Zcash Flaw Patched, Millions in ZEC Saved

A significant vulnerability in Zcash’s node software, discovered by security researcher Alex “Scalar” Sol, could have allowed attackers to siphon over 25,000 ZEC (valued at approximately $6.5 million) from the network’s legacy Sprout shielded pool. The flaw, which affected Zcashd nodes, allowed proof verification to be bypassed for transactions within the deprecated Sprout pool. The vulnerability was not exploited, and all user funds remain secure. Zcash developers responded swiftly, releasing version 6.12.0 with the fix, and major mining pools deployed the patch within three days of its disclosure.

  • A critical vulnerability in Zcash node software allowed bypassing proof verification for the Sprout shielded pool.
  • The bug could have led to the draining of approximately $6.5 million in ZEC.
  • The vulnerability was not exploited, and user funds remain safe.
  • Zcash developers released a patch, v6.12.0, which was rapidly adopted by major mining pools.
  • The “turnstile” mechanism in Zcash would have prevented broader supply inflation even if the pool had been compromised.

The vulnerability, which had persisted across multiple Zcashd releases from July 2020 to the present, was disclosed on March 23rd. The fix was authored by Jack “str4d” Grigg, an engineer at the Zcash Open Development Lab (ZODL), following coordination with Shielded Labs. The Zebra full node implementation, an alternative to Zcashd, was unaffected and would have initiated a chain fork in the event of an attempted exploit, providing an additional layer of network security. Alex Sol will be awarded a 200 ZEC bounty for responsibly disclosing the flaw, with contributions from Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap.

The Sprout pool, which was closed to new deposits in November 2020, still holds around 25,424 ZEC that have not been migrated to newer shielded pool versions. ZODL emphasized that Zcash’s “turnstile” mechanism acts as a critical safeguard. This mechanism ensures that any coins leaving the Sprout pool must have been verifiably deposited into it, thereby preventing the creation of new tokens beyond the network’s established total supply of approximately 16.63 million ZEC. This incident highlights the ongoing importance of robust security auditing and rapid response in maintaining the integrity of blockchain networks, particularly those focused on privacy.
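The turnstile rule described above, as an added Python model (not code from Zcashd or Zebra): a running pool balance is updated block by block, and any block that would push it below zero is rejected. `PoolTransfer`, `apply_block` and `replay` are hypothetical names, the per-block granularity is an assumption of this model, and the sample chain is constructed. The model checks balances only, not proofs, which is why it caps losses at the pool's holdings rather than protecting the funds already inside it.

```python
from dataclasses import dataclass

ZATOSHI = 100_000_000  # base units per ZEC


class TurnstileViolation(Exception):
    """A block would withdraw more from the pool than was ever deposited."""


@dataclass(frozen=True)
class PoolTransfer:
    # Hypothetical, simplified stand-in for a transaction's public pool values.
    into_pool: int = 0    # value entering the shielded pool
    out_of_pool: int = 0  # value leaving the shielded pool


def apply_block(pool_balance, transfers):
    """Return the pool balance after one block, or reject the whole block."""
    for t in transfers:
        if t.into_pool < 0 or t.out_of_pool < 0:
            raise ValueError("amounts must be non-negative")
    new_balance = pool_balance + sum(t.into_pool - t.out_of_pool for t in transfers)
    if new_balance < 0:
        raise TurnstileViolation(f"pool would be overdrawn by {-new_balance}")
    return new_balance


def replay(blocks, start=0):
    """Apply blocks in order; return (balance, index of first rejected block)."""
    balance = start
    for height, transfers in enumerate(blocks):
        try:
            balance = apply_block(balance, transfers)
        except TurnstileViolation:
            return balance, height
    return balance, None


# Constructed sample chain (not real Zcash data).
SAMPLE_BLOCKS = [
    [PoolTransfer(into_pool=10 * ZATOSHI)],
    [PoolTransfer(into_pool=5 * ZATOSHI), PoolTransfer(out_of_pool=4 * ZATOSHI)],
    [PoolTransfer(out_of_pool=11 * ZATOSHI)],  # drains the pool exactly: allowed
    [PoolTransfer(out_of_pool=1 * ZATOSHI)],   # nothing left to back this: rejected
]

if __name__ == "__main__":
    print(replay(SAMPLE_BLOCKS))
```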

This is not the first time Zcash has addressed critical security concerns. In 2019, the network patched a significant bug described as an “infinite counterfeit” crypto generator, which was resolved before posing a widespread threat to the privacy-focused cryptocurrency.

Long-Term Technological Impact: AI in Security and Proactive Auditing

The discovery of this Zcash vulnerability, notably aided by AI, signals a pivotal shift in how blockchain security will be approached. The integration of Artificial Intelligence into the security auditing process represents a significant advancement. AI can analyze vast amounts of code and network activity far more efficiently than human auditors alone, identifying complex patterns and potential exploits that might otherwise go unnoticed. This proactive approach, exemplified by Sol’s use of AI, can lead to more resilient and secure blockchain infrastructure. As AI capabilities mature, we can expect to see them become integral to Layer 2 security protocols, smart contract verification, and even in developing sophisticated threat detection systems for Web3 ecosystems. The ability of AI to assist in discovering vulnerabilities before they can be exploited is a critical step towards building more trustworthy decentralized applications and networks.

The incident also underscores the importance of maintaining and securing legacy code, even in deprecated components like the Sprout pool. The rapid patching by major mining pools demonstrates the effectiveness of a well-coordinated ecosystem response. This collaborative spirit, combined with advancements in AI-driven security, is crucial for the continued innovation and adoption of blockchain technology, particularly in privacy-centric solutions and the broader Web3 development landscape.

Details can be found on the website: decrypt.co
