
Zcash Patches Critical Vulnerability That Could Have Drained $6.5M From Shielded Pool


Security researchers have uncovered and resolved a critical vulnerability in Zcash nodes that could have enabled malicious miners to siphon over 25,000 ZEC — approximately $6.5 million — from the network's legacy Sprout shielded pool. The flaw was responsibly disclosed and patched before any exploitation occurred, leaving all user funds intact.

Researcher Alex "Scalar" Sol identified the bug on March 23 with the help of AI-assisted analysis. The vulnerability caused zcashd nodes to bypass proof verification on Sprout pool transactions — a serious oversight that persisted across releases dating back to July 2020. Sol reported the issue to Shielded Labs, which coordinated with the Zcash Open Development Lab (ZODL). Engineer Jack "str4d" Grigg developed the official patch, released as zcashd v6.12.0. Major mining pools — including Luxor, F2Pool, ViaBTC, and AntPool — deployed the fix rapidly between March 25 and 26.

Importantly, the alternate Zebra full node implementation was unaffected and would have triggered a chain fork if an exploit had been attempted, serving as a natural network safeguard. Additionally, Zcash's built-in "turnstile" mechanism would have blocked any attempt at supply inflation by requiring verifiable proof that coins exiting the Sprout pool had legitimately entered it.

The Sprout pool, which closed to new deposits in November 2020, still holds roughly 25,424 ZEC from users who have yet to migrate to newer shielded pool versions. For his responsible disclosure, Sol will receive a 200 ZEC bounty, valued above $51,000, with the cost split equally among Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap.

This is not the first vulnerability Zcash has faced; a separate "infinite counterfeit" bug was quietly patched in 2019. Despite the security scare, ZEC surged over 14% in the past 24 hours, trading above $255 and ranking as the top gainer among the top 100 cryptocurrencies by market cap.

<Copyright ⓒ TokenPost, unauthorized reproduction and redistribution prohibited>
