Why I’m critical of ZCash
ZCash is a cryptocurrency with advanced privacy features, making it a serious contender in the privacy space. However, I have strong reservations about the project, and they largely stem from the judgment and motives of the founders. These concerns are not mine alone, but they are rarely discussed, and airing them is the aim of this article.
To be clear, the typical concerns about ZCash among domain experts are:
- optional privacy instead of default privacy
- raised money from investors
- 20% founders reward for first 4 years
- statements by Zooko and team regarding privacy
- trusted set-up
Exactly why these points are concerns is outside the scope of this article; explanations are not hard to find elsewhere. On their own, these points do not capture my concerns about the judgment and motives of the founding team.
The first place to start is that ZCash, as a cryptocurrency, is a monetary system. It was launched in 2016, long after prior cryptocurrencies had set a precedent for a “business model” of fair launch, distribution, and funding. Because cryptocurrencies are monetary systems, how a project is launched greatly affects public perception. Premines, ICOs, instamines, and the like have largely compromised public confidence in the motivations of founding teams while also being wholly unnecessary. Projects like Bitcoin, Litecoin, and Monero launched with no source of funding or marketing and over time evolved into mature projects whose coins became profitable for early adopters. It is fair to say that raising funds before launching a project is done for the comfort and convenience of the founders, not for the viability of the project.
ZCash did not go this route. I do not understand why, because ZCash did not seem to face any existential risk from a lack of upfront capital. It had the right ingredients in terms of product and the expertise of the team. What ZCash did instead was raise money from roughly thirty investors, who put their money into the project largely because they expected a financial return from this new monetary system.
So before ZCash even launched, the founding team had already added perverse incentives to their monetary system. Each of those thirty investors now has a financial incentive not just for ZCash to succeed but for any other project with strong privacy features to fail. This is not just a theoretical risk; human history is one long precedent for the dangers of incentives like this. The investor list is filled with wealthy individuals and sometimes the companies they own. I doubt any of them are concerned with privacy in the way a journalist is, as none of them seem to have affiliations in the privacy space. If funding really were necessary, ZCash could have raised enough to get started from the Electronic Frontier Foundation, the Free Software Foundation, and other non-profits dedicated to privacy and civil liberties. I would be surprised if these organizations would not or could not have helped. None of them is on the list of investors. There were almost certainly options for investors who would not introduce negative externalities into the space.
Next, taking on these investors, who expect something in return, has already compromised the fairness of a monetary system that has not even launched. As I mentioned, this is especially egregious because it was unnecessary to begin with. The monetary system is now hampered with a 20% founders tax for the first four years, equal to 10% of the total coin supply that will ever be created in ZCash. A group, probably smaller than 50 and almost certainly smaller than 100, will receive 20% of newly issued coins until 2020. (I am assuming some investors are anonymous.) This is the largest tax to ever exist in the early years of a cryptocurrency. Raising capital from investors to fund development, and then taxing the monetary system heavily with a founders fee to fund development again, sounds like a cash grab. Where, exactly, is Zooko showing restraint in this process of raising funds? To make matters worse, the initial funding for the project was not open to the public, just a closed group of investors. Because participation was closed, this is equivalent to a premine. ZCash would have been better off with an ICO, which would have been less egregious (due to open participation) but equally unnecessary, unless the cap were reasonably small.
That ZCash chose to start its project by immediately raising large amounts of capital when it was not necessary makes me question the motives of the founding team. I do not think this was a small amount of money: thirty public investors, and perhaps some private ones, were promised a large percentage of the minted coins in return. They are clearly not mission driven, or at least not in the way other projects seem to be. Mission-driven founders do not attempt to raise excessive capital to launch their project, because it comes at the cost of equity and autonomy. Good projects are capable of succeeding on their own merits. The cryptocurrency space has always attracted scammers and dishonest founders looking to profit from it. While I do not see Zooko as dishonest, the way ZCash was set up is, to say the least, disappointing to see.
Next was an event that I think further highlights the problems I see with the founding team. It starts with a website called monerolink.com.
monerolink.com discusses academic research on the inputs to Monero’s ring signatures and acts as a tool to help you see whether your transactions can be linked due to early vulnerabilities in the project. The research paper is interesting and helpful to have, since it quantified a known problem, but the manner in which the site was presented leaves me concerned. There are known constructive ways to further the development of secure privacy tools. A different approach was taken, because of the perverse incentives of the ZCash founders.
First, one of the authors of the paper is Andrew Miller, who is on the board of directors of ZCash. There is nothing particularly concerning at this point, as good research is good research, independent of authorship. However, the details of how this research was publicized make me skeptical of the claim that this was science as usual, and this affiliation just makes it that much more suspect. Let me explain.
Putting up a website called monerolink.com was highly unusual for a few reasons. First, this is never done with privacy tools, ever. There is academic research on every major privacy tool that exists, and that open discussion is why we have increasing confidence in their security. Research about privacy tools is almost always about finding potential attacks or weaknesses and quantifying them. However, there is no torlink.com. No i2plink.com. No httpslink.com. No internetexplorerlink.com. There are no dedicated websites whose sole purpose is to tell the general public “this tool has a vulnerability” in order to spread fear and doubt, because that is not a constructive way of improving these tools. The predictable knee-jerk public reaction is exactly why putting up dedicated websites is not considered good protocol for discussing vulnerabilities and is strongly discouraged in the security community. (Remember when I said that investors had a financial incentive for other privacy projects to fail? This is the result of that.)
This is what monerolink.com looks like to me: a project funded by investors receiving an outsize portion of the monetary supply puts up a site discrediting a community-driven, mission-oriented privacy project that has no funding and no marketing and is not even production ready (the dev motto was “don’t buy Monero” for years). The site purports to perform a public service by showing that some transactions are linkable, but the vast majority of those linkable transactions are from the earliest days of Monero, back when privacy could be manually removed and when its primary use case was trading, so pool operators and exchanges disabled the privacy features to reduce transaction fees. Over Monero’s evolution, the linkability of transactions decreased year by year as these vulnerabilities were researched and stronger measures implemented. This is the nature of new and evolving privacy tools: they are constantly in flux, being made more secure at a rate so rapid that studies of vulnerabilities can become outdated before the draft is finished. At the time monerolink.com was made, the analysis used to link transactions was no longer applicable. It was analogous to setting up a website warning against using Windows 10 and justifying it by showcasing vulnerabilities from Windows 95.
Zooko defended this site on the basis of it being a public service: https://twitter.com/zooko/status/904009573161287681. What is strange to me is why he takes a tool that is two to three years old, so new that it is rapidly evolving and does not yet have all of its core features, and acts as if the technology had been pushed forward as production-ready during that time. Even as of December 2017, Monero’s core features are not yet finished. monerolink.com strongly gives the impression that this analysis applies to a finished technology, where any vulnerability is an oversight of the team rather than the normal course of an open-source project developing the technology over time. Zooko’s claim that he is doing a service for anyone who was using Monero to evade someone dangerous seems bizarre. Why exactly does he think Monero misrepresented the evolving nature of this privacy tool, or that the community was not aware of this before? Ring signatures are so nascent in cryptocurrencies that Monero’s are used to provide plausible deniability per transaction rather than to guarantee privacy. And why does he feel the need to warn the public about a privacy feature that, as even the study acknowledges, its analysis can no longer use to link any transactions?
This behavior is sad and disappointing, and it was made possible by perverse incentives that could have been avoided. ZCash is itself not a mature tool, given the resource requirements of private transactions, and yet this team is spending its time setting up a website highlighting early vulnerabilities in a project that threatens ZCash’s hegemony in the privacy space. Future attacks are likely, not just against Monero but against any other project that becomes sufficiently successful in the privacy space. I am left wondering whether Zooko’s project will have a net positive effect on the development of privacy tools or a net negative one. Before ZCash, I had never seen a privacy tool whose development had negative externalities in the space. This is a disappointing precedent to set.
This is what I mean when I say I question the motives and judgment of the founding team and investors. Privacy is a human rights issue. Political activists, dissidents, journalists: they are all targeted by the governments they criticize. There is no such thing as competition in human rights. Multiple mature tools mean more security and more privacy, since we can use the tool best suited to our threat model. Multiple great projects together have positive externalities. ZCash is seemingly an outsider in the way it operates. monerolink.com is a site whose apparent purpose is to elicit greater concern than is warranted, with outdated information, about a project that is still extremely young and in development. This is highly unusual in the security space. ZCash at times is prone to cutting down “competitors” and acts as if its success requires that others fail. This behavior is not consistent with a mission-driven team but with a group with perverse incentives. When Monero grows to full maturity, I would not be surprised if monerolink.com’s strongly worded statements remain unchanged, leaving the general public wary of a project because of an extremely premature warning based on information that has long since been outdated. In fact, I suspect that ZCash investors will ask that the site stay up.
In the About section the site reads “Monerolink is proudly served from a beefy EC2 m3.medium, safely ensconced within CloudFlare’s protective embrace”, a veiled way of saying “you can’t bring this site down with a DDoS attack, so don’t try”. Exactly why this site would be attacked is beyond me, because this is not how honest operators act in this space. ZCash is revealing a lot about itself in the way it treats a major community-driven project working on a human rights issue, and in how it anticipates that project’s response to monerolink.com. The authors clearly know exactly how controversial these actions are when they proactively prepare for a DDoS attack that never even happened (because why would it?). I think the ZCash team should take a moment to reflect on why they seem to be the only group publishing misleading sites like monerolink.com and proactively preparing for an anticipated DDoS attack.
As I mentioned, the researchers’ ability to link the true sender of a transaction was largely diminished after 0-mixin transactions were banned in 2016 and did not apply at all after the inclusion of RingCT in 2017. (Not to mention that more improvements are in the pipeline, like increasing the minimum mixin size to 4 and efficient range proofs.) Putting up monerolink.com was like putting up a site discrediting Windows 10 while referencing a paper finding exploits in Windows 95. This is the nature of evolving privacy tools in their early stages. You could be forgiven for not knowing this from looking at the site, since this is a nuance that most will not be aware of. The site largely gives the impression that the analysis still applies, because to learn otherwise you have to read past the title and past the first paragraph with its big red bolded statements. It does not help that the site cites aggregate figures, which are heavily weighted toward Monero’s early years rather than recent ones (there is, for example, no analysis restricted to the last six months). In fact, even Edward Snowden referenced monerolink.com, saying that this vulnerability was due to amateur cryptography: https://twitter.com/Snowden/status/913557610858778625. It is hard to argue that the site is not misleading when Snowden is linking to it and basing his arguments on the title. This is exactly why public, dedicated websites discussing vulnerabilities are considered a bad idea, especially for vulnerabilities that are historical artifacts. If the aim was to educate users of Monero, I am left wondering why such a controversial website is worded in a way that confuses even Snowden.
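To make concrete what the 0-mixin ban changed, here is an added toy example of the elimination reasoning behind the linkability problem. This is my own illustration, not code from this article, from the study, or from monerolink.com. A ring signature claims to spend one of N outputs and hides the real spend among the decoys. A ring of size one (zero mixins) hides nothing, and because an output can be spent only once, that output becomes a known-spent decoy wherever else it appears; any ring left with a single unspent candidate is resolved in turn, and the effect cascades through the chain. The transaction graph, output names and transaction names below are constructed for illustration. The separate question of how a wallet picks its decoys (the input distribution problem mentioned later) is not modelled.

```python
"""Toy model of the zero-mixin elimination cascade against ring signatures.

Added example, not code from the article or from the monerolink.com
authors. Each transaction is modelled as a ring: the set of output IDs it
claims to spend one of. The transaction graph below is constructed; the
output and transaction names are hypothetical.
"""
from collections import deque


def trace_rings(rings):
    """Resolve rings by elimination.

    rings: {tx_id: set(output_id)}. A ring of size 1 (zero mixins) trivially
    reveals its real input. Because an output can be spent only once, that
    output is then a known-spent decoy in every other ring containing it, and
    any ring left with a single unspent candidate is resolved in turn.

    Returns (resolved, ambiguous): resolved maps tx_id -> real output_id;
    ambiguous is the set of tx_ids whose real input is still unknown.
    """
    spent = set()
    resolved = {}
    queue = deque(tx for tx, members in rings.items() if len(members) == 1)
    while queue:
        tx = queue.popleft()
        if tx in resolved:
            continue
        candidates = rings[tx] - spent
        if len(candidates) != 1:
            continue  # nothing to conclude (or an inconsistent graph)
        (real,) = candidates
        resolved[tx] = real
        spent.add(real)
        # The newly identified spend shrinks every other ring that used it as a decoy.
        for other, members in rings.items():
            if other not in resolved and real in members and len(members - spent) == 1:
                queue.append(other)
    ambiguous = set(rings) - set(resolved)
    return resolved, ambiguous


def enforce_min_ring_size(rings, min_size):
    """Consensus-style filter: drop transactions whose ring is smaller than min_size.

    Models a rule that rejects zero-mixin (ring size 1) spends outright.
    """
    return {tx: members for tx, members in rings.items() if len(members) >= min_size}


def traceable_fraction(rings):
    """Share of rings whose real input the cascade pins down."""
    resolved, _ = trace_rings(rings)
    return len(resolved) / len(rings) if rings else 0.0


# Constructed toy chain: outputs o1..o7, six spends. Only tx_a is zero-mixin.
TOY_RINGS = {
    "tx_a": {"o1"},                 # zero mixins: o1 is provably the real spend
    "tx_b": {"o1", "o2"},           # one decoy (o1), but o1 is already spent
    "tx_c": {"o2", "o3"},           # falls once tx_b is resolved
    "tx_d": {"o2", "o3", "o4"},     # two decoys, both known spent after b and c
    "tx_e": {"o5", "o6"},           # never touches the cascade: stays private
    "tx_f": {"o4", "o6", "o7"},     # loses one decoy but keeps two candidates
}


if __name__ == "__main__":
    resolved, ambiguous = trace_rings(TOY_RINGS)
    print("resolved:", resolved)
    print("ambiguous:", sorted(ambiguous))
    print("traceable with zero-mixin spends present:", traceable_fraction(TOY_RINGS))
    filtered = enforce_min_ring_size(TOY_RINGS, 2)
    print("traceable once ring size 1 is rejected:", traceable_fraction(filtered))
```

On the toy chain a single zero-mixin spend resolves four of six rings. Rejecting ring size 1 removes the seed of the cascade, and nothing is traced. The caveat is that the filter models a chain on which zero-mixin spends never existed; on the real chain the historical ones remain, which is exactly why aggregate figures are weighted toward the early years.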
(Regarding Snowden’s statement, the choice of inputs is a distribution problem, not one of cryptography, but I’ll assume he didn’t misspeak.) The only cryptography he could be talking about is the Cryptonote protocol. It is hardly amateur cryptography. The paper has been studied extensively by professional cryptographers for years and there are no big problems I am aware of: https://downloads.getmonero.org/whitepaper_review.pdf. If the paper’s anonymous authors aren’t professional cryptographers, they’re indistinguishable from them. Furthermore, the choice of inputs for the ring signature was a known issue, discussed multiple times in Monero’s formal channels about two to three years before the paper was published: https://lab.getmonero.org/pubs/MRL-0001.pdf, https://lab.getmonero.org/pubs/MRL-0004.pdf. You would only know this by reading the actual study, which is pretty dense. The study’s value was in quantifying this known problem. These nuances are certainly going to be lost on members of the general public taking a look at monerolink.com, like Snowden. They are going to read this site and leave with misleading information, which they then repeat because they assume the information is presented honestly.
Zooko seems to think concerns over monerolink.com relate to effects on price: https://twitter.com/zooko/status/904008020610359296. It is disappointing that he does not understand that the biggest concern among experts is the effect of misleading information in a space where deanonymization could endanger users. Instead Zooko thinks that a community that is ideologically against marketing, never paid an exchange to list them, never paid for articles to be written about them, has no investors, has no dev tax or founders reward, and discourages people from buying Monero (“don’t buy Monero” is a slogan) is somehow primarily concerned about price. I would really like Zooko to provide more insight into why he thinks criticism of monerolink.com is about the price of Monero, given this information. And when criticism of the site came from outside the privacy space in the form of a cheeky infographic, Zooko complained that the implication was misleading: https://twitter.com/zooko/status/854173162271121409. (That was exactly the point the infographic was making.)
Zooko has commented on monerolink.com, saying that he has no real authority over what Andrew Miller does or publishes. This is also a problem I am concerned with. All of his investors are incentivized to discredit competing projects, and sometimes they do. Zooko created perverse incentives for his investors to malign projects that could threaten ZCash’s anticipated monopoly in the private cryptocurrency space. So I am unimpressed with Zooko’s attestation that there is nothing he can do to stop this kind of behavior, when he created an environment that makes privacy a zero-sum game for ZCash investors who are beneficiaries of the founders reward.
ZCash is a cautionary tale about the perverse incentives created by raising private equity in a company that effectively controls a monetary system. It is no less perverse than a government taking on private investors, since governments also control their monetary policy. Private equity brings all the problems and politics of big money in the hands of a few. Raising private equity may be even worse than an ICO, due to the closed participation and smaller group of investors. As the cryptocurrency space grows and ZCash coins become more valuable, the incentive to attack other projects with misinformation campaigns will increase, funded by the founders reward. It could realistically be a prudent financial decision for a ZCash investor to spend half a million dollars on a negative PR campaign against Monero right before selling off several million dollars’ worth of ZCash. We might find that development of other privacy projects is hindered as high-profile public figures like Snowden cite plausible but misleading articles. People whose safety depends on anonymity could end up using unsafe alternatives out of fear of the tools targeted by negative PR campaigns. I have seen other communities, like Dash, argue that mixing is more secure than ring signatures because nobody has published vulnerabilities related to mixing, and then reference monerolink.com as evidence that ring signatures are insecure. (Thanks, Zooko!)
Alternatively, we could find that the impact of raising private equity is minimal, but that is a best-case scenario considering the effects of big money. I do not get the sense that this was thought out with sufficient care, given that these ZCash investors could have been non-profits like the EFF, who are less likely to act out of self-interest with their stake and would certainly act as better advisors. Thirty publicly known investors with no domain knowledge in privacy seems an unnecessarily large group to get a project off the ground. And some of the investors, like Roger Ver, were already known for attacking existing projects to further ones they supported. It is entirely possible that if Roger Ver were not busy with BCH and attacking BTC, he could be doing the same with ZCash and Monero. We would be seeing long tweets about how Monero’s ring signature input distribution is flawed and hard forks of “Monero Cash” to promote Saberhagen’s “original vision”. This would be followed by plans for another hard fork called M2X with double the ring size but no two-way hard replay protection. Or maybe someone affiliated with ZCash will just put up a site called monerolink.com which uses early vulnerabilities in Monero to give the impression that it is a poorly implemented and insecure project made by “amateur cryptographers”.
It is pretty clear ZCash could have been structured better, and this ultimately boils down to the judgment of Zooko and the motives of the people he selected as investors. The problems I outlined were completely avoidable, and now we are stuck with the negative externalities of Zooko’s decision. It seems he did not anticipate the incentives he created and does not seem to recognize self-interested behavior from his associates. The best we can hope for now is that Zooko successfully discourages his investors from attacking other privacy projects for financial gain in the future. It would also be nice if Zooko, the brand ambassador for ZCash, publicly stated that setting up dedicated websites to discuss known vulnerabilities with outdated analyses in a sensationalist manner is not a great precedent to set to further the development of privacy tools.