
On June 4, Zooko Wilcox, a founder of Zcash, shared a detailed update regarding the recent bug fix and security issues on the network.
Zcash Founder Says Bug Was Real and Exploitable
In the official announcement, the Zcash team stated that the bug on the network was “real and exploitable.”
Zcash, the leading privacy-based blockchain network, recently disclosed a major bug in its most important privacy feature. On May 29, the team publicly revealed the problem and started preparing ways to fix it before it came to the attention of hackers.
This was a major bug that could allow someone to create fake ZEC tokens without being noticed.
Shielded Labs hired Taylor Hornby, a security researcher, to carry out regular security checks by auditing Zcash privacy features. During the audit, he found a big hole in a part of Zcash called the Orchard shielded pool. This feature hides all details of a transaction using advanced mechanisms such as zero-knowledge proofs.
The bug was inside the Orchard circuit, which is used to check whether a transaction is valid. It could allow anyone to feed wrong information into a calculation while the network still accepted the result as valid. If an attacker had found and exploited this bug, they could have generated unlimited fake ZEC tokens inside the Orchard pool without any kind of detection.
This bug has been present in the system since the launch of Orchard in May 2022. Zcash has very strong privacy features, and this is why there was no easy way to find out whether anyone had exploited this bug before it was fixed.
“What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine, using only cryptography, whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty,” the official post on X stated.
Zcash Team Took Quick Action to Fix Bug Before Any Cyberattack
After the issue came to light, Taylor reported it to the Zcash Open Development Lab (ZODL). ZODL then introduced a plan to fix the bug in the shielded pool.
On June 2, the network implemented a soft fork to pause Orchard transactions in order to prevent any cyberattack. After that, on June 3, the team announced a hard fork, NU6.2, to fix the circuit and turn Orchard on in a secure manner.
The team said it is very unlikely that this bug was used to exploit the blockchain network in the past. The reason given is that the experts used advanced AI tools to detect this bug, and such bugs were difficult to track down manually.
However, ZODL has also shared a disclaimer regarding the issue. The post said, “Our assessment is that exploitation of this vulnerability was unlikely. However, we do not believe that users should rely on our assessment, or anyone else’s. Shielded Labs is exploring—with the help of other Zcash developers—a proposed Network Upgrade to allow anyone to verify the integrity of the Zcash supply and to prove the non-existence of counterfeit Zcash in the Orchard pool. The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool.”
This post comes after the network faced an outage-like situation when many blockchain explorers failed to update to the latest version. This sparked panic among its users; however, the Zcash co-founder later shared an update regarding the issue, saying that the network never actually went down.



