I wanted to inform the Firo community of an oversight that has resulted in Firo’s marketcap and supply being significantly underreported by Coingecko and CMC.
To clarify, there is no new vulnerability or change in actual supply, just that the API endpoints needed to be updated to new ones and our RPC commands updated.
As at block 1049420, 06:42 UTC, 21 February 2025, Coingecko and CMC were using an old API endpoint that was never updated at (https://explorer.zcoin.io/api/zerocoin/getrealsupply) which is returning an incorrect figure of 14,701,999. You can tell how old it is especially since it’s pointing to the old zcoin.io domain.
This figure is inaccurate because:
a) It calculates Zerocoin inflation incorrectly with the following formula:
Coinbase - Zerocoin mints + Zerocoin spends
The API was coded in a way that failed to take into account that Zerocoin spends was a negative number, so it subtracted the spend amount instead of adding it back in.
The bug in this API calculation is here and was introduced by this commit back in 2018.
b) It does not factor in the inflation of 152,740.3176572 coins from Bitcoin CVE-2018-17144 vulnerability in 2020.
The correct figure is actually 16,964,245 and this PR calculates the inflation amounts from both the disclosed Zerocoin attacks and the Bitcoin CVE-2018-17144 and incorporates it into the gettotalsupply command
Additionally, after a deeper investigation and calculation, the inflation amounts created from Bitcoin CVE-2018-17144 were over-estimated.
CVE-2018-17144:
320,841.99803185
(which were previously erroneously reported as 384,400.82268276).
Minus amounts that were recovered and burnt:
168,101.68037465
Bitcoin CVE inflation: 152,740.3176572
This means that the reported supply figure on Coingecko and CMC is underreported by ~2,262,246 coins
These figures do not include any figures from the Lelantus vulnerability (which can only be determined conclusively once the Lelantus pools are closed) but we estimate this to be in the region of 59,000 coins only. Lelantus pools will be closed approximately in January 2026.
It also does not factor in that the Sigma pool will be closed soon. We expect 16,072 coins to be permanently removed from supply when Sigma is closed in the next hard fork which we will roll out together with Spark Names.
We have also fixed gettotalsupply RPC command (not used by Coingecko or CMC) which was previously only counting coinbase transactions (without any attack figures).
The TL:DR is
a) Inflation in previously disclosed Bitcoin CVE-2018-17144 is less than expected.
b) CMC and Coingecko are using an outdated and wrong API to determine supply which is resulting in an underreporting of supply of around 2.2m coins and therefore showing a lower market cap than the actual reality.
c) gettotalsupply has been fixed to accurately reflect total circulating supply and CMC/Coingecko figures will be updated soon. The fix will be available in the next release.
A formal blog post would follow soon.
