Original authors: Jason McGee, CEO of Shielded Labs, and Zooko Wilcox, founder of Zcash
Compiled by Odaily Planet Daily, Qin Xiaofeng (@QinXiaofeng888)

Editor’s Note: On June 5 Beijing Time, the privacy project Zcash was revealed to have had a critical forgery vulnerability in its new-generation privacy pool, Orchard, causing the ZEC token to plummet by nearly half, reaching a low of around $250. After about ten days of market fallout, panic has subsided, ZEC’s price has recovered, and today it has regained the $500 level.
This morning, Zcash founder Zooko Wilcox published another lengthy post addressing market concerns. He stated that the Orchard vulnerability was most likely never exploited, and that legitimate Orchard funds can be recovered; that users currently cannot independently verify whether Zcash's supply has been inflated, but the Ironwood upgrade will freeze the Orchard pool and restore this verification capability; and that no other forgery vulnerabilities have been found during ongoing reviews, although full certainty requires additional work.
The following is the original text by Zooko Wilcox, translated by Odaily Planet Daily, enjoy~
————————————
The recent Orchard vulnerability has raised important questions about Zcash's supply and the security of user funds. The discussion has mixed several distinct issues, making it difficult to understand the actual impact of the vulnerability on users. This article aims to separate these issues and explain each one’s significance to users.
The Orchard vulnerability raises four important questions:
- Has the Orchard vulnerability ever been exploited?
- Can legitimate Orchard funds be recovered?
- Can users verify that the supply of Zcash has not been inflated?
- How do we know there are no other forgery vulnerabilities?
Has the Orchard vulnerability ever been exploited?
Unknown. We cannot rule it out entirely, but we believe the vulnerability was most likely not exploited, for three reasons:
Despite continuous review by leading cryptographers and security researchers worldwide for many years, this vulnerability had not been discovered. Its eventual discovery was not accidental: Taylor Hornby of Shielded Labs found it while proactively hunting for exactly this class of flaw before a malicious actor could exploit it, using AI-assisted security research techniques and purpose-built custom tooling designed to surface subtle flaws others had missed. Reproducing that feat would be significantly harder for anyone unfamiliar with the Zcash codebase.
Upon discovery of the vulnerability, Zcash developers (led by the Zcash Open Development Labs team) swiftly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a patch, thereby limiting the window of opportunity for any attack.
Cryptocurrency exploits are common, and attackers typically seek to cash out as quickly as possible, especially once the vulnerability is made public. To profit from this vulnerability, an attacker would need to exchange forged ZEC for assets of real value, which usually means ZEC leaving the Orchard pool via the turnstile mechanism. If the vulnerability had been exploited before it was patched, we would expect evidence of that to have emerged by now. Historically, cryptocurrency exploits have been "grab-and-run" operations rather than strategies kept hidden for months or years like a game of 4D chess.
Can legitimate Orchard funds be recovered?
We believe so, because we believe the vulnerability was never exploited. If that assessment is correct, all legitimate Orchard funds can still be fully recovered.

On the other hand, if forgery did occur in Orchard, the existing turnstile mechanism caps the total amount that can leave the pool at the amount of ZEC that legitimately entered it. So if forged funds exit the pool before legitimate funds do, users may be unable to recover some or all of their legitimate Orchard funds.

We believe this scenario is unlikely to occur. However, for more cautious users, we still recommend moving their ZEC out of Orchard. Before doing so, they should be aware of the following:
- Transferring funds to a transparent pool (i.e., to a t-address) will expose both the transfer amount and the transfer time, and these funds will be publicly linked to that t-address.
- Transferring funds from the Orchard pool to the Sapling pool reveals the transfer amount and timestamp, but unlike a transfer to a t-address, it does not link the funds to a specific address or transaction history.
- The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on this trusted setup introduces an additional risk that users should be aware of.
- To our knowledge, YWallet and Zkool are currently the only self-hosted Zcash wallets that are widely used and support the Sapling pool.
- Transferring funds to a new wallet or custodial service introduces additional risks, including user error, software defects, custodian risk, or other unforeseen issues.
Overall, we consider the above risks moderate. If your funds are currently held shielded in a self-custody wallet, then, given our assessment that forgery is unlikely to have occurred, leaving them there is a reasonable choice. Moving them elsewhere may also be reasonable if you have a secure means of doing so. Users may reach different conclusions based on their individual circumstances.
Can users verify that the supply of Zcash has not been inflated?
Not yet. Because this vulnerability existed, users currently cannot independently verify that the amount of ZEC circulating in the Orchard pool does not exceed the amount that legitimately entered it.

However, as we noted in our previous article, the Ironwood upgrade will restore this capability. The diagram below explains why.

The proposed network upgrade addresses this by providing assurance that no further unknown forgeries are possible and by freezing the Orchard pool. New funds can no longer enter, and funds already in the pool can no longer circulate within it. The only remaining pathway is the existing exit mechanism, the turnstile, which ensures that the amount of ZEC leaving the Orchard pool never exceeds the amount that legitimately entered.
This change restores the ability to verify the soundness of Zcash's supply.
Currently, if counterfeit funds exist in the Orchard pool, they can continue circulating within the pool. After the upgrade, this will no longer be possible. Anyone running a node can verify that the amount of ZEC in circulation does not exceed the correct amount, regardless of whether counterfeiting ever occurred.
Users do not need to wait for funds to migrate out of Orchard or speculate on the actions of attackers or other users. The protocol itself provides verifiable guarantees: excess ZEC cannot continue circulating within Orchard and inflating the supply.
This is important because Zcash’s long-term credibility depends on users’ ability to independently verify the integrity of its supply. Ironwood restores users’ ability to independently verify that the protocol’s supply limits are enforced.
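The two mechanisms described above, the turnstile bound on exits and the freeze that stops new value from entering or circulating, can be modelled in a few lines. The following Rust is an added example written for this page; it is not Zcash's own consensus code. It approximates the rule of ZIP 209 (a shielded pool's chain value balance may never go negative) by tracking a single number, the net value that has entered Orchard, using the sign convention of Zcash's valueBalance fields. The freeze rules (no deposits, no new Orchard notes) are an assumption about the upgrade's shape drawn from the description above, not the actual Ironwood specification, and the scenario amounts are constructed. The first scenario is the failure mode from the recovery section: forged notes exit before legitimate ones, and the last legitimate holder is refused at the turnstile. The second shows why, once the pool is frozen, a node can bound everything that will ever leave Orchard by a number it can see, whether or not counterfeit notes exist inside.

```rust
// Added example, not Zcash's own code. Amounts in zatoshi (1 ZEC = 10^8).
pub const ZEC: i64 = 100_000_000;

/// The only things a validating node sees about a transaction's use of Orchard.
#[derive(Clone, Copy, Debug)]
pub struct OrchardTx {
    /// Net value moved from the Orchard pool into the transaction's transparent
    /// value pool. As with Zcash's valueBalance fields: positive = value leaves
    /// Orchard, negative = value enters Orchard. Note values stay hidden.
    pub value_balance: i64,
    /// Whether the transaction creates new Orchard notes (a deposit, an
    /// Orchard-to-Orchard transfer, or change from a withdrawal).
    pub creates_notes: bool,
}

#[derive(Debug, PartialEq)]
pub enum Reject {
    /// Turnstile: the chain-tracked pool balance would drop below zero.
    TurnstileExceeded { balance: i64, requested: i64 },
    /// Freeze (modelled assumption): no value may enter the pool.
    FrozenNoDeposits,
    /// Freeze (modelled assumption): no new Orchard notes may be created.
    FrozenNoNewNotes,
}

#[derive(Debug)]
pub struct Chain {
    /// Sum of -value_balance over accepted transactions. Counterfeit notes
    /// created inside the pool never touch this number.
    pub orchard_pool_balance: i64,
    pub frozen: bool,
}

impl Chain {
    pub fn new(frozen: bool) -> Self {
        Chain { orchard_pool_balance: 0, frozen }
    }

    /// Consensus checks for one transaction; on success returns the new balance.
    pub fn apply(&mut self, tx: OrchardTx) -> Result<i64, Reject> {
        if self.frozen {
            if tx.value_balance < 0 {
                return Err(Reject::FrozenNoDeposits);
            }
            if tx.creates_notes {
                return Err(Reject::FrozenNoNewNotes);
            }
        }
        // Turnstile: total exits can never exceed total legitimate entries,
        // no matter what happened inside the pool.
        let next = self.orchard_pool_balance - tx.value_balance;
        if next < 0 {
            return Err(Reject::TurnstileExceeded {
                balance: self.orchard_pool_balance,
                requested: tx.value_balance,
            });
        }
        self.orchard_pool_balance = next;
        Ok(next)
    }
}

/// Scenario: 100 ZEC legitimately deposited, 100 ZEC forged inside the pool
/// (invisible to the chain), and the forger withdraws first.
/// Returns (value the attacker got out, result of a legitimate 40 ZEC exit).
pub fn forged_funds_exit_first() -> (i64, Result<i64, Reject>) {
    let mut chain = Chain::new(false);
    chain.apply(OrchardTx { value_balance: -60 * ZEC, creates_notes: true }).unwrap();
    chain.apply(OrchardTx { value_balance: -40 * ZEC, creates_notes: true }).unwrap();
    // The forgery itself produces no transaction the chain can account for.
    let mut attacker_out = 0;
    for amount in [50 * ZEC, 50 * ZEC] {
        if chain.apply(OrchardTx { value_balance: amount, creates_notes: false }).is_ok() {
            attacker_out += amount;
        }
    }
    let victim = chain.apply(OrchardTx { value_balance: 40 * ZEC, creates_notes: false });
    (attacker_out, victim)
}

/// After the freeze: a deposit, an internal transfer and an exit against a
/// pool that legitimately holds 10 ZEC. Returns the three results in that order.
pub fn frozen_pool_behaviour() -> (Result<i64, Reject>, Result<i64, Reject>, Result<i64, Reject>) {
    let mut chain = Chain::new(false);
    chain.apply(OrchardTx { value_balance: -10 * ZEC, creates_notes: true }).unwrap();
    chain.frozen = true;
    let deposit = chain.apply(OrchardTx { value_balance: -ZEC, creates_notes: true });
    let internal = chain.apply(OrchardTx { value_balance: 0, creates_notes: true });
    let exit = chain.apply(OrchardTx { value_balance: 4 * ZEC, creates_notes: false });
    (deposit, internal, exit)
}

fn main() {
    let (out, victim) = forged_funds_exit_first();
    println!("attacker withdrew {} ZEC; legitimate exit: {:?}", out / ZEC, victim);
    println!("frozen pool: {:?}", frozen_pool_behaviour());
}
```

The model deliberately omits fees (a fully shielded Orchard transaction pays its fee from the pool, which shows up as a small positive valueBalance) and the Sapling pool, which has its own balance and turnstile. The point it preserves is the one the text makes: the chain never learns how much value the forged notes represent, so the turnstile can only cap what leaves, not tell legitimate funds from counterfeit ones; once nothing can enter or move inside, the visible balance becomes a hard ceiling on everything that can ever come out.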
How do we know there are no other forgery vulnerabilities?
We cannot yet confirm with absolute certainty, but we have reason to believe no other vulnerabilities exist. Shielded Labs and several other teams have been carefully reviewing the Zcash protocol for additional forgery vulnerabilities. This included, shortly before Mythos was paused, using an unreleased Mythos AI model with assistance from Anthropic to search for additional vulnerabilities. We plan to share more details about this review and its findings in a follow-up blog post.
No other forgery vulnerabilities have been discovered so far. The high level of expertise, extensive effort, and advanced AI-assisted analysis involved in this search give us greater confidence that no similar vulnerabilities remain undiscovered.
In addition, we are collaborating with projects such as Tachyon Project to provide further assurance that no other forgery vulnerabilities exist in Zcash. We will elaborate in future blog posts.
Conclusion
The Orchard vulnerability presents four critical issues: whether the vulnerability was ever exploited, whether legitimate Orchard funds can be recovered, whether users can verify that Zcash's supply has not been inflated, and whether other undiscovered forgery vulnerabilities still exist.
We believe it is unlikely that the vulnerability was exploited before it was patched, so legitimate Orchard funds can be recovered and the current Zcash supply is sound. Based on ongoing review by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered forgery vulnerabilities exist. However, users currently cannot verify the soundness of the Zcash supply themselves, and they should not have to rely on our assessment, or anyone else's.
The proposed network upgrade addresses this issue. By locking the Orchard pool, it restores users' ability to independently verify the security of Zcash's supply. Users no longer need to determine whether counterfeiting has occurred to verify that the protocol's supply limits are being upheld.
