Vulnerability CVE-2019-7167
Published: 2019-03-26 Modified: 2019-03-27
Description:
Zcash, before the Sapling network upgrade (2018-10-28), had a counterfeiting vulnerability. A key-generation process, during evaluation of polynomials related to a to-be-proven statement, produced certain bypass elements. Availability of these elements allowed a cheating prover to bypass a consistency check, and consequently transform the proof of one statement into an ostensibly valid proof of a different statement, thereby breaking the soundness of the proof system. This misled the original Sprout zk-SNARK verifier into accepting the correctness of a transaction.
Type:
CWE-20 (Improper Input Validation)
CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None
References:
http://fortune.com/2019/02/05/zcash-vulnerability-cryptocurrency/
https://github.com/JinBean/CVE-Extension
https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/
Copyright 2024, cxsecurity.com