At the beginning of November 2018, the Zcash Security Team contacted Komodo to initiate a vulnerability disclosure agreement.
Later in the same month, Zcash reached out once again to inform the Komodo Development Team about a critical vulnerability with the Zcash code base. Komodo is grateful that the Zcash team handled this issue in such a secure and professional manner, allowing Komodo to quickly reach a solution.
Komodo’s Dev Team, along with developers from the Verus Coin project, began evaluating the situation immediately. The team of developers and security experts decided to merge the fix that Zcash had implemented with other, Komodo-specific improvements to the codebase.
This allowed the real purpose of the upgrade— eliminating a vulnerability— to remain concealed and thus less likely to be exploited in the time before the new code was activated. The Komodo Dev Team deemed this essential to the safety of the ecosystem.
Komodo activated these changes to the code base on December 15, successfully hard-forking over 40 blockchains at the same time with no complications. Of course, this upgrade included the ZCash Sapling upgrade, 7 new assetchain parameters upstreamed to Komodo from Verus Coin, and an increase in block size from 2 Mb to 4 Mb, as well as the fix to the vulnerability.
Komodo’s developers reacted fast, removing the vulnerability within weeks of notification. It’s important to point out that the Komodo Development Team didn’t simply eliminate this vulnerability for the KMD chain. Rather, the Dev Team created a solution and pushed the upgrade throughout the ecosystem, securing 40 independent blockchains with one update.
The Komodo Dev Team is constantly working behind the scenes with third-party security experts and professional cryptographic code auditors to ensure the security of the Komodo ecosystem. Keeping with best practices, when vulnerabilities are identified, they are fixed quietly. Many victories go uncelebrated, in order to avoid attracting the attention of bad actors.
At this point, we would like to remind users that all KMD funds must be moved out of z-addresses before February 15, 2019. Regardless of whether your funds are in a Sprout z-address or a Sapling z-address, you must move them to a transparent address by Feb 15.
Private transaction functionality is being removed from the KMD main chain in Q2 2019. An interconnected chain, which will host zero-knowledge proof capabilities as well as Komodo's Custom Consensus technology, will be created and linked to the KMD chain. Komodo’s unique multi-chain architecture makes this high level of adaptability and blockchain interoperability possible.