Zcash fixes critical vulnerability that threatened the security of over 25,000 ZEC tokens, worth approximately $6.5 million


Mars Finance news: The privacy coin Zcash has recently disclosed and patched a critical security vulnerability that could be exploited by malicious miners. More than 25,000 ZEC (about $6.5 million) have been transferred out of the now-deprecated Sprout privacy pool.

Security researcher Alex “Scalar” Sol disclosed the issue on March 23. The vulnerability existed because zcashd nodes skipped proof verification when processing transactions involving the Sprout pool.

The official statement said the vulnerability had been present since July 2020 but had not been exploited in practice, and users’ funds remained safe. The development team released version v6.12.0 with the fix, and major mining pools completed the upgrade and deployment within days.

In addition, Zebra full nodes are unaffected and are able to trigger chain reorgs, providing extra protection if the vulnerability is exploited.

According to the disclosure, although the Sprout pool was closed to new deposits in November 2020, about 25,424 ZEC still have not been migrated out of it. Even if the vulnerability were exploited, Zcash’s “turnstile” mechanism would prevent inflationary issuance and ensure the total supply limit is not exceeded.
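A simplified model of the turnstile check described above, added here as an illustration and not taken from zcashd or Zebra. It assumes the rule is "reject any block that would make the Sprout pool balance negative" and uses the JoinSplit field names `vpub_old` and `vpub_new`; the block heights and withdrawal amounts are constructed.

```python
# Added illustration, not zcashd or Zebra code. Amounts are in zatoshi. Proof checks
# are left out on purpose: every JoinSplit is treated as if its proof was accepted.
from dataclasses import dataclass
from typing import Tuple

ZATOSHI_PER_ZEC = 100_000_000

@dataclass(frozen=True)
class JoinSplit:
    vpub_old: int  # transparent value moving into the Sprout pool
    vpub_new: int  # transparent value moving out of the Sprout pool

@dataclass(frozen=True)
class Block:
    height: int
    joinsplits: Tuple[JoinSplit, ...]

class TurnstileViolation(Exception):
    """A block would drive the pool balance below zero."""

def zec(amount: int) -> int:
    return amount * ZATOSHI_PER_ZEC

def apply_block(pool_balance: int, block: Block) -> int:
    """Return the new pool balance, or raise if it would go negative."""
    new_balance = pool_balance + sum(js.vpub_old - js.vpub_new for js in block.joinsplits)
    if new_balance < 0:
        raise TurnstileViolation(f"block {block.height}: pool would be {new_balance}")
    return new_balance

def replay(pool_balance: int, blocks):
    """Apply candidate blocks in order; a rejected block leaves the balance unchanged."""
    rejected = []
    for block in blocks:
        try:
            pool_balance = apply_block(pool_balance, block)
        except TurnstileViolation:
            rejected.append(block.height)
    return pool_balance, rejected

# Constructed sample; only the 25,424 ZEC starting balance comes from the article.
SAMPLE_BLOCKS = [
    Block(1, (JoinSplit(0, zec(1_000)),)),   # ordinary withdrawal
    Block(2, (JoinSplit(0, zec(30_000)),)),  # asks for more than the pool holds
    Block(3, (JoinSplit(0, zec(24_424)),)),  # drains the pool to exactly zero
    Block(4, (JoinSplit(0, 1),)),            # one zatoshi too many
]

if __name__ == "__main__":
    print(replay(zec(25_424), SAMPLE_BLOCKS))
```

Because the check is on the balance rather than on the proof, the most that can leave the pool is what was deposited into it, which is why the exposure is bounded by the unmigrated Sprout funds rather than by the overall ZEC supply.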

The flaw was discovered with AI assistance, and the researcher will receive a total bounty of 200 ZEC (about $51,000).

Notably, this is not the first time Zcash has faced a major vulnerability. As early as 2019, it had already patched a severe flaw that could lead to unlimited minting.
