A malfunction in all of Zcash (ZEC) products, and a majority of its forks, has rendered its metadata – which includes the full nodes’ with shielded addresses (zaddr) IPs – exploitable.
Komodo (KMD) core engineer Duke Leto has mentioned the malfunction via his own webpage. The firm has issued A Common Vulnerabilities and Exposures (CVE) code, specifically assigned to follow up with the problem on September 29.
“A bug has existed for all shielded addresses since the inception of Zcash and Zcash Protocol. It is present in all Zcash source code forks. It is possible to find the IP address of full nodes who own a shielded address (zaddr). That is, Alice giving Bob a zaddr to be paid, could actually allow Bob to discover Alice’s IP address. This is drastically against the design of Zcash Protocol.” Leto further claimed regarding the incident.
Specifically, whichever client has made their zaddr, or has let another organization know the information can potentially suffer from the malfunction. Clients are advised to be alert regarding their “IP address and geo-location information associated with it as tied to […] zaddr.”
Non-zaddr, Tor Onion Routing network-exclusive or fund-sending zaddr users are the only ones suffering from the bug, and other coins apart from Zcash was also affected, including Hush, Pirate, Komodo smart chains with zaddr enabled by default, Safecoin, Horizen, Zero, VoteCoin, Snowgem, BitcoinZ, LitecoinZ, Zelcash, Ycash, Arrow, Verus, Bitcoin Private, ZClassic and Anon.
Komodo has taken the shielded addresses feature offline and move it to the Pirate chain, deeming the KMD bug-free.