Zcash Fixes Critical Sprout Pool Vulnerability; $6.5 Million ZEC Safe.
Key Takeaways
- A critical vulnerability in Zcash nodes bypassing proof verification for the deprecated Sprout shielded pool was discovered but not exploited.
- The flaw could have allowed draining over 25,000 ZEC (approximately $6.5 million at the time of writing) from the deprecated pool.
- Zcash developers released patch v6.12.0 on Tuesday, March 31, with major mining pools deploying fixes by March 26.
- The Zebra full node was unaffected, and the "turnstile" mechanism would have prevented broader supply inflation.
- Security researcher Alex "Scalar" Sol, who used AI assistance, received a 200 ZEC bounty for the disclosure.
A critical vulnerability in Zcash nodes that bypassed proof verification for the deprecated Sprout Shielded Pool was recently discovered and patched. The flaw, disclosed by security researcher Alex "Scalar" Sol on March 23, could have allowed malicious actors to drain more than 25,000 ZEC, valued at approximately $6.5 million, from the network. Crucially, the bug was not exploited, and all user funds within the network remain secure.
The vulnerability affected zcashd nodes by skipping proof verification for transactions involving the legacy Sprout pool. This issue spanned releases from July 2020 through the present. The Sprout pool was closed to new deposits in November 2020, yet it remains an active component holding approximately 25,424 ZEC that users have not yet migrated to newer shielded pool versions.
Get the Z-Brief
ZEC price analysis and the best Zcash content. 1-2x per month.
Join a growing community of Zcash investors
Rapid Response and Patch Deployment
Zcash developers promptly addressed the issue, releasing v6.12.0 on Tuesday, March 31, to contain the fix. Major mining pools rapidly integrated the patch; Luxor confirmed deployment on March 25, with F2Pool, ViaBTC, and AntPool following suit by March 26.
Mitigation and Safeguards
The Zebra full node implementation was not impacted by this vulnerability and would have triggered a chain fork had an exploitation attempt occurred, offering an additional layer of network defense. Furthermore, the Zcash Open Development Team (ZODL) affirmed that the network's "turnstile" mechanism would have prevented any broader supply inflation. This mechanism mandates that all coins exiting the Sprout pool must have verifiably entered it, safeguarding against the creation of new tokens beyond the current total circulation of approximately 16.63 million ZEC.
Discovery and Bounty
Alex Sol reported the vulnerability to Shielded Labs on March 23, having discovered it with AI assistance. Shielded Labs collaborated with the Zcash Open Development Lab (ZODL), where engineer Jack "str4d" Grigg developed the necessary patch. For his disclosure, Sol is set to receive a total bounty of 200 ZEC, valued at over $51,000, with contributions from Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap.
Historical Context
This incident marks another significant security event for the network, recalling a 2019 bug described as an "infinite counterfeit" crypto generator. That previous flaw was also patched before it could pose a major threat to the privacy coin network.
