Zcash Patches Critical Orchard Bug That Could Have Enabled Unlimited Counterfeit ZEC

Zcash has patched a critical vulnerability in its Orchard shielded pool after security researcher Taylor Hornby identified the flaw on May 29, according to an announcement by Zcash founder Zooko Wilcox.

Following the discovery, the Zcash Open Development Lab initiated an emergency response and implemented a fix on June 2. A subsequent review by Shielded Labs confirmed that the vulnerability was legitimate and could have been exploited to create counterfeit ZEC tokens.

Shielded Labs said internal testing showed that an attacker could mint an unlimited number of fraudulent ZEC without triggering immediate detection mechanisms. However, the organization added that there is no indication the flaw was exploited before the patch was deployed.

Because Orchard is designed to preserve user privacy, it is not possible to definitively determine whether the vulnerability was abused before the fix. Nevertheless, Shielded Labs said it considers such a scenario unlikely based on its assessment.

To further strengthen confidence in the network, the organization is evaluating a potential protocol upgrade that would allow verification of Zcash’s total supply and help confirm that no counterfeit ZEC exists within the Orchard pool.

At the time of writing, ZEC was trading at $443.05, down 29% over the past 24 hours.

Source: Zooko Wilcox