Introduction
We are now at the stage where we can share further details regarding the recent Salvium 0.7.x hard forks. We know that we have been slow in sharing this information, but it has been important for us to ensure its accuracy.
At the end of December, the core team initiated several hard forks to patch vulnerabilities that had been identified.
Unfortunately, a missing ZK proof created a particular vulnerability that would allow a malicious actor to mint new coins in a way that would not be detected by the chain analysis script. This introduced the risk of a hidden inflation hack, which we are taking very seriously.
The custom chain analysis script that we developed was of no use in the case of this particular exploit.
This document sets out the nature of the vulnerability, along with the ZK proof that was deployed in v0.7.0 to prevent the risk of future exploitation. To ensure confidence in the protocol, we are currently planning an audit to confirm the exact supply.
Overview of Vulnerability
Salvium attempted to incorporate improvements over Monero, the coin on which Salvium was built. One such improvement was a “commitment to a difference,” rather than the “commitment to zero” used by the Monero system. Monero’s “commitment to zero” approach meant that the commitment masks could not all be chosen independently. Implementing a “commitment to a difference” and providing that commitment in the transaction allowed all commitment masks for all inputs and outputs in the transaction to be independent of one another.
The “difference commitment” is calculated when generating the input and output commitments as:
pr = Commit(sumPseudoOuts - sumOuts, 0)
However, in versions of Salvium before the 0.7.0 update, Salvium did not include proof that the “difference” commitment (denoted ) contained a zero “amount.” This resulted in the described vulnerability, which allowed for the potential creation of coins without leaving detectable evidence on the blockchain.
The Missing Proof
The Required Proof
The required proof (that the difference commitment had no amount component, i.e., p) was a straightforward Schnorr-like sigma protocol, as follows:
- Generate a random scalar b.
- Compute r = b · G + 0 · h, where G is the generator point and h is the zero scalar.
Prover Steps (for a commitment difference d):
- Generates a random scalar r (a nonce).
- Generates a commitment to the scalar, i.e. R = r · G.
- Computes a commitment to the difference, with zero amount, i.e. Cd = Commit(d, 0).
- Calculates a challenge c = Hs(R || Cd).
- Calculates a response to the challenge z = r + c · d.
- Stores the tuple {R, z} and the commitment to the difference Cd in the transaction data.
Verifier Steps
- Recomputes the challenge from the proof and public data: c' = Hs(R || Cd).
- Recomputes the commitment to the scalar: R' = z · G - c' · Cd.
- Tests R' ?= R; if they are equal, then the commitment has a zero (0) amount term and is valid.
By adding this proof in v0.7.0, Salvium has prevented any future exploitation of this vulnerability.
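As an added illustration (not Salvium's own code), the following Python puts the balance check and the zero-amount proof side by side over a toy Schnorr group: the pre-0.7.0 check, which accepts a difference commitment whose hidden amount term is non-zero, and the v0.7.0 Schnorr-like proof, which rejects it. The group parameters, masks, amounts and nonce are constructed for the example, and multiplicative notation (g**x mod p) stands in for the page's elliptic-curve points.

```python
import hashlib
import math
import secrets

# Toy Schnorr group, constructed for illustration only (a 1019-element subgroup is
# not a production parameter set). p = 2q + 1 is a safe prime, so the squares mod p
# form a subgroup of prime order q; g**x mod p stands in for the page's x·G, and H
# is a second subgroup element whose discrete log base G is treated as unknown.
P, Q, G, H = 2039, 1019, 4, 49

def commit(mask, amount):
    """Pedersen commitment mask·G + amount·H, in multiplicative notation."""
    return pow(G, mask % Q, P) * pow(H, amount % Q, P) % P

def challenge(R, Cd):
    """c = Hs(R || Cd), forced non-zero: in a group this small c == 0 would otherwise
    occur about once in 1019 proofs and make the proof vacuous."""
    digest = hashlib.sha256(f"{R}|{Cd}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def prove_zero_amount(d, Cd, nonce=None):
    """Prover: R = r·G, c = Hs(R || Cd), z = r + c·d. Honest use passes Cd = commit(d, 0)."""
    r = nonce if nonce is not None else secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + challenge(R, Cd) * d) % Q

def verify_zero_amount(Cd, proof):
    """Verifier: R' = z·G - c'·Cd must equal R; only then is Cd's amount term zero."""
    R, z = proof
    if pow(Cd, Q, P) != 1:            # reject values outside the prime-order subgroup
        return False
    return pow(G, z, P) * pow(Cd, (-challenge(R, Cd)) % Q, P) % P == R

def balance_check(pseudo_outs, outs, pr, proof, require_proof):
    """sum(pseudoOuts) - sum(outs) must equal pr; the 0.7.0 fix additionally
    demands a valid zero-amount proof for pr (require_proof=True)."""
    lhs = math.prod(pseudo_outs) * pow(math.prod(outs), Q - 1, P) % P   # x^(q-1) = x^-1
    return lhs == pr and (not require_proof or verify_zero_amount(pr, proof))

def inflation_scenario(minted, require_proof, nonce=11):
    """Constructed tx: inputs worth 15, outputs worth 15 + minted. The sender knows every
    mask, so d = m1 + m2 - m3 is known, but pr hides -minted in its amount term."""
    m1, m2, m3 = 101, 202, 57                       # constructed masks
    pseudo_outs = [commit(m1, 10), commit(m2, 5)]
    outs = [commit(m3, 15 + minted)]
    d = m1 + m2 - m3
    pr = commit(d, -minted)                         # the honest case is minted == 0
    return balance_check(pseudo_outs, outs, pr, prove_zero_amount(d, pr, nonce), require_proof)
```

With minted = 10 the balance equation still holds, so only the proof requirement exposes the extra coins; the subgroup membership check in the verifier is the kind of input validation a real verifier must not skip.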
Audit and Impact
We must accept that the presence of a vulnerability means there is a risk that there has been an inflation hack. Given that Salvium is a private coin with amount hiding, the only way to truly ascertain the circulating supply is to audit the coins. To that end, Salvium will undergo an audit to confirm the exact supply. For security, specific details of the audit won’t be shared at this stage.
Exchanges
Exchanges were originally closed while we resolved the chain split. This issue has now been addressed, but it is prudent for exchanges to remain closed until the situation is clearer.
Acknowledgment and Commitment
We acknowledge the disruption caused by the rapid implementation of hard forks and appreciate the community’s patience. Moving forward, our focus remains on transparency and security. Thank you for your understanding and trust as we navigate this crucial period.