Zcash Vulnerability That Put Millions of Dollars of ZEC at Risk Has Been Fixed
A critical vulnerability was found in Zcash nodes, potentially allowing malicious miners to drain over 25,000 ZEC (about $6.5 million) from the deprecated Sprout shielded pool. The flaw, affecting zcashd releases since July 2020, involved nodes skipping proof verification for Sprout transactions. The bug was not exploited, and user funds remain safe. Zcash developers fixed the issue with v6.12.0, and major mining pools rapidly applied the patch in late March. The Zebra node implementation was not affected and would have triggered a fork if exploitation occurred. Security researcher Alex "Scalar" Sol, aided by AI, discovered and reported the vulnerability on March 23. As a reward, Sol will receive a 200 ZEC bounty (over $51,000) from multiple organizations. The Sprout pool, closed to new deposits in 2020 but still holding funds, would have remained partially protected by Zcash’s turnstile mechanism, which prevents unauthorized inflation by ensuring only legitimately deposited coins leave the pool. Previously, Zcash patched another severe vulnerability in 2019. The coin rose over 14% after news of the fix.
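The turnstile mentioned above is an accounting rule: a node tracks the total value held in a shielded pool and rejects any block that would take that total below zero. The Rust example below is added here as an illustration and is not code from zcashd or Zebra; the type names and withdrawal amounts are constructed, and the 25,000 ZEC starting balance is a round figure based on the article.

```rust
// Added illustration: names and amounts are constructed, not taken from zcashd or Zebra.
const ZATOSHI_PER_ZEC: i64 = 100_000_000;

/// Net effect of one block on the pool, in zatoshis.
/// Positive = value entering the pool, negative = value leaving it.
#[derive(Clone, Copy)]
pub struct BlockDelta(pub i64);

#[derive(Debug, PartialEq)]
pub enum TurnstileError {
    NegativePoolBalance { would_be: i64 },
    Overflow,
}

/// Running total of value held in one shielded pool.
pub struct PoolTurnstile {
    balance: i64,
}

impl PoolTurnstile {
    pub fn new(balance_zec: i64) -> Self {
        PoolTurnstile { balance: balance_zec * ZATOSHI_PER_ZEC }
    }

    pub fn balance_zec(&self) -> i64 {
        self.balance / ZATOSHI_PER_ZEC
    }

    /// Apply a block; reject it if the pool balance would drop below zero.
    /// The check only sees amounts: it cannot tell whether the spend proofs
    /// behind a withdrawal were valid.
    pub fn apply(&mut self, delta: BlockDelta) -> Result<i64, TurnstileError> {
        let next = self.balance.checked_add(delta.0).ok_or(TurnstileError::Overflow)?;
        if next < 0 {
            return Err(TurnstileError::NegativePoolBalance { would_be: next });
        }
        self.balance = next;
        Ok(next)
    }
}

fn main() {
    let mut pool = PoolTurnstile::new(25_000); // round figure based on the article
    // Constructed withdrawal within the pool balance: passes the turnstile.
    println!("{:?}", pool.apply(BlockDelta(-10_000 * ZATOSHI_PER_ZEC)));
    // Constructed withdrawal beyond what remains: block rejected, state unchanged.
    println!("{:?}", pool.apply(BlockDelta(-20_000 * ZATOSHI_PER_ZEC)));
    println!("remaining: {} ZEC", pool.balance_zec());
}
```

The first withdrawal is accepted because the rule compares amounts only, which is why the protection is partial: it caps what can leave the pool at the pool's recorded balance, so no new coins can be created, but it does not validate the spends themselves.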
