In August 2016, Zcash engaged NCC Group to perform a targeted review of the Zcash cryptocurrency implementation. The review was performed in two parts, conducted simultaneously. The first part, performed by the Group’s Cryptography Services practice, focused on validating that Zcash’s implementation adhered to the Zcash Protocol Specification. An assessment looking for security errors within the cryptographic implementation was also performed. The second part was a C++ source code review for vulnerabilities that can occur in unmanaged languages, focusing on the Zcash and libsnark libraries. The review also included a cursory review of dependent libraries and recommendations for improving software assurance practices at Zcash.
This assessment was atypical for NCC Group because it emphasized remediation over analyzing exploitability, including issues reported by tools. This means that less time was spent determining how specific security flaws might be exploited and more time identifying as many possible security issues and associated remediation as time allowed.