Simply put
- Security researchers have discovered a critical vulnerability in Zcash nodes that bypasses proof validation for deprecated Sprout shielded pools.
- Major mining pools deployed the patch within three days, and Zcash developers released v6.12.0 on Tuesday.
- Zcash’s “turnstile” mechanism would have prevented broader supply inflation even if the pool had been compromised.
Security researchers have discovered a critical vulnerability in Zcash nodes. This vulnerability could allow a malicious miner to drain over 25,000 ZEC in funds from the network’s deprecated Sprout shielded pool, worth about $6.5 million at the time of writing.
Alex “Scalar” Sol disclosed the flaw on March 23rd, according to a disclosure report released on Tuesday, which revealed that zcashd nodes were skipping proof validation for transactions involving the legacy Sprout pool. The disclosure says the bug has not been exploited and all users’ funds remain safe.
The vulnerability spans releases from July 2020 to the present, and Zcash developers released v6.12.0 with a fix on Tuesday. According to the same report, major mining pools acted quickly to patch their systems, with Luxor mining pool confirming implementation on March 25th, and F2Pool, ViaBTC, and AntPool all implementing fixes by March 26th.
The report states that Zebra’s full-node implementation is not affected by this vulnerability, and that an attempted exploit could have caused a chain fork, providing an additional layer of network protection.
Sol discovered the vulnerability using AI assistance and reported it to Shielded Labs on March 23rd. The organization coordinated with the Zcash Open Development Lab (ZODL), where engineer Jack “str4d” Grigg created the patch.
For his disclosure, Sol receives 200 ZEC in total, worth more than $51,000, with Shielded Labs, ZODL, Zcash Foundation, and Bootstrap each contributing 50 ZEC.
The Sprout pool closed to new deposits in November 2020 and was deprecated, but it is still an active component holding approximately 25,424 ZEC that users have not yet migrated to newer shielded pool versions.
Although the vulnerability could have depleted these funds, the Zcash Open Development Lab (ZODL) says Zcash’s “turnstile” mechanism would have prevented widespread supply inflation. The turnstile requires that coins exiting the Sprout pool have verifiably entered it, providing a safeguard against the creation of new tokens beyond the network’s total circulation of approximately 16.63 million ZEC.
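A simplified model of the turnstile check described above, added here as an illustration and not taken from zcashd or the disclosure report: a per-block pool balance that may never go negative, so withdrawals accepted by a node that skips proof checks are still capped by what the pool holds. The class and field names are hypothetical, amounts are in whole ZEC for readability, and the withdrawal sizes are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PoolTransfer:          # hypothetical name, not a zcashd type
    deposit: int             # value entering the Sprout pool
    withdraw: int            # value leaving the Sprout pool
    proof_valid: bool = True

class TurnstileViolation(Exception):
    """Block would push the pool balance below zero."""

class SproutPoolModel:       # hypothetical, simplified accounting model
    def __init__(self, balance: int, verify_proofs: bool = True):
        self.balance = balance
        self.verify_proofs = verify_proofs

    def connect_block(self, transfers: list[PoolTransfer]) -> int:
        """Apply a block's transfers atomically and return the new balance."""
        new_balance = self.balance
        for t in transfers:
            if t.deposit < 0 or t.withdraw < 0:
                raise ValueError("amounts must be non-negative")
            if self.verify_proofs and not t.proof_valid:
                raise ValueError("invalid proof")
            new_balance += t.deposit - t.withdraw
        if new_balance < 0:  # the turnstile: more cannot leave than entered
            raise TurnstileViolation(f"pool balance would be {new_balance}")
        self.balance = new_balance
        return new_balance

def accepted_without_proof_checks(start: int, withdrawals: list[int]) -> tuple[int, int]:
    """Model a node that skips proof checks; return (total accepted, final balance)."""
    pool = SproutPoolModel(start, verify_proofs=False)
    accepted = 0
    for amount in withdrawals:
        try:
            pool.connect_block([PoolTransfer(0, amount, proof_valid=False)])
            accepted += amount
        except TurnstileViolation:
            pass             # block rejected, balance unchanged
    return accepted, pool.balance

if __name__ == "__main__":
    # Constructed sample: pool size from the article, withdrawal sizes invented.
    print(accepted_without_proof_checks(25_424, [20_000, 10_000, 5_000, 1_000]))
```

Even with proof checks disabled in the model, the accepted total never exceeds the starting pool balance, which is why the loss is bounded by the pool and the overall supply is unaffected.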
This is not the first major vulnerability the network has faced. Back in 2019, the network patched a cryptographic bug described as an “infinite forgery” generator, but it was patched before it became a big problem for the privacy coin network.
Zcash is the biggest gainer among the top 100 coins by market capitalization over the past 24 hours, according to CoinGecko data, with the price recently exceeding $255, an increase of over 14%. The privacy coin’s price soared last fall from about $50 to a multi-year peak of nearly $700, but has fallen in line with Bitcoin and other cryptocurrencies in recent months.

