Zcash fixes a critical security vulnerability that once threatened the safety of over 25,000 ZEC

Gate News, April 1: Privacy coin Zcash has disclosed and fixed a critical security vulnerability. Security researcher Alex “Scalar” Sol disclosed on March 23 that the flaw stemmed from zcashd nodes skipping proof verification when processing transactions involving the Sprout privacy pool. Malicious miners could have exploited it to transfer more than 25,000 ZEC (about $6.5 million) out of the deprecated Sprout pool.

Official statements said the vulnerability had been present since July 2020, but it was never actually exploited, and users’ funds were always safe. The development team released v6.12.0 to complete the fix, and major mining pools completed the upgrade rollout within days. In addition, the unaffected Zebra full-node implementation is able to trigger a chain fork, which would have provided extra protection had the vulnerability been exploited.

According to the disclosure, although the Sprout pool was closed to new deposits in November 2020, about 25,424 ZEC had still not been migrated out of it. Even if the vulnerability had been exploited, Zcash’s turnstile mechanism could prevent inflationary issuance, ensuring that the total supply limit could not be exceeded. The flaw was discovered with AI assistance, and the researcher will receive a total bounty of 200 ZEC (about $51,000). Notably, Zcash previously fixed a serious defect in 2019 that could have led to unlimited inflation.
