- Zcash has fixed a critical vulnerability in its node software that could have exposed millions of dollars worth of ZEC.
- The flaw affected proof verification for transactions tied to the deprecated Sprout shielded pool, though no exploit was reported.
Zcash has patched a serious software flaw that, under the wrong circumstances, could have allowed attackers to drain a meaningful amount of ZEC from an older part of the network.
The issue sat inside zcashd, the node software, and centered on transactions involving the legacy Sprout shielded pool.
According to the disclosure, nodes were skipping proof verification in those cases. That is the kind of bug that gets attention quickly in privacy-focused systems, because proof checks are not a side detail. They are part of the core machinery that keeps invalid transfers from being accepted in the first place.
A bug in an old pool, but still a real risk
The vulnerability was disclosed by Alex “Scalar” Sol on March 23, with the public report released on Tuesday. The affected area was not the main current privacy path most users think about today, but the older Sprout pool, which has already been deprecated. Even so, deprecated does not mean harmless. If funds still sit there, the attack surface remains relevant.
What made the flaw especially sensitive was the possibility that invalid transactions could slip past a critical validation step. In practical terms, that could have opened the door to draining funds from the pool without the network catching the problem where it should have.
Zcash says funds remain safe
So far, the important part is this. The bug was fixed before any known exploitation, and the disclosure says all user funds remain safe.
That should calm immediate panic, though it does not erase the broader lesson. Legacy components in crypto systems have a habit of staying economically relevant long after the ecosystem has mentally moved on from them. Old pools, retired logic, deprecated code paths, these things still matter when real assets remain attached.
For Zcash, the episode is less about visible damage and more about the value of catching a serious validation failure before it turns into one. In blockchain security, sometimes the most important story is the exploit that never got the chance.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
