A Source Code Typo Allowed An Attacker To Steal $592,000 In Cryptocurrency

An anonymous reader writes: "A typo in the Zerocoin source code allowed an attacker to steal 370,000 Zerocoin, which is about $592,000 at today's price," reports BleepingComputer. According to the Zcoin team, one extra character left inside Zerocoin's source code was the cause of the bug. The hacker exploited the bugs for weeks, by initiating a transaction and receiving the money many times over.

"According to the Zcoin team, the attacker (or attackers) was very sophisticated and took great care to hide his tracks," reports the site. "They say the attacker created numerous accounts at Zerocoin exchanges and spread transactions across several weeks so that traders wouldn't notice the uneven transactions volume... The Zcoin team says they worked with various exchanges to attempt and identify the attacker but to no avail. Out of the 370,000 Zerocoin he stole, the attacker has already sold 350,000. The Zcoin team estimates the attacker made a net profit of 410 Bitcoin ($437,000)."

Steal?

[beernutmark]

I don't think steal is the right word in this context. The article doesn't state that anyone else lost their coins. More accurately would be "created", "unauthorized-mining", or perhaps most accurately "counterfeited"

Re:Steal?

Indeed, he profited from a loophole in the system, and it's unclear whether this was illegal. The question of legality probably depends on the terms of service for Zerocoin, and on the laws of the country where the "attacker" resides.

But in human societies, when a lone wolf exploits a loophole, the lone wolf's behavior is usually unacceptable. When a group of individuals who possess social status exploit the loophole, their behavior is often acceptable. Isolated individuals with low social status have very few advantages in society. And when they figure out how to gain an advantage, society goes on the offensive against them.

Bug Bounty

[Registered+Coward+v2]

Seems like he collected an ~500k$ bug bounty. The interesting part is "Zero Coin is a project to fix a major weakness in Bitcoin: the lack of privacy guarantees we take for granted in using credit cards and cash. Our goal is to build a cryptocurrency where your neighbors, friends and enemies can’t see what you bought or for how much" per Zero Coin. It seems they succeeded in their goal and were hoist by their own petard. Of course, had they recovered the funds then ZeroCoin would have failed at its purpose. I wonder who took the loss.

Re:Bug Bounty

Why did the Zcoin team even attempt to identify the attacker? Surely they realize that if they succeed, then no one will believe their claim about strong privacy guarantees and anonymity. This could harm their cryptocurrency by more than 592k$. Catch-22.

attacker has already sold 350,000

[frovingslosh]

the attacker has already sold 350,000

By which we mean he has already moved it into other accounts that he likely controls.

== vs =, | vs ||, variable/pointer dereference

[raymorris]

> A one character bug? Really?

Sure, I've seen many single-character bugs, and created a few. I imagine MOST experienced programmers have done this at least once:

if (a = b) {

When they meant:
if (a == b) {

Every language I can think of has a common single-character bug. Many Microsoft SQL users routinely leave off the semicolon which terminates a statement. Sometimes that results in buggy behavior right away, sometimes not until two years later when a change is made to the *proceeding* statement.

> What about the tests?

This is crypto-currency, the hot new thing tests are for old fogeys who still use dollars. Get with the times, young programmers are Agile, they don't plan and test their work, they release early and often. They release the Minimum Viable Product (minimum piece of shit they can get away with for a moment), it's illegal now to even think about corner cases and make code robust.