You may find this relevant.
Recently an audit of the Ywallet was published by cybersecurity professionals that were engaged by the ZCash team or whomever it is in that ecosystem that's responsible for commissioning such efforts.
The results of that audit were published here: https://zecsec.com/audits/YWalletAuditReport-FINALv3.pdf
They found one high-security issue and a couple of other lower level problems. The identified problems have since been remediated (addressed).
Takeaway From This Audit
Even though this issue has since been fixed, the high-security bug that the researchers identified is worth noting.
Essentially:
1. The wallet has a feature that allows one to create "contacts" for various wallet addresses the same way you would when saving someone's # in your phone. Okay, cool.
2. Normally, this contact info is saved locally (on your computer / device / wherever you have this Ywallet software installed).
3. ZCash also allowed users to commit these contact mappings to the blockchain as well though (curious feature for a privacy-centric currency, but I digress).
With the above facts in mind, let's consider a hypothetical with Bob and Alice. They're both ZCash users and they know each other's respective ZCash addresses. Like the good friends / lovers they are, Bob has Alice saved as a contact under her address & vice versa.
If an attacker had knowledge of Bob & Alice's addresses + which addresses they had each other saved under as contacts, then said attacker would be able to intercept messages (memos) sent between the pair and modify / alter them before forwarding them to their ultimate destination (MITM pretty much).
Developers Fixed This
The fix was providing cryptographic authentication for contacts pulled from the blockchain to prevent the type of forgeries that would enable a MITM attack like the one outlined in the audit report.
So, consider that a win for ZCash and their users.
Finding Bugs / Issues is a GOOD THING
You want to find issues in code / software so that you can address them and fix those problems before a bad actor does first.
Sadly, this space doesn't believe in this principle, so oftentimes when issues are discovered in smart contracts and other projects in blockchain, the "developers" or "team" backing said project will refuse to acknowledge the issue - opting instead to leave their fate up to chance.
I'm not sure why blockchain projects engage in this dumbass practice. I call it 'dumbass' because that's what it is. Perhaps it's due to a lack of necessary funds to pay out bug bounties. Or maybe it derives from a terribly misguided belief that since addressing issues in a project's code requires inherently admitting that the developers are not infallible gods descended from Mt. Olympus that it would be better to risk the project being totally compromised before disappointing their respective communities with the grim reality that bugs are to be expected in software projects and that their existence or discovery is in no way indicative in itself of a catastrophic failure on the part of those responsible for building and maintaining the project.
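The kind of check described under "Developers Fixed This", as an added example that is not YWallet's code and is not taken from the audit report. It assumes contact records are JSON memos tagged with HMAC-SHA256 under a key only the wallet holds; the function names, memo layout, secret and placeholder addresses are all hypothetical.

```python
import hashlib
import hmac
import json

def contact_key(wallet_secret: bytes) -> bytes:
    # Domain-separated subkey, so the tag key is never the wallet secret itself.
    return hmac.new(wallet_secret, b"contact-record-v1", hashlib.sha256).digest()

def _canonical(name, address) -> bytes:
    # Unambiguous encoding of the fields the tag covers.
    return json.dumps({"name": name, "address": address},
                      sort_keys=True, separators=(",", ":")).encode()

def publish_contact(key: bytes, name: str, address: str) -> bytes:
    tag = hmac.new(key, _canonical(name, address), hashlib.sha256).hexdigest()
    return json.dumps({"name": name, "address": address, "tag": tag}).encode()

def load_unauthenticated(memos):
    # "Before": any well-formed record found on chain is trusted.
    book = {}
    for memo in memos:
        rec = json.loads(memo)
        book[rec["name"]] = rec["address"]
    return book

def load_authenticated(key: bytes, memos):
    # "After": a record is used only if its tag verifies under the wallet's key.
    book, rejected = {}, []
    for memo in memos:
        try:
            rec = json.loads(memo)
            name, address, tag = rec["name"], rec["address"], rec["tag"]
            expected = hmac.new(key, _canonical(name, address), hashlib.sha256).hexdigest()
            ok = isinstance(tag, str) and hmac.compare_digest(tag, expected)
        except (ValueError, KeyError, TypeError):
            ok = False  # malformed or non-contact memo: ignore, never trust
        if ok:
            book[name] = address
        else:
            rejected.append(memo)
    return book, rejected

# Constructed sample data: placeholder strings, not real Zcash addresses.
KEY = contact_key(b"constructed-wallet-secret")
GENUINE = publish_contact(KEY, "Alice", "zs1-alice-placeholder")
FORGED = json.dumps({"name": "Alice", "address": "zs1-attacker-placeholder",
                     "tag": "00" * 32}).encode()
MEMOS = [GENUINE, FORGED]
```

With the unauthenticated loader the later forged record silently remaps "Alice"; the authenticated loader keeps the genuine mapping and returns the forged memo in the rejected list.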
The audit is really thorough. Good thing it was the first audit.