Zcash fixes critical vulnerability: Previously threatened the security of over 25,000 ZEC, worth approximately $6.5 million

Odaily Planet Daily reports that Zcash, a privacy coin, recently disclosed and patched a critical security vulnerability that could have been exploited by malicious miners. The flaw would have allowed more than 25,000 ZEC (about $6.5 million) to be transferred out of the decommissioned Sprout privacy pool. Security researcher Alex “Scalar” Sol disclosed on March 23 that the vulnerability stemmed from zcashd nodes skipping proof verification when processing transactions involving the Sprout pool. The official statement said the vulnerability had been present since July 2020 but had never been exploited in practice, and that users’ funds have remained safe.

The development team has released version v6.12.0, which contains the fix, and major mining pools completed the upgrade within days. In addition, Zebra full-node implementations, which are unaffected, are able to trigger a chain fork, providing extra protection if the vulnerability were exploited. According to the disclosure, although the Sprout pool was closed to new deposits in November 2020, about 25,424 ZEC still had not been migrated out of it. Even if the vulnerability had been exploited, Zcash’s “turnstile” mechanism could prevent inflationary minting, ensuring the total supply would not be exceeded.

This vulnerability was discovered with AI assistance, and the researcher will receive a total bounty of 200 ZEC (about $51,000). Notably, this is not the first time Zcash has faced a major vulnerability. As early as 2019, it patched a severe flaw that could lead to infinite minting. (Decrypt)
