We present two types of active side-channel attacks against private (a.k.a. shielded) transactions in Zcash. The attacks, called PING and REJECT, exploit differences in behavior between the payee of a particular shielded transaction and the remaining Zcash clients. By monitoring peer-to-peer traffic and injecting its own messages, an active attacker can remotely observe these differences due to fault and timing side-channels. The PING and REJECT attacks can be used to:
The PING and REJECT attacks exploit vulnerabilities introduced in Zcash's Sapling network upgrade (v2.0.0). Earlier Sprout transactions were not affected by the REJECT attack and were likely not remotely exploitable by the PING attack. Most of the above attacks apply even if the victim Zcash client uses an anonymity network such as Tor.
We disclosed these attacks to the Zcash security team, who fixed the underlying vulnerabilities in the v2.0.7-3 release of the Zcash client. See Zcash's security announcement and blog post. Users who have updated their client to the latest release are no longer vulnerable to the attacks described here. Since the attacks require active monitoring and participation in the Zcash peer-to-peer network, they cannot be applied retroactively to earlier transactions.
A more detailed description of the attacks, as well as a FAQ, can be found in our Technical Report.