A security researcher discovered a critical vulnerability in Zcash nodes that could have permitted malicious miners to drain over 25,000 ZEC, valued at approximately $6.5 million, from its deprecated Sprout shielded pool.
This vulnerability, disclosed by Alex “Scalar” Sol on March 23, involved zcashd nodes skipping proof verification for transactions linked to the legacy pool. Although the bug was not exploited and user funds remain secure, the risk it posed triggered a rapid response from Zcash developers and major mining pools.
Zcash developers released version 6.12.0 on March 28 to address the issue. Major mining pools acted quickly to implement the patch, with Luxor confirming deployment on March 25 and F2Pool, ViaBTC, and AntPool completing fixes by March 26.
The vulnerability affected all releases from July 2020 to the present, but the Zebra full node implementation was unaffected and could have initiated a chain fork to enhance network security if exploitation had taken place.
Sol identified the flaw using AI tools and reported it to Shielded Labs, which collaborated with the Zcash Open Development Lab (ZODL) for the patch’s development. For his discovery, Sol will receive a bounty of 200 ZEC, equivalent to over $51,000, funded by Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap.
Despite the vulnerability, Zcash’s “turnstile” mechanism would have mitigated broader supply inflation risks. This mechanism requires that any funds leaving the Sprout pool must have been verified as entering it, thus safeguarding against the creation of new tokens beyond the total circulation of approximately 16.63 million ZEC.
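A simplified model of the turnstile accounting described above, added here as an illustration and not taken from zcashd or Zebra. It tracks only the pool's net balance and rejects any block that would drive it negative, so value leaving the pool is capped at what entered it whether or not proofs were checked. The class and function names, the per-block granularity of the check and the sample blocks are assumptions made for the example; the starting balance is the article's approximate Sprout figure.

```python
from dataclasses import dataclass

ZAT = 100_000_000                    # zatoshi per ZEC
SPROUT_BALANCE_ZEC = 25_424          # approximate pool balance quoted in the article


class TurnstileViolation(Exception):
    """Raised when a block would take the pool's tracked balance below zero."""


@dataclass
class PoolTurnstile:
    balance: int                     # zatoshi verified as having entered the pool
    withdrawn: int = 0               # total zatoshi that has left since tracking began

    def connect_block(self, deltas):
        """Apply one block of per-transaction net pool changes (+ in, - out).
        Accepted or rejected as a whole; proof validity is NOT modelled here."""
        new_balance = self.balance + sum(deltas)
        if new_balance < 0:
            raise TurnstileViolation(f"pool would go to {new_balance} zatoshi")
        self.withdrawn += -sum(d for d in deltas if d < 0)
        self.balance = new_balance


def replay(blocks, start_zec=SPROUT_BALANCE_ZEC):
    """Replay constructed blocks; return (accepted_indexes, rejected_indexes, turnstile)."""
    ts = PoolTurnstile(balance=start_zec * ZAT)
    accepted, rejected = [], []
    for i, deltas in enumerate(blocks):
        try:
            ts.connect_block(deltas)
            accepted.append(i)
        except TurnstileViolation:
            rejected.append(i)
    return accepted, rejected, ts


# Constructed sample chain (amounts in zatoshi), not real chain data.
SAMPLE_BLOCKS = [
    [-1_000 * ZAT],                  # ordinary migration out of the pool
    [-20_000 * ZAT, -4_000 * ZAT],   # large withdrawals, still covered by the pool
    [-500 * ZAT],                    # exceeds the 424 ZEC left: block rejected
    [-424 * ZAT],                    # drains exactly what remains: accepted
    [-1],                            # pool is empty, even 1 zatoshi is refused
]

if __name__ == "__main__":
    print(replay(SAMPLE_BLOCKS)[:2])
```

The invariant bounds the total that can leave the pool; it does not decide whose funds leave, which is why proof verification is still required.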
The Sprout pool closed to new deposits in November 2020 but still holds around 25,424 ZEC that users have yet to migrate to newer shielded pool versions. Historical vulnerabilities include a significant bug in 2019, characterized as an “infinite counterfeit” generator, which was resolved before it could harm the network’s security.
Zcash experienced a notable price increase recently, becoming the top gainer among the top 100 cryptocurrencies by market cap, rising over 14% to surpass $255. The cryptocurrency rose from approximately $50 to nearly $700 last fall but has since declined alongside broader market trends.



