Work continues on the Haven mobile app, built on OpenBazaar. Private testing has begun.

  • The OpenBazaar team will be attending TABConf in Atlanta from Feb 8-10 with a booth and a live demo of the mobile app.

Martín from Zeppelin

  • No update.