[VerusCoin.git] / doc / security-warnings.md

Security Warnings
====================

Security Audit
--------------

Zcash has been subjected to a formal third-party security review. For high priority security announcements, check https://z.cash.

x86-64 Linux Only
-----------------------

There are [known bugs](https://github.com/scipr-lab/libsnark/issues/26) which
make proving keys generated on 64-bit systems unusable on 32-bit and big-endian
systems. It's unclear if a warning will be issued in this case, or if the
proving system will be silently compromised.

Side-Channel Attacks
--------------------

This implementation of Zcash is not resistant to side-channel attacks. You
should assume (even unprivileged) users who are running on the hardware, or who
are physically near the hardware, that your `zcashd` process is running on will
be able to:

- Determine the values of your secret spending keys, as well as which notes you
  are spending, by observing cache side-channels as you perform a JoinSplit
  operation. This is due to probable side-channel leakage in the libsnark
  proving machinery.

- Determine which notes you own by observing cache side-channel information
  leakage from the incremental witnesses as they are updated with new notes.

- Determine which notes you own by observing the trial decryption process of
  each note ciphertext on the blockchain.

You should ensure no other users have the ability to execute code (even
unprivileged) on the hardware your `zcashd` process runs on until these
vulnerabilities are fully analyzed and fixed.

REST Interface
--------------

The REST interface is a feature inherited from upstream Bitcoin.  By default,
it is disabled. We do not recommend you enable it until it has undergone a
security review.

Block Chain Reorgs
----------------------------

Users should be aware of new behavior in Zcash that differs significantly from Bitcoin: in the case of a block chain reorganization, Bitcoin's coinbase maturity rule helps ensure that any reorg shorter than the maturity interval will not invalidate any of the rolled-back transactions. However for Zcash, all JoinSplits which were anchored within the reorg interval will become invalid, rolling back transactions and reverting funds to the original owner. The transaction rebroadcast mechanism inherited from Bitcoin will not successfully rebroadcast transactions containing JoinSplits if the anchor needs to change—the JoinSplit creator must do that.

For receivers of funds from a JoinSplit, using a higher minconf can help mitigate the risk of relying on funds received from transactions that may be rolled back.
Commit	Line	Data
8fb1005c TH	1	Security Warnings
	2	====================
	3
	4	Security Audit
	5	--------------
	6
a9ca1601	7	Zcash has been subjected to a formal third-party security review. For high priority security announcements, check https://z.cash.
8fb1005c	8
60991f9e TH	9	x86-64 Linux Only
	10	-----------------------
	11
	12	There are [known bugs](https://github.com/scipr-lab/libsnark/issues/26) which
	13	make proving keys generated on 64-bit systems unusable on 32-bit and big-endian
	14	systems. It's unclear if a warning will be issued in this case, or if the
	15	proving system will be silently compromised.
	16
8fb1005c TH	17	Side-Channel Attacks
	18	--------------------
	19
	20	This implementation of Zcash is not resistant to side-channel attacks. You
b7220002 TH	21	should assume (even unprivileged) users who are running on the hardware, or who
	22	are physically near the hardware, that your `zcashd` process is running on will
	23	be able to:
8fb1005c	24
35b3168d TH	25	- Determine the values of your secret spending keys, as well as which notes you
	26	are spending, by observing cache side-channels as you perform a JoinSplit
	27	operation. This is due to probable side-channel leakage in the libsnark
	28	proving machinery.
8fb1005c TH	29
	30	- Determine which notes you own by observing cache side-channel information
	31	leakage from the incremental witnesses as they are updated with new notes.
	32
2b5c33e1 TH	33	- Determine which notes you own by observing the trial decryption process of
	34	each note ciphertext on the blockchain.
	35
8fb1005c TH	36	You should ensure no other users have the ability to execute code (even
	37	unprivileged) on the hardware your `zcashd` process runs on until these
	38	vulnerabilities are fully analyzed and fixed.
8962f2a9	39
	40	REST Interface
	41	--------------
	42
	43	The REST interface is a feature inherited from upstream Bitcoin. By default,
	44	it is disabled. We do not recommend you enable it until it has undergone a
	45	security review.
a9ca1601	46
28799d8b	47	Block Chain Reorgs
a9ca1601 JG	48	----------------------------
a9ca1601 JG	49
28799d8b JG	50	Users should be aware of new behavior in Zcash that differs significantly from Bitcoin: in the case of a block chain reorganization, Bitcoin's coinbase maturity rule helps ensure that any reorg shorter than the maturity interval will not invalidate any of the rolled-back transactions. However for Zcash, all JoinSplits which were anchored within the reorg interval will become invalid, rolling back transactions and reverting funds to the original owner. The transaction rebroadcast mechanism inherited from Bitcoin will not successfully rebroadcast transactions containing JoinSplits if the anchor needs to change—the JoinSplit creator must do that.
	51
	52	For receivers of funds from a JoinSplit, using a higher minconf can help mitigate the risk of relying on funds received from transactions that may be rolled back.