I think it's incredibly disturbing that the zcoin devs are embargoing these discoveries when MTP has not been deployed yet.
There is no risk of an exploit since the exploitable code has not yet been deployed. And it sounds like mrb's second discovery is more than the horridly-maintained codebase containing magic numbers like "4034". But we have no way to know.
Shame on you, zcoin, for bribing researchers into silence.
+1
That way the research can be cited in academic papers. Bribing researchers and then instituting a gag order doesn't reflect well on this project or its contributors. There is no logical reason for exploits on public testnet code to be suppressed.
What I find equally disturbing - the authors of MTP failed to cite Fabien Coelho's earlier work:
"An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees"
http://www.hashcash.org/papers/merkle-proof.pdf2007
My team and I have been researching MTP and Fabien happens to be one of my colleagues. He's working on a paper covering MTP and unlike the "research" happening here, it will be made public.