At the request of Zcash Company, the team at Least Authority had the opportunity to provide security consulting services on Zcash’s major 2018 releases. This included auditing Zcashd v1.0.15 (as part of the Sprout 1.0.x series), reviewing and providing feedback on the Overwinter and Sapling Specifications for future implementation, and a security review of the Sapling Implementation and RPC Interface changes following the latest release. This approach allowed Least Authority to look at the evolving life-cycle of Zcash’s codebase for the entire year – allowing us a more holistic approach to the reviews as we worked through design specifications, follow up releases of the codebase, and the changes and iterations that took place thereafter.

Audit #1: Zcash Implementation Analysis (1.0.15) and Overwinter Specification Review

At the time of this audit in February – March 2018, Sprout was the live implemented version of Zcash. Overwinter was the first network upgrade of Zcash, activated and released in June 2018, and included changes such as versioning, replay protection for future forks, in addition to some performance improvements.

Our team for this audit – Jack Lloyd, Ramakrishnan Muthukrishnan, James Prestwich, Emery Rose Hall and Dominic Tarr – conducted a security analysis focused on investigating the protocol design, cryptographic constructions, consensus rules, and implementation details. The security issues identified were outlined in our initial audit report issued on March 29, 2018. This was followed by a verification phase to ensure that all issues were appropriately addressed by the Zcash team, prior to delivering a final updated report on May 29, 2018.

Although Zcash has been around for a considerably short time, our team was appreciative of the apparent significant effort that was applied into good programming practices and detail-oriented specifications. The contributing team at Zcash had clearly done its due diligence during the design stage – a practice and an effort that the team at Least Authority strongly stands behind. Overall, we identified a few issues, but found both the Sprout code and Overwinter Specification to be well thought out, reflecting a high quality design.

Audit #2: Zcash Overwinter+Sapling Specification

In a follow up review, the Least Authority team performed an audit of the Sapling Specification in preparation for the release of Sapling’s changes to the Zcash cryptography and consensus protocols. We reviewed the Zcash Protocol Specification: Version 2018.0-beta-20 [Overwinter+Sapling], looking for the potential security issues and vulnerabilities, along with performance problems, consensus failures, and game-theoretic issues.

The team performing this audit – Ramakrishnan Muthukrishnan, James Prestwich, and Jean-Paul Calderone – conducted a thorough investigation of the spec and, with the exception of two minor issues, were unable to identify any significant or notable threats or vulnerabilities. The initial report was issued on June 13, 2018 followed by a verification phase and a final report delivered on August 17, 2018. There was a slight delay in finalizing the report to allow for further analysis and discussion of the specification following Zcash’s decisions to push back Sapling release plans. No significant changes were made to the report during this delay.

Audit #3: Zcash Sapling Implementation / RPC Interface

For the last audit of 2018, our team – Emery Rose Hall, Dominic Tarr, Chris Wood, Ramakrishnan Muthukrishnan, and Jean-Paul Calderone – performed a security review of the changes and updates made to the second implementation of Sapling in addition to the changes made to the Remote Procedure Call (RPC) Interface. This second Sapling implementation analysis and code review is the third in the series and incorporated both past and new security concerns. It also followed the review of the specification which highlighted the changes made to Zcash’s cryptography and consensus protocols, allowing the team a more comprehensive understanding of the codebase and the changes it contained.

This review followed the most recent Sapling release on October 29, 2018. The audit was performed from November 12 – December 14 and an initial report was issued on December 20, 2018. In our report, we identified and reported five security issues and made one suggestion, which are currently being addressed by the Zcash team. These recommendations can be currently found as open issues on the Zcash GitHub project.

An updated report was issued on January 29, 2019 reflecting that the security issues called out in the initial audit report have been opened on Github and are in the public domain. A final report will be issued and published following the discussion and verification phase once the issues have been addressed and closed in 2019.