{"id":24808,"date":"2026-04-01T08:44:08","date_gmt":"2026-04-01T08:44:08","guid":{"rendered":"https:\/\/bitunikey.com\/news\/zcash-patches-critical-bug-affecting-the-sprout-shielded-pool\/"},"modified":"2026-04-01T08:44:15","modified_gmt":"2026-04-01T08:44:15","slug":"zcash-patches-critical-bug-affecting-the-sprout-shielded-pool","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/zcash-patches-critical-bug-affecting-the-sprout-shielded-pool\/","title":{"rendered":"Zcash patches critical bug affecting the Sprout shielded pool"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p>Zcash has patched a major vulnerability that would have allowed bad actors to drain funds from the protocol\u2019s deprecated Sprout shielded pool.<\/p>\n<div id=\"cn-block-summary-block_363b4d62e92bd90f5bbd7278a8a59651\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Zcash patched a critical flaw in zcashd nodes that skipped proof verification in the legacy Sprout pool, a bug that could have exposed more than 25,000 ZEC to potential draining.<\/li>\n<li>The vulnerability remained present from July 2020 until the release of v6.12.0, with no exploitation detected and all user funds confirmed safe.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>A disclosure <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/zodl.com\/zcashd-sprout-verification-vulnerability\" target=\"_blank\" rel=\"nofollow\">report<\/a> from security researcher Alex \u201cScalar\u201d Sol, published on Tuesday, claims that a critical flaw was discovered in zcashd nodes that resulted in skipping proof verification for transactions involving the legacy Sprout pool.<\/p>\n<h1 class=\"wp-block-heading\">No user funds lost<\/h1>\n<p>Zcash\u2019s Sprout pool is the original \u201cshielded pool\u201d that launched with the network in 2016. It was the first implementation of zero-knowledge proofs (zk-SNARKs) in a production cryptocurrency, allowing users to send and receive ZEC privately.<\/p>\n<p>Although the pool was closed to new deposits in November 2020, it still holds approximately 25,424 ZEC, which are yet to be migrated to newer shielded pool versions.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>According to the disclosure, the vulnerability spanned releases from July 2020 onward but was fixed through v6.12.0, which was released on Tuesday. So far, the flaw has not been exploited, and user funds remain safe.<\/p>\n<p>Major mining pools, including Luxor, F2Pool, ViaBTC, and AntPool, have already deployed the fix by March 26, the report added.<\/p>\n<p>The report added that the Zebra full node implementation was not affected. In the event of an attempted exploit, it would have resulted in a chain fork, acting as an additional safeguard.<\/p>\n<p>Despite the severity of the issue, the Zcash Open Development Team has clarified that the network\u2019s \u201cturnstile\u201d mechanism, which enforces that any coins exiting the Sprout pool must have previously entered it, would have prevented broader supply inflation.<\/p>\n<p>For the Zcash network, this marks the second time a critical, systemic vulnerability has been uncovered within its shielded pools. In 2019, the Zcash team disclosed a \u201ccounterfeiting\u201d bug, a flaw in the underlying cryptography that could have allowed an attacker to create an infinite amount of ZEC without detection.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Zcash has patched a major vulnerability that would have allowed bad actors to drain funds from the protocol\u2019s deprecated Sprout shielded pool. Summary Zcash patched a critical flaw in zcashd&hellip;<\/p>\n","protected":false},"author":1,"featured_media":8432,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/24808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=24808"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/24808\/revisions"}],"predecessor-version":[{"id":24809,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/24808\/revisions\/24809"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/8432"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=24808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=24808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=24808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}