diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 31f9673d..0798f10f 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -7503,26 +7503,38 @@ It is computed as described in \cite[Appendix B]{BCTV2014a}, using the pairing p
 specified in \crossref{bnpairing}.
 \pnote{
-Many details of the \provingSystem are beyond the scope of this protocol
-document. For example, the \quadraticConstraintProgram verifying the \joinSplitStatement,
-or its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a}
-\cite{WCBTV2015}, are not specified in this document.
+Many details of the \provingSystem are beyond the scope of this protocol document.
+For example, the \quadraticConstraintProgram verifying the \joinSplitStatement, or
+its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a},
+are not specified in this document. In 2015, Bryan Parno found a bug in this
+translation, which is corrected by the \libsnark implementation\footnote{Confusingly,
+the bug found by Bryan Parno was fixed in \libsnark in 2015, but that fix was
+incompletely described in the May 2015 update \cite[Theorem 2.4]{BCTV2014a-old}.
+It is described completely in \cite[Theorem 2.4]{BCTV2014a} and in
+\cite{Gabizon2019}.} \cite{WCBTV2015} \cite{Parno2015} \cite[Remark 2.5]{BCTV2014a}.
 In practice it will be necessary to use the specific proving and verification keys
-given in \crossref{sproutparameters} that were generated for the \Zcash production \blockchain,
-together with a \provingSystem implementation that is interoperable with the \Zcash fork of
-\libsnark, to ensure compatibility.
+that were generated for the \Zcash production \blockchain, given in
+\crossref{bctvparameters}, together with a \provingSystem implementation that is
+interoperable with the \Zcash fork of \libsnark, to ensure compatibility.
 }
 \vuln{
-$\BCTV$ is subject to a security vulnerability that could allow violation of Knowledge Soundness
-(and Soundness) \cite{CVE-2019-7167} \cite{SWB2019}. The consequence for \Zcash is that
-balance violation could have occurred before activation of the \Sapling network upgrade,
-although there is no evidence of this having happened. The vulnerability is believed
-to have been fully mitigated by activation of \Sapling. The use of $\BCTV$ in \Zcash is
-now limited to verifying proofs that were made prior to the \Sapling network upgrade.
+$\BCTV$ is subject to a security vulnerability, separate from \cite{Parno2015},
+that could allow violation of Knowledge Soundness (and Soundness) \cite{CVE-2019-7167}
+\cite{SWB2019} \cite{Gabizon2019}. The consequence for \Zcash is that balance violation
+could have occurred before activation of the \Sapling network upgrade, although there
+is no evidence of this having happened. Use of the vulnerability to produce false proofs
+is believed to have been fully mitigated by activation of \Sapling. The use of $\BCTV$
+in \Zcash is now limited to verifying proofs that were made prior to the \Sapling
+network upgrade.
 Due to this issue, new forks of \Zcash{} \MUSTNOT use $\BCTV$, and any other users of the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible.
+
+The vulnerability does not affect the Zero Knowledge property of the scheme (as
+described in any version of \cite{BCTV2014a} or as implemented in any version of
+\libsnark that has been used in \Zcash), even under subversion of the parameter
+generation \cite[Theorem 4.10]{BGG2016}.
 }
 \introlist
@@ -8124,7 +8136,9 @@ For the \Zcash production \blockchain and testnet, the $\SHAFull$ hashes of the
 These parameters were obtained by a multi-party computation described in \cite{BGG-mpc} and \cite{BGG2016}. \sapling{They are used only before \Sapling
-activation.}
+activation.} Due to the security vulnerability described in \crossref{bctv}, it is
+not recommended to use these parameters in new protocols, and it is recommended to
+stop using them in protocols other than \Zcash where they are currently used.
 \sapling{
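Review bot: The new \pnote text says Parno's translation bug `is corrected by the \libsnark implementation`, while the next paragraph tells implementers to use a \provingSystem `interoperable with the \Zcash fork of \libsnark` without saying whether that fork carries the 2015 fix, so a reader checking compatibility cannot tell from this section which \libsnark revision is meant. If the fork does include it, a short clause such as `which is corrected by the \libsnark implementation (including the \Zcash fork of \libsnark)` removes the ambiguity; the footnote already dates the fix and cites \cite[Theorem 2.4]{BCTV2014a-old} for the incomplete description, so nothing else needs repeating. In the \vuln block, `Use of the vulnerability to produce false proofs is believed to have been fully mitigated by activation of \Sapling` would be easier to audit if it named the mechanism it relies on, which appears to be the later sentence restricting $\BCTV$ to proofs made before the \Sapling upgrade; tying the two sentences together (e.g. `... mitigated by activation of \Sapling, since ...`) makes the mitigation claim checkable against the consensus rule rather than left as a belief.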
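Review bot: The new sentence on the parameters is phrased informally (`it is not recommended to use these parameters in new protocols, and it is recommended to stop using them`), whereas the \vuln text in \crossref{bctv} that it points to states the same advice with the normative keywords `\MUSTNOT` and `\SHOULD`, so the two passages can be read as carrying different strengths. Aligning this hunk with that wording, e.g. `new protocols \MUSTNOT use these parameters, and protocols other than \Zcash that currently use them \SHOULD stop doing so as soon as possible`, keeps a single normative statement per issue. The sentence is placed after the closing brace of the preceding `\sapling{...}` wrapper, which looks intentional since the advice does not depend on \Sapling, but it is worth confirming that this is the intended scope.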
@@ -9774,6 +9788,12 @@ of $\PRFaddr{}$ was found by Daira Hopwood.
 The errors in the proof of Ledger Indistinguishability mentioned in \crossref{truncation} were also found by Daira Hopwood.
+The 2015 Soundness vulnerability in $\BCTV$ \cite{Parno2015} was found by
+Bryan Parno. An additional condition needed to resist this attack was
+documented by Ariel Gabizon \cite[section 3]{Gabizon2019}.
+The 2019 Soundness vulnerability in $\BCTV$ \cite{Gabizon2019}
+was found by Ariel Gabizon.
+
 \sapling{
 The design of \Sapling is primarily due to Matthew Green, Ian Miers, Daira Hopwood, Sean Bowe, and Jack Grigg. A potential attack linking
@@ -9803,11 +9823,15 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \section{Change History}
 \subparagraph{2019.0-beta-35}
-2019-02-05
+2019-02-08
 \begin{itemize}
+ \item Cite \cite{Gabizon2019} and acknowledge Ariel Gabizon.
 \item Correct [SBB2019] to \cite{SWB2019}.
- \item The $\BCTV$ vulnerability affected Soundness as well as Knowledge Soundness.
+ \item The \cite{Gabizon2019} vulnerability affected Soundness of $\BCTV$ as well as Knowledge Soundness.
+ \item Clarify the history of the \cite{Parno2015} vulnerability and acknowledge Bryan Parno.
 \item Specify the difficulty adjustment change that occurred on the test network at \blockHeight $299188$.
 \sapling{
diff --git a/protocol/zcash.bib b/protocol/zcash.bib
index a27981e9..b1775a17 100644
--- a/protocol/zcash.bib
+++ b/protocol/zcash.bib
@@ -13,9 +13,39 @@ pages 459--474; IEEE, 2014.}
 author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
 title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture},
 url={https://eprint.iacr.org/2013/879},
- urldate={2016-08-21},
+ urldate={2019-02-08},
 howpublished={Cryptology ePrint Archive: Report 2013/879.
-Last revised May~19, 2015.}
+Last revised February~5, 2019.}
+}
+
+@misc{BCTV2014a-old,
+ presort={BCTV2014a-old},
+ author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
+ title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture
+({M}ay~19, 2015 version)},
+ url={https://eprint.iacr.org/2013/879/20150519:172604},
+ urldate={2019-02-08},
+ howpublished={Cryptology ePrint Archive: Report 2013/879. Version: 20150519:172604.}
+}
+
+@misc{Gabizon2019,
+ presort={Gabizon2019},
+ author={Ariel Gabizon},
+ title={On the security of the {BCTV} {P}inocchio zk-{SNARK} variant},
+ date={2019-02-05},
+ url={https://github.com/arielgabizon/bctv/blob/master/bctv.pdf},
+ urldate={2019-02-07},
+ howpublished={Draft.}
+}
+
+@misc{Parno2015,
+ presort={Parno2015},
+ author={Bryan Parno},
+ title={A {N}ote on the {U}nsoundness of vn{T}iny{RAM}'s {SNARK}},
+ url={https://eprint.iacr.org/2015/437},
+ urldate={2019-02-08},
+ howpublished={Cryptology ePrint Archive: Report 2015/437.
+Received May~6, 2015.}
 }
 
 @misc{PHGR2013,
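Review bot: The `url` of the new `Gabizon2019` entry points at `blob/master`, a mutable path, and `howpublished={Draft.}` records no version, so the document that the \vuln text cites alongside CVE-2019-7167 can change under the citation without any trace in the bibliography. The `BCTV2014a-old` entry added in the same hunk shows the better pattern by pinning the ePrint version string, and the same can be done here by replacing `master` with the commit that corresponds to the cited draft (`blob/<commit-hash>/bctv.pdf`, hash to be filled in) or by recording the draft's version next to `date`. The `Parno2015` entry is an ePrint report and needs no such change.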