Board: Speculation
Topic: Re: PnF TA
by dEBRUYNE on 21/01/2016, 17:07:58 UTC
I got a great idea dump that Ethereum shit for Bitcoin and we all be happy.

Also Monero's competitor ZCash is 6 months out, does the emission rate of XMR kill it for good?

I made a comparison of Monero vs ZCash in another thread, I'll just quote it here. Klee, if you find this off-topic, feel free to delete it.


I'll just copy my reddit comment here:

I've made this list earlier:

List of possible pitfalls wrt ZeroCash/ZeroCoin:

[1] If ZeroCash/ZeroCoin is launched on behalf of a company, which seems the case here, the company can be given a gag order (e.g. to add a line of malicious code).

[2] If I recall correctly, the creator of the genesis block holds some kind of masterkey. As a result, you have to trust this person. Even if this key was held by a group, you still have to trust that particular group. In addition, you have to trust the program they run to create the Genesis block (the masterkey could be in there).

[3] It's too opaque in my opinion. If a bug existed that would create additional coins, there is no way you would see it.

[4] The math and cryptography backing it isn't peer reviewed yet and in an infancy stage.

[1] seems to be confirmed. They will be launching as a for profit company, see:

Quote
For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company

This could also invoke some legal issues, since they are basically not a decentralized currency and bear in mind they are **US** based (http://www.bizapedia.com/de/THE-ZEROCOIN-ELECTRIC-COIN-COMPANY-LLC.html). Just remember what happened with Ripple.

Basically, with Ring Confidential Transactions included in Monero it's basically pepsi vs coke (thanks to u/smooth_xmr for this analogy), where both have their advantages and disadvantages.

P.S. They are currently only on testnet, the "real-version" is at least 6 months away.

P.P.S. It seems like their transactions are also quite inefficient compared to Monero's. See this description on how to get from the basecoins (the transparent ones) to the zerocoins (anonymous ones):

Quote
This operation (called a pour) might take a minute or two depending on your hardware. It is producing a zero-knowledge proof. (This operation's performance will be improved in the coming months.)

Shen Noether (aka NobleSir), who is obviously more knowledgeable about this subject than me, also made a comparison on reddit:

Quote
I've done a little bit of comparison in the Ring CT paper / you can also look here for some facts on zcash- there are a few I've seen so far

[1] Setup: Monero (Trustless) vs Zerocash (Must Trust zcash company)

[2] Proof Generation: Monero (100's second ) vs Zcash (1/minute)

[3] Algorithm auditability: Monero (a decent number of people seem to understand ring signatures and confidential transactions) vs Zerocash (I'm not sure how many people actually understand the proofs besides the small group of authors) - although this point is certainly subjective.

[4] Poison-pill attack vulnerability: Monero (attacker would need 51%) vs Zerocash Vulnerable, (see zerocash extended paper section 6.4)

[5] Anonymity set: Monero (although the zcash proponents note that a ring signature is a "smaller" anonymity set, they usually don't mention that the stealth address factor actually means that each transaction is masked, whereas the ring signatures provide additional plausible liability, furthermore, since keys appear in different ring signatures in different blocks in time, the anonymity set for when a given key is spent grows infinitely, and could eventually grow larger than the zcash anonymity set at any fixed instant in time) vs Zcash (anonymity set is the entire blockchain )

[6] Anonymous Multisig: Monero (yes! see "written up" link on ring ct sticky, this could make things like lightning potentially possible ) vs Zerocash (?)

[7] Mining: Monero (has its own strongly decentralized mining process) vs Zerocash protocol from the paper lacks its own mining (it's essentially just a distributed anonymous database), so there must be another coin which is mined to convert to zerocash tokens

--note that point 4. is an actual potential compromise of anonymity, which contradicts some of the statements the zerocash team has made.

Other Differences are slight: Slight differences in transaction size - however Monero transactions should end up being a bit larger when transmitted, but cost less in terms of storage (their eventual block-chain cost will be approximately 32 bytes* (n+1) where n is mixin + epsilon, where epsilon is the current tx size - ring signatures (Note in the recent Ring CT drafts, there is pruning mentioned for the range proofs, see the "written up" link))


https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zcash_eli5_fundamental_differences/cz63pqw

And:

TPTB_need_war has repeatedly been stating that Zerocash does not need IP obfuscation and therefore is not subject to I2P/TOR, which are, in his opinion, flawed.

However, it seems like Zerocash actually needs IP obfuscation as well and they seem to go with TOR, see -> https://twitter.com/ioerror/status/689958030859960321

I took out this excerpt from the discussion in this thread -> https://bitcointalk.org/index.php?topic=1139756.msg13623846#msg13623846 (starting point).

Look way back in 2014 when you launched Monero, I told you smooth and fluffypony that IP address correlation was the weakness. Fluffypony proceeded to try to integrate I2P. I warned you all many times that was not an adequate direction. But you wouldn't listen.

I2P, and even somewhat Tor, is perceived as adequate by 99% of the market. The remaining 1% may be smarter but isn't obviously much of a market at all. Very niche-y.

By the speculators because they are clueless.

But the corporations do not use darknets. They want privacy on the block chain, like we have disk encryption. Mention dark nets, illegal drug trade, etc, and they won't touch it with a 100 foot pole.

I would guess that many corporations do use Tor now for certain things. I2P will be integrated and invisible. No one will know or care how it works, except that the obvious network level vulnerabilities having to do with broadcasting transactions will be removed, and it will pass routine (though not intelligence agency level) technical muster for being private sufficient to satisfy most of the market. That's my opinion, and you are welcome to disagree.

Zerocash still needs IP obfuscation for a lot of private usages in practice too. They acknowledge it in the paper.

Zerocash does not need IP obfuscation when all the transactions are in the private zerocoins. Cite the section of the paper. I think you must be misunderstanding something. You are probably conflating the use of the regular non-anonymous coins mentioned in the paper.

Here you are making excuses again. Corporations are not going to trust unprovable shit. And moreover, mixnets are always vulnerable to flood attacks. They are very, very unreliable. Not only do I disagree, but I also think you are ignoring basic fundamental realities about the technologies.

Edit: arguing for Tor/I2P is akin to arguing for Dash's off chain mixing. Now look in the mirror and remember your arguments for End-to-End Principled ring sigs (versus off chain mixing) and realize the same logic applies to why Zerocash is superior to using off chain mixnets. Hypocrite.

Edit#2: okay I see the section you are referring to:

Quote
6.4 Additional anonymity considerations

Zerocash only anonymizes the transaction ledger. Network traffic used to announce transactions, retrieve blocks, and contact merchants still leaks identifying information (e.g., IP addresses). Thus users need some anonymity network to safely use Zerocash. The most obvious way to do this is via Tor [DMS04]. Given that Zerocash transactions are not low latency themselves, Mixnets (e.g., Mixminion [DDM03]) are also a viable way to add anonymity (and one that, unlike Tor, is not as vulnerable to traffic analysis). Using mixnets that provide email-like functionality has the added benefit of providing an out-of-band notification mechanism that can replace Receive.

Additionally, although in theory all users have a single view of the block chain, a powerful attacker could potentially fabricate an additional block solely for a targeted user. Spending any coins with respect to the updated Merkle tree in this "poison-pill" block will uniquely identify the targeted user. To mitigate such attacks, users should check with trusted peers their view of the block chain and, for sensitive transactions, only spend coins relative to blocks further back in the ledger (since creating the illusion for multiple blocks is far harder).

I will need to understand this attack better. Seems to me they are saying that you need to spend from a block where your pour transaction was the only transaction in the block. But the user would I think know this and thus not spend the coin any more. Thus I believe the anonymity remains provable without the use of any mixnet. I will need to understand this more deeply to be sure.

Bear in mind that I2P will be integrated in Monero, but you can always choose to run Monero over TOR if you want.
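
The mitigation quoted from section 6.4 above (cross-check the chain view with trusted peers, and spend only relative to a block buried some way back) can be sketched as a wallet-side check. This is an added example, not part of the original post and not code from the Zerocash paper or any Zcash or Monero implementation; the function names, the `min_depth` and `quorum` parameters, and the block hashes are all constructed for illustration.

```python
def select_anchor(local_chain, peer_views, min_depth=6, quorum=2):
    """Pick the newest block that is safe to spend relative to.

    local_chain: list of block hashes as served to our node, index = height.
    peer_views:  dict of trusted peer name -> that peer's list of block hashes.
    Returns (height, block_hash) for the newest block that is at least
    min_depth blocks below our tip AND reported with the same hash by at
    least `quorum` trusted peers, or None if there is no such block.
    """
    tip = len(local_chain) - 1
    for height in range(tip - min_depth, -1, -1):
        ours = local_chain[height]
        agree = sum(1 for view in peer_views.values()
                    if height < len(view) and view[height] == ours)
        if agree >= quorum:
            return height, ours
    return None


def divergent_heights(local_chain, peer_views, quorum=2):
    """Heights where fewer than `quorum` trusted peers confirm our block.

    A non-empty result means our view contains blocks the peers do not see,
    which is what a block fabricated for a single user would look like.
    """
    bad = []
    for height, ours in enumerate(local_chain):
        agree = sum(1 for view in peer_views.values()
                    if height < len(view) and view[height] == ours)
        if agree < quorum:
            bad.append(height)
    return bad


# Constructed sample data: short labels stand in for real block hashes.
HONEST = [f"h{i}" for i in range(11)]           # heights 0..10
LOCAL = HONEST[:9] + ["x9", "x10"]              # two blocks only we were served
PEERS = {"peer_a": HONEST, "peer_b": HONEST, "peer_c": HONEST[:10]}

if __name__ == "__main__":
    print("unconfirmed heights:", divergent_heights(LOCAL, PEERS))
    print("anchor to spend against:", select_anchor(LOCAL, PEERS, min_depth=2))
```
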