“Wrapped Serials” Attack On PIVX

By Rafał - 2019-03-16

A bug was noticed in the PIVX network's zerocoin protocol on March 6, 2019, prompting an audit that explained the full impact of the vulnerabilities found.
The “wrapped serials” attack, which has since been fixed in #PR-837, forges serials that the network accepts, enabling the attacker to spend zerocoins that were never minted.
The severity of the attack stems from its inflationary effect, since successful exploitation brings unaccounted coins into circulation. Despite that, the vulnerability would not directly harm users’ privacy or their holdings.
The bug was discovered when developers noticed on March 3 that block 1679090 was crashing any wallet based on the GMP bignum library. The bug did not reproduce with the original OpenSSL library.
Searching for inconsistencies between the two libraries, the developers discovered that the GMP bug was highlighting a bigger problem: an implementation issue that had been overlooked in the OpenSSL library. The failed block and subsequent ones contain serial numbers longer than 256 bits whose last 256 bits are equal to other valid serials.
Tests showed that the crash was not fallout from a bug in the GMP library but the result of an implementation flaw being exploited. The zerocoin functionality was disabled using a PIVX “spork” while the investigation was under way.
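An added example (not PIVX code and not the fix from #PR-837): a Python audit that flags spend serials longer than 256 bits whose low 256 bits match an in-range serial, the pattern described above. The function names, record layout and sample values are assumptions constructed for illustration.

```python
SERIAL_BITS = 256                 # serial width given in the article
MASK = (1 << SERIAL_BITS) - 1     # largest in-range serial


def audit_spends(spends):
    """Classify each (block_height, serial) spend record.

    Verdicts:
      "ok"            in-range serial seen for the first time
      "double-spend"  in-range serial that was already spent
      "wrapped"       over-long serial whose low 256 bits equal an
                      in-range serial present in the data set
      "out-of-range"  over-long or non-positive serial with no such match
    """
    # First pass: collect every serial that fits in 256 bits.
    in_range = {s for _, s in spends if 0 < s <= MASK}
    spent = set()
    report = []
    for height, serial in spends:
        if 0 < serial <= MASK:
            verdict = "double-spend" if serial in spent else "ok"
            spent.add(serial)
        elif serial > MASK and (serial & MASK) in in_range:
            verdict = "wrapped"
        else:
            verdict = "out-of-range"
        report.append((height, verdict))
    return report


def naive_is_unspent(serial, spent):
    """Duplicate check with no range check: compares full integers only,
    so an over-long serial never collides with its 256-bit counterpart."""
    return serial not in spent


# Constructed sample data (not real PIVX serials or block heights).
BASE = int.from_bytes(b"constructed-serial-for-example!!", "big")  # 32 bytes
SAMPLE = [
    (100, BASE),                       # ordinary spend
    (101, BASE + (1 << SERIAL_BITS)),  # same low 256 bits, longer serial
    (102, BASE),                       # plain repeat of the first serial
    (103, (1 << 300) + 7),             # over-long, matches nothing
]

if __name__ == "__main__":
    for height, verdict in audit_spends(SAMPLE):
        print(height, verdict)
```

The `naive_is_unspent` helper shows why a duplicate check alone is not enough: without a bound on serial size, the over-long value at height 101 looks like a fresh serial.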
A spork is a mechanism first used by the Dash network to forestall unintentional hard forks on the network. It enables the deployment of network-level features without unnecessary disruption.
A blog post by the PIVX network described the impact of the vulnerability in its account of the “Wrapped Serials” attack:
“Over the course of five days, it involved the spending of 477 zerocoins, of various denominations with invalid serials (belonging to coins that were never minted). This resulted in the creation of a total of 568,897 PIV (roughly 438,000 USD at current valuation) out of thin air.”
