Zcash Executes Emergency Network Upgrade to Patch Critical Privacy Pool Vulnerability
In Brief
- A critical bug in Zcash’s Orchard privacy pool was discovered that could have enabled double-spending, though no exploitation occurred.
- The network underwent a two-stage emergency response: first an emergency soft fork to halt Orchard transactions, followed by a full network upgrade to restore functionality.
- Despite the disclosure, ZEC has rallied over 50% in 30 days, with no apparent impact from the fix announcement.
The Zcash Foundation quietly patched a critical flaw in the cryptocurrency’s core transaction system on Wednesday, executing an emergency network upgrade following a security researcher’s discovery of a bug that could have enabled bad actors to spend funds they didn’t possess.
The vulnerability, uncovered on May 29 by independent security researcher Taylor Hornby, existed in the Orchard Action circuit—the cryptographic foundation of Zcash’s most advanced privacy pool. Orchard, introduced in 2022 as part of Zcash’s shielded assets protocol, represents a significant portion of circulating ZEC tokens and requires no trusted setup.
Hornby disclosed the flaw to Zcash Open Development Lab (ZODL) engineers the same evening. Within hours, protocol developers confirmed the issue and initiated a confidential response to prevent exploitation before deploying a fix.
The coordinated repair unfolded over five days. Developers first implemented an emergency soft fork—a temporary rule change—that completely shut down Orchard transactions while the patch was being finalized. Private coordination with miners and exchanges began the evening of May 31. An initial activation attempt encountered deployment issues, but a second attempt succeeded early Monday morning, halting all Orchard activity at block 3,363,426.
The permanent fix arrived Wednesday when NU6.2—a full network upgrade—restored Orchard functionality using a corrected circuit. This hard fork was necessary because repairing a zero-knowledge proof system required updating a cryptographic verifying key, a change that cannot be accomplished through standard software patches.
Officials confirmed that the total ZEC supply remained secure. Zcash’s built-in “turnstile” mechanism, which tracks value across all transaction pools, verified that no unauthorized coins were created. There is zero evidence the bug was ever exploited.
“Given the time available and the number of parties involved—developers at ZODL and the Zcash Foundation, miners, exchanges, and others—this was the most ambitious network upgrade in Zcash’s history,” ZODL founder Josh Swihart wrote on X.
The Zcash Foundation recommends all node operators upgrade immediately to Zebra 5.0.0, which activates the corrected network rules.
Following the upgrade, some block explorers initially showed delays in block production, sparking concerns about network downtime. However, experts clarified that the network operated normally throughout—the explorers merely required their own node upgrades. “Block explorers are just readers,” CipherScan explained on X. “They pull data from a node, parse it, and display it. If the node is upgrading or resyncing, the explorer goes stale. The chain itself kept producing blocks the entire time—miners didn’t stop. Transactions kept confirming.”
The disclosure of the emergency upgrade has not impacted ZEC pricing, as the privacy-focused cryptocurrency continues its recent upward trajectory. ZEC is currently up over 10% in 24 hours at approximately $629, extending its 30-day gain above 53%. The token is now up 1,084% over the past year, reaching a recent high near $700—a level last seen in fall 2023.

