A security researcher has disclosed a critical flaw in Zcash nodes that could have enabled malicious miners to drain more than 25,000 ZEC from the network’s legacy Sprout shielded pool, a sum valued at approximately $6.5 million at the time of writing. Researcher Alex “Scalar” Sol reported the vulnerability on March 23, according to a disclosure report published Tuesday. No funds were lost, and all user balances remain intact.
The flaw involved zcashd nodes failing to verify proofs for transactions tied to the deprecated Sprout pool. It affected software releases spanning from July 2020 through the present. Zcash developers responded by releasing version v6.12.0 on Tuesday, which contains the necessary fix.
Major mining operations moved swiftly to apply the patch after it became available. Luxor mining pool confirmed deployment on March 25, while F2Pool, ViaBTC, and AntPool all completed their updates by March 26, according to the disclosure report. The rapid response helped limit the window of potential exposure across the network.
The Zebra full node implementation was not affected by the vulnerability. According to the report, any exploitation attempt involving Zebra would have triggered a chain fork, providing an additional layer of protection for the broader network. This architectural difference meant the flaw was confined to zcashd-based nodes.
Sol discovered the vulnerability with the assistance of artificial intelligence tools and reported it to Shielded Labs, which then coordinated with the Zcash Open Development Lab (ZODL). ZODL engineer Jack “str4d” Grigg authored the patch that resolved the issue. For his responsible disclosure, Sol is set to receive a total bounty of 200 ZEC, valued above $51,000, with Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap each contributing 50 ZEC.
The Sprout pool was closed to new deposits in November 2020 but remains active, currently holding approximately 25,424 ZEC that users have not yet migrated to newer shielded pool versions. Although the vulnerability theoretically permitted draining those funds, ZODL noted that Zcash’s “turnstile” mechanism would have prevented any broader inflation of the token supply. The turnstile requires that coins exiting the Sprout pool must be verifiably traced to prior deposits, guarding against the creation of tokens beyond the network’s total circulation of roughly 16.63 million ZEC.
This is not the first significant security issue the network has encountered. In 2019, Zcash patched a separate bug characterized as an “infinite counterfeit” crypto generator, which was also resolved before causing material harm to the network. The latest incident underscores the ongoing security challenges facing privacy-focused blockchain protocols. Following the disclosure, ZEC rose more than 14% over a 24-hour period to a recent price above $255, making it the top gainer among the top 100 coins by market capitalization, according to CoinGecko data.
Originally reported by Decrypt.
