Zcash fixes critical vulnerability: Previously threatened the security of over 25,000 ZEC, worth approximately $6.5 million

Odaily Planet Daily reports that the privacy coin Zcash has recently disclosed and patched a critical security vulnerability that could be exploited by malicious miners to move more than 25,000 ZEC (about $6.5 million) from the deprecated Sprout privacy pool. Security researcher Alex “Scalar” Sol disclosed on March 23 that the vulnerability was caused by the zcashd node skipping proof verification when processing transactions involving the Sprout pool. The official statement said the vulnerability has existed since July 2020, but has not been used in practice, and users’ funds have remained safe.

The development team has released version v6.12.0 to complete the fix, and major mining pools have finished upgrading and deploying within days. In addition, unaffected Zebra full node implementations have the ability to trigger chain reorgs, which can provide extra protection if the vulnerability is exploited. As disclosed, although the Sprout pool was shut down for new deposits in November 2020, there are still about 25,424 ZEC that have not been migrated. Even if the vulnerability is exploited, Zcash’s “turnstile” mechanism can prevent inflationary issuance, ensuring the total supply cannot be exceeded.

This vulnerability was discovered with AI assistance, and the researcher will receive a total bounty of 200 ZEC (about $51,000). It is worth noting that this is not the first time Zcash has faced a major vulnerability; as early as 2019, it had already fixed a serious flaw that could lead to infinite minting. (Decrypt)