Developers quickly released a patch, preventing potential losses.

Zcash bug could have put 25,000 ZEC at risk

01.04.2026 - 15:00


Key points:

  • A critical vulnerability in Zcash could have put over 25,000 ZEC (~$6.5 million) at risk.
  • The flaw allowed transaction verification to be bypassed, but it was not exploited.

A security researcher has discovered a critical vulnerability in the Zcash network that could have resulted in the loss of more than 25,000 ZEC, worth $6.5 million. The issue affected the legacy Sprout Shielded pool and allowed transaction verification to be bypassed.

The vulnerability was identified by security expert Alex “Scalar” Sol, who reported it on March 23. According to his findings, zcashd nodes failed to properly verify proofs for transactions involving the Sprout pool. However, the flaw was not exploited, and user funds remain safe.

The issue affected versions released since July 2020. Developers quickly rolled out version 6.12.0 to fix the bug. Major mining pools, including Luxor, F2Pool, ViaBTC, and AntPool, promptly applied the patch.

Why the Vulnerability Didn’t Lead to Losses

Despite the severity of the bug, the network had additional safeguards. The Zebra node implementation was not affected and could have triggered a chain fork in case of exploitation, helping contain the issue.

Zcash also uses a “turnstile” mechanism that prevents the creation of new coins beyond the fixed supply limit. This means that even if the vulnerability had been exploited, attackers would not have been able to inflate the total supply.

The Sprout pool has been closed to new deposits since 2020, but it still holds more than 25,000 ZEC that users have yet to migrate to newer shielded pools.
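The turnstile described above can be modelled as a per-pool balance that no block may drive below zero, which is why forged Sprout withdrawals could never exceed what the pool actually holds. This is an added illustration, not code from the article, zcashd or Zebra: the class and function names are hypothetical, the blocks are constructed, and the 25,000 ZEC starting balance is the article's rounded figure.

```python
from dataclasses import dataclass, field

ZATOSHI_PER_ZEC = 100_000_000  # smallest ZEC unit


class TurnstileViolation(Exception):
    """A block tried to take more out of a pool than ever went in."""


@dataclass
class ChainState:
    # Running total of value held in each pool, in zatoshi.
    pool_balances: dict = field(default_factory=dict)

    def apply_block(self, height, pool_deltas):
        """Apply a block's net per-pool value changes, or reject the block.

        pool_deltas maps pool name -> net zatoshi entering that pool
        (negative when withdrawals exceed deposits).
        """
        updated = dict(self.pool_balances)
        for pool, delta in pool_deltas.items():
            new_balance = updated.get(pool, 0) + delta
            if new_balance < 0:
                raise TurnstileViolation(
                    f"block {height}: {pool} balance would be {new_balance}")
            updated[pool] = new_balance
        self.pool_balances = updated  # commit only if every pool passed


def run_constructed_scenario():
    """Constructed blocks against a Sprout pool holding 25,000 ZEC."""
    zec = ZATOSHI_PER_ZEC
    chain = ChainState({"sprout": 25_000 * zec, "sapling": 0})
    blocks = [
        (1, {"sapling": 10_000 * zec, "sprout": -10_000 * zec}),  # within balance
        (2, {"sapling": 20_000 * zec, "sprout": -20_000 * zec}),  # exceeds 15,000 left
    ]
    outcomes = []
    for height, deltas in blocks:
        try:
            chain.apply_block(height, deltas)
            outcomes.append((height, "accepted"))
        except TurnstileViolation:
            outcomes.append((height, "rejected"))
    balances = chain.pool_balances
    return outcomes, balances["sprout"] // zec, balances["sapling"] // zec
```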

For discovering the vulnerability, the researcher will receive a reward of 200 ZEC (over $51,000), funded by several organizations including the Zcash Foundation and Bootstrap.

This is not the first such incident. Back in 2019, the network patched a critical flaw that could have enabled unlimited coin creation, though it was fixed before any damage was done.

Following the news, Zcash saw a market uptick. The token gained more than 14% over the past 24 hours, rising above $255, although it has experienced significant volatility in recent months.
