A critical vulnerability in Zcash's legacy Sprout shielded pool was discovered, coordinated, and patched in under a week โ€” with user funds remaining safe throughout.

What Happened

Security researcher Alex "Scalar" Sol โ€” working with the help of AI tools โ€” identified a flaw in zcashd nodes that caused them to skip proof verification for transactions involving the deprecated Sprout pool. The bug affected zcashd releases going back to July 2020.

If exploited by a malicious miner, the vulnerability could have allowed up to 25,424 ZEC to be drained from the pool โ€” roughly $6.5 million at current prices. No exploitation occurred.

Fast Coordinated Response

Sol reported the flaw to Shielded Labs on March 23. The Zcash Open Development Lab (ZODL) coordinated with mining pools, who moved quickly: Luxor deployed the fix on March 25, and F2Pool, ViaBTC, and AntPool all followed by March 26. Zcash developers released the patched zcashd v6.12.0 on April 1.

The Zebra full node implementation was unaffected and would have triggered a chain fork as a secondary safeguard had exploitation been attempted.

Limited Blast Radius

Zcash's "turnstile" mechanism provides a backstop: coins leaving Sprout must have verifiably entered it, preventing new supply inflation. The Sprout pool has been closed to new deposits since November 2020, making this a legacy surface area with a defined ceiling.

Sol will receive a 200 ZEC bounty (roughly $51,000) split across Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap.

Takeaway

A white-hat researcher with AI assistance quietly prevented what could have been a multi-million dollar theft from a major privacy coin. The fast multi-party patch coordination โ€” from report to full mining pool deployment in three days โ€” is a notable example of responsible disclosure working as intended.