Zcash engaged Coinspect and four other leading security companies to conduct a comprehensive security audit of the Overwinter network upgrade. Coinspect’s audit focused on the impact of the Overwinter code changes on consensus and incentives. During the assessment, Coinspect identified 2 high-risk issues. Neither issue was remotely exploitable by itself to steal funds or compromise the privacy of Zcash users. However, they affected the performance and availability of the p2p network.
The review was limited to the following code changes in Zcash v1.0.15:
- Transaction format version 3 (ZIP-202)
- Network upgrade activation mechanism (ZIP-200)
- Transaction Signature Verification (ZIP-143)
- Transaction expiry (ZIP-203)
In November 2018, Coinspect was asked to review the code modifications introduced to fix the reported vulnerabilities and concluded that the fixes implemented were correct. As a result, both issues are now considered resolved.