On Wednesday, Zcash (ZEC) activated a hard fork at block height 3,364,600 to resolve a critical bug affecting its Orchard shielded transaction pool. This vulnerability was linked to a soundness issue in the zero-knowledge proof circuit, which validates private transactions and could have allowed for unauthorized creation of ZEC, posing risks of inflation or invalid state transitions.
The Zcash Foundation announced that there is currently “no evidence of unauthorized value creation,” although confirming this is challenging due to the nature of the privacy design. The issue was first identified on May 29th by independent researcher Taylor Hornby during a protocol audit for Shielded Labs. In response, developers coordinated privately with miners and exchanges to implement an emergency soft fork that temporarily halted all actions on the affected pool.
This incident marks the second occurrence of a serious bug in Zcash, following a similar issue in 2018 that theoretically allowed unlimited counterfeiting. The latest response has sparked discussions about the centralized governance surrounding Zcash and the unique risks associated with its privacy features. Researcher Peter Todd emphasized the potential dangers of inflation exploits in Zcash, highlighting that about 30% of the ZEC supply is held in the shielded pool, which could significantly impact holders if any inflation were to go undetected.