I'll just copy my reddit comment here:
I've made this list earlier:
List of possible pitfalls wrt ZeroCash/ZeroCoin:
[1] If ZeroCash/ZeroCoin is launched on behalf of a company, which seems the case here, the company can be given a gag order (e.g. to add a line of malicious code).
[2] If I recall correctly, the creator of the genesis block holds some kind of masterkey. As a result, you have to trust this person. Even if this key was held by a group, you still have to trust that particular group. In addition, you have to trust the program they run to create the Genesis block (the masterkey could be in there).
[3] It's too opaque in my opinion. If a bug existed that would create additional coins, there is no way you would see it.
[4] The math and cryptography backing it isn't peer reviewed yet and in an infancy stage.
[1] seems to be confirmed. They will be launching as a
for profit company, see:
For its first four years online, a portion of every mined Zcash coin will go directly to Wilcox’s Zcash company
This could also invoke some legal issues, since they are basically not a decentralid currency and bear in mind they are **US** based (
http://www.bizapedia.com/de/THE-ZEROCOIN-ELECTRIC-COIN-COMPANY-LLC.html). Just remember what happened with Ripple.
Basically, with Ring Confidential Transactions included in Monero it's basically pepsi vs coke (thanks to u/smooth_xmr for this analogy), where both have their advantages and disadvantages.
P.S. They are currently only on
testnet, the "real-version" is at least
6 months away.
P.P.S. It seems like they transactions are also quit inefficient compared to Monero's. See this description on how to get from the basecoins (the transparent ones) to the zerocoins (anonymous ones):
This operation (called a pour) might take a minute or two depending on your hardware. It is producing a zero-knowledge proof. (This operation's performance will be improved in the coming months.)
Shen Noether (aka NobleSir), who is obviously more knowledgeable about this subject than me, also made a comparison on reddit:
I've done a little bit of comparison in the Ring CT paper / you can also look here for some facts on zcash- there are a few I've seen so far
[1] Setup: Monero (Trustless) vs Zerocash (Must Trust zcash company)
[2] Proof Generation: Monero (100's second ) vs Zcash (1/minute)
[3] Algorithm auditability: Monero (a decent number of people seem to understand ring signatures and confidential transactions) vs Zerocash (I'm not sure how many people actually understand the proofs besides the small group of authors) - although this point is certainly subjective.
[4] Poison-pill attack vulnerability: Monero (attacker would need 51%) vs Zerocash Vulnerable, (see zerocash extended paper section 6.4
[5] Anonymity set: Monero (although the zcash proponents note that a ring signature is a "smaller" anonymity set, they usually don't mention that the stealth address factor actually means that each transaction is masked, whereas the ring signatures provide additional plausible liability, furthermore, since keys appear in different ring signatures in different blocks in time, the anonymity set for when a given key is spent grows infinitely, and could eventually grow larger than the zcash anonymity set at any fixed instant in time) vs Zcash (anonymity set is the entire blockchain )
[6]Anonymous Multisig: Monero (yes! see "written up" link on ring ct sticky, this could make things like lightning potentially possible ) vs Zerocash (?)
[7] Mining: Monero (has it's own strongly decentralized mining process) vs Zerocash protocol from the paper lacks it's own mining (it's essentially just a distributed anonymous database), so there must be another coin which is mined to convert to zerocash tokens
--note that point 4. is an actual potential compromise of anonymity, which contradicts some of the statements the zerocash team has made.
.
Other Differences are slight: Slight differences in transaction size - however Monero transactions should end up being a bit larger when transmitted, but cost less in terms of storage (their eventual block-chain cost will be approximately 32 bytes* (n+1) where n is mixin + epsilon, where epsilon is the current tx size - ring signatures (Note in the recent Ring CT drafts, there is pruning mentioned for the range proofs, see the "written up" link)
https://www.reddit.com/r/Monero/comments/41vg68/monero_vs_zcash_eli5_fundamental_differences/cz63pqw
