Zcash — Puzzling the Hunters

04.04.2019

TL;DR. Ecology:5. Technology:8. Decentralization:5. Valuation:6. Rating:6/10

Cleaning Up the Toxic Waste Byproduct

Zcash is a privacy-focused blockchain protocol that hides transaction sender, transaction recipient, and transaction amount. This is done through the use of a zero-knowledge proof construction dubbed zk-SNARK, which was developed by Zcash cryptographers. As the name implies, the zero-knowledge proof is why a transaction's validity (for example, that it spends only coins the sender actually owns) can be proven without knowledge of the transaction details themselves.

There was one main drawback with this particular solution to private transactions: for zk-SNARKs to work, the blockchain had to have what have been coined public parameters. In the case of Zcash, these parameters, although complex, can in simplified terms be described as taking the form of a public/private keypair, where anyone who knew this keypair could issue new, counterfeit coins on the blockchain at will. This conundrum had to be solved by breaking the public/private keypair up into shards, where each of the people involved in forming the zk-SNARK public parameters held one public key shard and one private key shard; the latter was to be destroyed after setup. Theoretically, if just one such shard was destroyed properly, no one would ever be able to re-create the public parameters in a way that made the Zcash blockchain susceptible to the infinite inflation scenario mentioned earlier. After everyone had destroyed their private key shards (also known as toxic waste), they were to proceed to collectively construct the public blockchain with the help of the public key shards.

Chernobyl - still tainted by toxic waste. 

The Ceremony

To construct the public parameters before what was dubbed the Sprout mainnet launch, six participant Witnesses were chosen based on how well-known they were in certain circles, how good at cryptocurrency and IT security they were in general, and how ethical they were perceived to be. This selection was part of what was called the Multi-Party Computation (MPC) protocol - the process or Ceremony which would allow for the use of zk-SNARKs on the Zcash public blockchain. Three of the Witnesses were revealed to all participants as well as observers at the beginning of the Ceremony: Zcash lead developer Zooko Wilcox, computer scientist and Zcash technical advisor Andrew Miller, and Peter Van Valkenburgh. They were all spread out over different geographical locations.

The Ceremony occurred in October 2016. On the 23rd of that month, a fourth Witness was revealed to be Derek Hinch of NCC Group. Four days later, security specialist Peter Todd revealed himself as the fifth Witness. The last Witness had not been revealed by the time of the Ceremony blog post.

Zcash launched on October 28th, 2016, with a month of slow mining in order to make sure miners got their software and hardware set up properly. The coin immediately traded above BTC parity, meaning it initially was the highest valued blockchain protocol in existence. While most people were happy with the launch, Peter Todd quickly expressed concern with how the Ceremony had been conducted. All Witnesses had used software dependent on a rustc version that was released the day before the Zcash Ceremony ISOs were built, which meant they theoretically could have been backdoored. Whether they were or not could be audited, however, so Todd's critique was not a strong indication of actual unethical activity. The Ceremony drew other types of critique as well.

The Protocol at Launch

The protocol was based on Bitcoin Core, which made the Zcash blockchain technically similar to a much more fungible version of Bitcoin. Total supply had been set to 21M and the emission curve was also similar to Bitcoin's, with halvings every four years. During the first four years, around half of total supply was to be mined. For all these years there was also a mining tax (also known as Founders' Reward) in place, where the company behind Zcash - Zerocoin Electric Coin Company - as well as other investors and advisors, were getting 20% of all minted coins. This effectively allocated around 10% of all Zcash that will ever exist to these stakeholders. A portion of those 2.1M ZEC were pledged by some of the beneficiaries to be used to fund the Zcash Foundation - a non-profit vehicle more suitable than Zerocoin Electric Coin Company to serve, in the long run, the interest of everyone involved with the Zcash blockchain.

A checkpointed little Zcash sprout growing after the MPC. 

Even though the code base was based on Bitcoin, the Proof of Work (PoW) algorithm was not. Relying on RAM as the bottleneck resource for generating proofs, Equihash initially made Zcash incompatible with any Application Specific Integrated Circuit (ASIC) and so made sure Zcash could be mined with CPU or GPU. This Equihash mining algorithm was devised by Dmitry Khovratovich and Alex Biryukov, and was Zcash's initial attempt at ASIC resistance.

The Early Days

Zcash 1.0.1 was released on November 3rd, 2016. It included various bug fixes as well as a checkpoint to protect the chain from 51%-attacks. The 1.0.2 version was released just four days later, containing more bug fixes. 1.0.3, another bug fix version that primarily mitigated a cache invalidation bug, was released on the 17th of November. The severity of the bug prompted a public security announcement from the team. 2016 ended with the last release for that year, 1.0.4, which added another checkpoint, fixed bugs and improved zk-SNARK verification performance by 7%. The first release of 2017 was 1.0.5, which mainly corrected bugs as well as some usability properties. This was followed by a 1.0.6 February release that focused on improving functionality of the wallet as well as bug fixes.

On the 21st of February 2017, a type of roadmap was published by the Zcash developer team. It outlined a focus on stability, security and innovation, which taken together would take Zcash from its Sprout releases to what was named Sapling. Planned improvements were for example Cross-Chain Atomic Transactions, which would allow for transactions spanning multiple blockchains. It essentially would enable users to trade Zcash for other blockchain tokens like Bitcoin, without relying on an intermediary. Further planned improvements were a cryptography upgrade, with efficiency improvements as a result. At this time the zk-SNARK cryptography was still very computationally heavy to run. Lastly, there were plans to introduce user-created token functionality with the success of ERC20 in mind.

February also saw a push from the team to increase the percentage of shielded (in other words private) addresses on the network. Shielded addresses were optional, which had resulted in a majority of all used addresses being transparent at that time. The problem from a privacy perspective was that transactions to and from transparent addresses increased linkability also for some transactions to and from shielded addresses. At this time, only around 29% of all addresses were shielded, which was a cause for concern.

On the 17th of March, 2017, the Zcash Foundation was announced. Plans for such an entity were of course already known, but now those plans finally came to fruition in an attempt to disassociate Zerocoin Electric Coin Company from too much control over the Zcash blockchain. Zooko Wilcox stated that to have a for-profit company too tightly involved with the evolution of the project was problematic, and the Zcash Foundation as an independent, inclusive, non-profit body could take on that role better. This new entity was funded by donations stemming from the Founders' Reward, and had a stated focus on education, science, public infrastructure, and consumer protection.

A Sapling Grows

Spring 2017 saw a couple of new releases, mostly focusing on minor improvements and bug fixes. The 1 000 000th ZEC was mined around this time, meaning 20 000 000 ZEC were still 'in the ground'.

The Zcash Sapling - still not fully grown in 2017 

On April 12th, 2017, a public security announcement went out from the team, warning of a DoS vulnerability in the Zcash client. Transactions crafted in a certain way could crash full nodes, meaning this was a critical attack vector for Zcash miners, exchanges and other node operators. The 1.0.8-1 release patched the vulnerability.

On the 1st of May, 2017, Zcash governance was further formalized. The new policy included a monthly release schedule (later changed to every 6 weeks), as well as a client version deprecation schedule, where client versions were deprecated four months after release date. The whole schedule was termed 'aggressive', which meant the Zcash developers took a firm grip on the direction of the project. May ended with a 1.0.9 release, as well as a J.P. Morgan partnership announcement, where Zcash technology was to be added to Quorum, J.P. Morgan's enterprise blockchain platform.

Research on elliptic curves resulted in Jubjub, a curve that is efficient to perform operations on inside zk-SNARK circuits. The implication for regular Zcash users was that when integrated into the future Sapling release, transaction proving time could see an 80% reduction while memory/RAM usage could see a dramatic 95% decrease.

One Year of Zcash

The one-year mark of network up-time could briefly be described as 12 software updates, release cycle formalization, governance changes in the form of the Foundation, as well as bleeding edge research in preparation for Sapling. The anniversary was quickly followed by improvements on the MPC protocol, in other words toxic waste minimization. As future upgrades of Zcash included more of these Ceremonies, these findings still mattered for the Zcash blockchain as well. One of the new innovations was the scaling of the number of possible participants, resulting in a higher overall security as it was still enough that just one participant was honest for the whole setup to be deemed secure. Another new feature gave participants flexibility in what hardware and operating system they used, which was not the case in the Sprout Ceremony.

Future MPC protocol Ceremonies could now due to innovation have an expanded participant list, resulting in lower overall risk of being compromised. 

On November 20th, 2017, 1.0.13 was released, reducing memory usage for shielded transaction creation by more than 40%. The month ended with some new hires. In December, Zcash was put in the spotlight due to a paper published by Jeffrey Quesnelle. In his paper, he mapped the effective privacy of Zcash, and concluded that certain transactions to and from shielded addresses in particular were at risk of being linkable. Simply put, linkability increased if the to and from amounts were the same, despite the transactions being shielded.

The first release of 2018, 1.0.14, contained a new viewing key feature. With this feature, the owner of a shielded address could issue a viewing key that gave selected nodes the possibility to view past received transactions to that address, as well as all future transactions from that address. They could not spend any funds from the address.

Overwinter and ASIC Threats

On 2nd of March 2018, Zcash Overwinter was announced. Overwinter was a hardfork, meaning all nodes had to update in order not to break away from the main network. The update included, among other things, replay protection in preparation for future hardforks, and improved performance for transparent transactions. Overwinter was integrated in 1.0.15, which was released on the same day. All Overwinter changes as well as a couple of Sapling changes were put up for a comprehensive audit at the end of the month. The auditors consisted of NCC Group, Coinspect, Zooko's old company Least Authority, Kudelski Security, as well as University of London cryptography-oriented PhD candidate Mary Maller.

With the Zcash 1.1.0 release in April 2018, Overwinter was set to activate some time in June the same year. Soon after the client version release, new research was published by academics from College University of London, which mapped how anonymity could deteriorate if money was sent from a transparent address to a shielded one, and then partly back to a different transparent address. Even prior to this research the Zcash team recommended not using a single shielded address as an intermediate step between transparent addresses, and now that was stressed further.

Besieged Zcash GPU miners hoping for a PoW-algorithm miracle. 

In May 2018, Zerocoin Electric Coin Company put out a statement on ASICs, as mining equipment manufacturer Bitmain apparently had managed to create an ASIC for Equihash. The statement itself was not concrete in its response, but rather iterated the Zcash focus on Overwinter and Sapling, while the Zcash Foundation initiated research on this new ASIC reality. It was clear however, that should the threat grow too large, mining algorithm changes recommended by the Foundation could definitely get merged to future client releases.

Powers of Tau

Improvements on the MPC protocol have been discussed earlier in this article, and the first practical implication of that research was a project called Powers of Tau, organized by the Zcash Foundation. The large scale, communal Powers of Tau ceremony would be a mandatory precursor to the network's Sapling hardfork, and was initiated as early as late 2017 by ad-hoc coordination with a public mailing list. It was constructed in a way that included many, diverse participants, while transparency mitigated any fear that Zcash-affiliated individuals dominated the whole process. The completion of the ceremony was announced by the Foundation in April 2018, and transcripts and results of the whole process were available over BitTorrent for public review. As many as 87 contributors participated, and this fact should be viewed in the light that supposedly only one of all those had to be honest for the whole setup to produce usable public parameters for Sapling.
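The one-honest-participant property can be seen in a toy version of such a ceremony. The following is an added illustration, not code from Zcash or the Zcash Foundation: it is a simplified sequential "powers of tau" update in a tiny multiplicative group, without the pairing-based curves and per-contribution proofs a real ceremony relies on, and all names and parameters in it are assumptions chosen for the example.

```python
"""Toy sequential powers-of-tau setup (illustration only).

Real ceremonies use pairing-friendly elliptic-curve groups and attach a
publicly checkable proof to every contribution; neither is modelled here.
The group below is tiny and offers no security.
"""
import secrets
from math import prod

P = 2039            # small safe prime: P = 2*Q + 1
Q = 1019            # prime order of the subgroup generated by G
G = 4               # generator of that order-Q subgroup


def initial_srs(degree):
    """Starting parameters for tau = 1: element k is G^(1^k) = G."""
    return [G] * (degree + 1)


def contribute(srs, secret):
    """Mix one participant's secret into the parameters.

    Element k holds G^(tau^k). Raising it to secret^k gives
    G^((tau*secret)^k), so tau becomes tau*secret without the
    participant ever learning the previous tau.
    """
    return [pow(elem, pow(secret, k, Q), P) for k, elem in enumerate(srs)]


def run_ceremony(participant_secrets, degree):
    """Apply every contribution in turn and return the final parameters."""
    srs = initial_srs(degree)
    for secret in participant_secrets:
        srs = contribute(srs, secret)
    return srs


def srs_from_tau(tau, degree):
    """Parameters computed directly by someone who knows the combined tau."""
    return [pow(G, pow(tau, k, Q), P) for k in range(degree + 1)]


def colluders_can_rebuild(final_srs, known_secrets):
    """True only if the secrets the colluders kept multiply to the real tau."""
    tau_guess = prod(known_secrets) % Q
    return srs_from_tau(tau_guess, len(final_srs) - 1) == final_srs


def fresh_secret():
    """Random secret in [2, Q-1]; never 0 or 1, so it always changes tau."""
    return secrets.randbelow(Q - 2) + 2


if __name__ == "__main__":
    kept = [fresh_secret() for _ in range(5)]   # five participants keep their secrets
    destroyed = fresh_secret()                  # one participant deletes theirs
    final = run_ceremony(kept[:2] + [destroyed] + kept[2:], degree=4)
    print("colluders alone can rebuild:", colluders_can_rebuild(final, kept))
    print("with the destroyed secret:  ", colluders_can_rebuild(final, kept + [destroyed]))
```

The combined secret is the product of every contribution, so it stays unknown as long as a single factor is gone; in this toy group it could still be found by brute force, which is why real ceremonies use cryptographically large groups.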

For the Powers of Tau, Ryan Pierce and Andrew Miller acquired small doses of radioactive waste from Chernobyl, placed it on the ground, flew 3000 feet over it and measured its radioactivity with a Geiger counter. All to achieve a source of randomness for the benefit of their Powers of Tau contribution. 

As the integrity of the Powers of Tau ceremony was deemed very high, Zcash developers proceeded with taking those results to combine with a second Sapling MPC ceremony. While volunteers could contact the Zcash developers to be included in this second part of Sapling preparations, the new client version 1.1.1 was released, with Sapling consensus code changes ready to activate in the future.

On June 26th, Overwinter activated. A month after that, Zcash developers announced that the Sapling MPC ceremony had been completed, with as many as 200 participants or contributors involved. This second ceremony was hosted by the Zcash company, and like the Powers of Tau ceremony, it was one of the largest MPC events in history.

Sapling Activates

Zcash 2.0.0, the first Sapling-compatible version, was released in August 2018. Sapling was set to activate around the 28th of October, on the second anniversary of the Zcash network. At block 419200, the activation occurred and the Overwinter network finally forked to become Sapling. Among the major changes was the introduction of a new type of shielded address, resulting in a time reduction of 90% for constructing transactions, and a memory reduction of over 97%. These performance improvements paved the way for Zcash integration with weaker machines like hardware wallets and mobile devices. As ZEC had to move to this new shielded address type by first touching a transparent address type, Zcash developers also conducted a mandatory monetary supply check as part of the upgrade. This was a measure to increase the chance of finding out whether counterfeit ZEC had entered the ecosystem up until then through some type of bug.

In November, the Zcash Company expanded yet again. And as Sapling had gone smoothly, Zcash was promptly listed on the well-known cryptocurrency exchange Coinbase. Third party integration was by this time much easier as, for example, the proving time of zk-SNARKs had been reduced from 37 seconds in Sprout to almost 2 seconds with Sapling. The year ended with a stated developer focus on further encouraging the use of shielded addresses for the benefit of privacy for the whole ecosystem. Plans were also drafted for the next Zcash upgrade, aptly dubbed Blossom. It is scheduled to activate in October 2019, one year after Sapling activated and half a year after this article was written. Possible features included in Blossom are anti-ASIC efforts in the form of a Harmony mining algorithm (later delayed for security reasons), a general re-work of the usability of transaction fees in anticipation of full blocks, optimizations for a future Light Client, base consensus support for the second-layer protocol BOLT, full retirement of old Sprout address types, an increase in the frequency of blocks, and lastly chain roll-back protection.

The Inflation Threat Strikes

2019 started off with a small shift in Zcash activity towards marketing and adoption efforts. As the base layer had now solidified over the years and shielded addresses were much easier to use than before, it was deemed logical to maintain focus on how to attract more users with, for example, good wallets, light clients, more exchange listings etc.

January ended with a summary post of findings from all 2018 audit contractors. There were a multitude of issues found, which prompted Zcash developers to initiate more audit rounds. On the 5th of February, a long announcement was posted that detailed a counterfeiting vulnerability (CVE-2019-7167) - the scariest of all bugs for a public privacy blockchain like Zcash. The vulnerability was discovered in early 2018, which meant it had been kept in the dark for almost a year in order not to increase the risk of someone exploiting it. It was secretly patched in the Sapling upgrade. Although unprovable, Zcash developers believed no one had the high level of technical and cryptographic sophistication to actually have managed to pull off a successful exploit. Furthermore, the monitoring efforts of Sprout addresses had so far yielded no cause for alarm.

Zcash ATM - Figure out how to use it and create money from thin air. 

The media coverage about the serious infinite inflation vulnerability slowly cooled off. In February 2019, Zerocoin Electric Coin Company changed name to just Electric Coin Company to further distance the company from being seen as the official leader with regards to Zcash development. Shortly thereafter, the Zcash Foundation announced a suggested new ZIP (Zcash Improvement Proposal) process which formalized the relationship between actual changes of Zcash and ZIPs. The announcement also commended the Zcash Company's willingness to relinquish control over the development process.

The last released version of Zcash was 2.0.4, which corrected for a couple of bugs as well as integrated further counterfeiting counter-measures on the Zcash testnet. And that is all for the two and a half year history of this cryptocurrency.

Ecology

Looking at the latest Zcash blockchain statistics on a block explorer, it seems that around 100 000 shielded and transparent transactions have been processed during the last 30 days. This amounts to around 3000 transactions per day, which is not that much when compared to other top projects like Bitcoin or Ethereum. Work has started on a second layer solution dubbed BOLT, but it is not yet ready for mainnet, and its GitHub repository is updated by just one person.

With regards to community activity, there is evidence in the form of, for example, the 3-day long Zcon0 conference in Montreal, in 2018. The conference was attended by many well-known cryptographers. Zcon1 is planned for June 2019 and will take place in Croatia. In addition to these large conferences, the Zcash Foundation has also allocated resources to local Zcash meetups. The use of grants by the Zcash Foundation is yet another way to help create a broader ecosystem. Activity on the Zcash subreddit is not high, but the posts are at least of rather high quality, often with a technical or economic focus on ASICs, supply curves or anonymity technology.

The Founders' Reward mentioned in the beginning of the article has led some cryptocurrency enthusiasts, when assessing Zcash, to wonder whether or not the developer team can be trusted. A somewhat common misconception is that 20% of all current and future ZEC are allocated to the founders. As the 20% mining tax is applied 'only' for four years, the true 'premine' if you will, is exactly 10% of total supply. This number is lower than for most cryptocurrency projects out there, and additionally is not strongly tied to centralization in the sense that Zcash is a PoW and not a PoS protocol. Instead of following the practice where a developer team allocates a large number of tokens to themselves in the genesis block and then often promises not to sell, the Founders' Reward at least spreads this allocation out over a period of four years, which also helps align incentives for core developers to continue their collective work on the project. BD Ratings concludes that this setup is not unethical, but comes with some other concerns that are discussed later.

In an attempt to speed up adoption, Zcash developers introduced a somewhat minimalistic reference wallet that they hoped third parties could use as template when designing light-weight wallets for more niche purposes. This focus on user experience for certain vital properties like transactions is clearly aimed at increasing adoption. Cryptocurrencies in general are far behind in the user experience of conducting even basic operations on blockchains.

And finally, as already mentioned in an earlier Monero article, the chances that the Bitcoin or Ethereum ecosystems were to absorb considerable economic activity from Zcash after hypothetically implementing anonymity features are probably slim. Adding full fungibility for layer one Bitcoin transactions would demand large changes to the code base. Any large changes would likely cause a rift among the conservative Bitcoin stakeholders and consensus would be a very hard goal to achieve. With Ethereum, zk-SNARKs could become popular, but again not on the 'base layer' itself but as token implementations.

Grade: 5

Reasons: Not a considerable number of daily transactions. Community is somewhat active and of decent quality. Grant money to help build an ecosystem. Well-known but relatively new blockchain.

Technology

When inspecting the Zcash GitHub repositories one can see a flurry of activity by a number of developers. As for the Electric Coin Company, its hiring focus seems to be on engineers, and the total number of developers on the team is promising as well. Among all the people involved with Zcash, there are many well-known cryptographers like Zooko Wilcox, Matthew Green and Eli Ben-Sasson. The code base, based on Bitcoin originally, has inherited the technical stability of that battle-tested blockchain, which reduces the risks of fatal vulnerabilities not related to zk-SNARKs.

Zcash developers have always had a strong focus on peer review. This has resulted in various articles in public science literature as well as at well-known universities, like this one for The Johns Hopkins University Department of Computer Science. Another article got published at the International Association for Cryptologic Research (IACR), and yet another one at the Institute of Electrical and Electronics Engineers (IEEE). The cryptography used in zk-SNARKs is novel, and although peer reviewed this comes with a higher risk of some type of failure. Only years of studying and using this technology can help establish its solidity and safety. This means wealth stored on the Zcash ledger will have to take this additional risk into account, which we all were reminded of in the CVE-2019-7167 counterfeiting vulnerability event.

Over the years, a number of code audits have been commissioned by the team. Auditing firms include NCC Group, Coinspect and Solar Designer. Everything from the Equihash mining algorithm to zk-SNARK cryptography was audited. Some results of these audits seem to have been pretty serious, showing why spending money on code audits generally is a very good idea from a security perspective. The Equihash audit results concluded the feasibility of the algorithm (which later turned out to be somewhat incorrect). Long after the Sprout mainnet launch, an audit on the Ceremony was performed by NCC Group, who could not find any fatal vulnerabilities in how it was conducted. In preparation for Overwinter and Sapling, another comprehensive audit was initiated. Finally, the total 2018 audit results were large in scope, and again proved the effectiveness of these services. As for all the bugs discovered in these audits; should they be very serious, they would obviously affect the Technology rating. But what BD Ratings is particularly interested in are real consensus failures, DoS attacks or inflation bugs that occur due to negligence or technical incompetence.

It is worth mentioning a process that recently solidified in its form: the Zcash Network Upgrade Pipeline. It is a formalization of how technical upgrades occur on the network, while still trying to stay disassociated from general governance. In other words, this pipeline is a way to increase security and efficiency for new client versions, but it is not designed to help decide what kind of changes go into said client versions. Overall, this ought to increase the technical quality of Zcash slightly.

Grade: 8

Reasons: Battle-tested code base. Large team of good developers. A constant focus on peer-review and external code audits, both with regards to privacy tech as well as general code base and mining algorithm.

Decentralization

The Founders' Reward does centralize Zcash to some degree, as it funnels resources to certain developers, no matter how they should behave. It is of course a balance between development funding and slight centralization, and on the whole BD Ratings sees no insurmountable problem with a 10% allocation, especially as the tokens are released continuously over four years in order to align incentives and minimize token price manipulation. From a decentralization point of view, voluntary funding (as was the case with Monero) is preferred, but 10% is still on the low end in this space, and will especially have limited effect on centralization for a Proof of Work chain like Zcash. More serious with regards to the issue of centralization is the for-profit Electric Coin Company that still is relatively tightly involved with Zcash, and that can therefore be sued, co-opted or attacked in other ways.

Already before the launch of the Zcash blockchain, the developer team expressed a clear view of what they called 'protocol upgrades', in other words, forks. They laid out a roadmap where these hard forks were a given, which is not uncommon for young blockchains. With regard to decentralization however, this early-on self-stated bypass of governance on the matter clearly tried to assign power to the developer team instead of other stakeholders. With that said, the team also seems comfortable with actual forks, so this approach to improving on Zcash does at the very least not try to enforce changes on unwilling stakeholders.

By introducing the Zcash Foundation, power was promptly better distributed away from Zooko's for-profit company. Additionally, Zooko himself stated clearly that the Foundation was to act as a counter mechanism should the company 'turn evil'. This whole move to try to introduce some checks and balances on which entities have the power to steer the evolution of the Zcash blockchain was positive for Zcash. The renaming of Zerocoin Electric Coin Company in order to distance the for-profit entity from Zcash technical leadership is of course mostly cosmetic, but it should also be seen in the light of other decentralization efforts. BD Ratings sees a clear pattern with regards to these efforts. Not only is the Foundation helping slightly in this regard (especially after introducing its own governance mechanisms), but a Parity partnership introduces stronger long-term decentralization as well in the sense that having many different client implementations helps reduce dependencies on single developer teams.

ASIC hardware has started to become an issue for Zcash, as well as for many other PoW blockchains. Research on hardened ASIC resistance was begun by the Foundation as early as 2018, and it is clear when looking at the initial goals of Blossom that the Zcash core developers have ASICs in mind when proposing changes. The possible change of PoW algorithm in 2020 (initially scheduled for 2019) is the first obvious indication, and roll-back protection is the second one. Zcash stakeholders need to think hard about this threat, and how best to counter it (give up/resist...) while minimizing different centralization forces and schisms. At least one comment from Zooko indicates that he will not push for PoW ASIC resistance at all. He has also publicly been relatively open to PoS, which would be one way to counter a serious ASIC threat. It is in other words anyone's guess what consensus mechanism Zcash will end up with.

A further indication that ASICs will consolidate power over the chain, at least until 2020, is a Zcash community governance panel that during the summer of 2018 voted not to push for a priority PoW change in order to brick ASICs. Instead they voted for a future unspecified consensus mechanism change towards a non-ASIC resistant, environmentally friendly algorithm run by hardware designed by a consortium of manufacturers. In other words, it looks like at least this panel gave up on ASIC resistance and instead tried for the second best option: a competitive ASIC market. Regular Zcash enthusiasts seem to have been unhappy with this decision. When looking at pool hash rate distribution, no known pool is as of now very close to gathering 50%, but a single address has achieved a worryingly high hash rate (over 30%) for the last month.

And last of all concerning the Decentralization rating; the fact that roll-back protection has been discussed for future versions of Zcash needs to be monitored closely. It may be an effective way to counter a growing ASIC threat, but could also turn out to be a double edged sword should it allocate too much power to Zcash developers, who then can more or less decide that a minority hash rate chain is the 'true' Zcash.

Grade: 5

Reasons: For-profit company still in the center of development. Social decentralization efforts have been somewhat successful. The arrival of ASICs has increased risk of 51% attack, no matter total hash rate. Planned blockchain checkpoints.

Valuation

Considering all 21M coins, Zcash is valued at around USD 1.5B at the time of writing. This puts Zcash at a valuation of around 1.5% of that of Bitcoin and also slightly above that of Monero. A 1.5% relative valuation to Bitcoin could be seen as on the lower end considering the rather strong overall fundamentals of Zcash.

One parameter that has to be taken into account when doing fundamental analysis on Zcash is the protocol's inherent privacy: it results in some scenarios where it is harder to notice ZEC coins created out of thin air due to a counterfeiting vulnerability exploit. After reviewing how the Sprout and Sapling Ceremonies were set up and performed, BD Ratings deems it much more likely that such an exploit could originate from an unrelated vulnerability rather than some type of flaw or integrity breakdown stemming from these Ceremonies themselves. Peter Todd's critique of the initial Zcash Ceremony is of course important to take into account when assessing total risk, but if/when Zcash has another infinite inflation bug like the one in 2018, it is again more likely to come from protocol bugs than from any Ceremony weaknesses. This especially holds true after the implementation of certain improvements to the Ceremonies themselves.

The supply audit mechanisms are just smoke detectors and don't really hinder counterfeiting activity in the first place. With all the above said, the overall risk of undetected counterfeiting remains higher than for other, transparent public blockchains. This especially holds true if the exploiter is technically highly capable and thus can also easily monitor the counterfeiting defenses in order not to get detected early.
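What such a supply audit can and cannot see is easiest to show with a running balance. This is an added sketch, not Zcash's own code, and it serves both the supply check described under Sapling Activates and the smoke-detector remark above; it assumes the check amounts to comparing the value that entered a shielded pool with the value that left it through transparent addresses, and the ledgers are constructed sample data.

```python
"""Running-balance audit of a shielded value pool (constructed data).

Assumption: every transfer into or out of the pool crosses a transparent
address, so its amount is public even though activity inside the pool is not.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PoolTransfer:
    height: int      # block height (one record per block)
    entered: int     # total value moved from transparent addresses into the pool
    left: int        # total value moved out of the pool to transparent addresses


@dataclass(frozen=True)
class AuditResult:
    alarm_height: Optional[int]   # first block where exits exceed all entries
    shortfall: int                # how much more value left than ever entered
    balance: int                  # pool balance when the audit stopped


def audit_pool(transfers):
    """Replay transfers in block order and stop at the first negative balance.

    A negative balance means value left the pool that never entered it,
    which can only happen if coins were created inside the pool.
    """
    balance = 0
    for t in sorted(transfers, key=lambda t: t.height):
        if t.entered < 0 or t.left < 0:
            raise ValueError(f"negative amount at height {t.height}")
        balance += t.entered - t.left
        if balance < 0:
            return AuditResult(t.height, -balance, balance)
    # No alarm. This shows only that exits never exceeded entries; it does
    # not show that every exit was backed by a genuine deposit, which is
    # why the audit detects counterfeiting late rather than preventing it.
    return AuditResult(None, 0, balance)


# Constructed sample ledgers; amounts are in the coin's smallest unit.
CLEAN = [
    PoolTransfer(height=100, entered=500, left=0),
    PoolTransfer(height=101, entered=300, left=200),
    PoolTransfer(height=102, entered=0, left=400),
]
# Same history plus one exit larger than what remains in the pool.
INFLATED = CLEAN + [PoolTransfer(height=103, entered=0, left=250)]


if __name__ == "__main__":
    print("clean:   ", audit_pool(CLEAN))
    print("inflated:", audit_pool(INFLATED))
```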

Lastly, one factor that could make some investors hesitant to store value on Zcash at the moment is the high inflation. As the blockchain issuance schedule mimics Bitcoin's, inflation is only slowly trending towards zero. All in all, BD Ratings doesn't see this as a huge issue as the max cap of 21M coins is a well-known fact, meaning investors can take this inflation into account when valuing the already minted coins.

Grade: 6

Reasons: Sound fundamentals. Infinite inflation exploit risks.