- Zcash has fixed a critical vulnerability in its node software that could have exposed millions of dollars worth of ZEC.
- The flaw affected proof verification for transactions tied to the deprecated Sprout shielded pool, though no exploit was reported.
Zcash has patched a serious software flaw that, under the wrong circumstances, could have allowed attackers to drain a meaningful amount of ZEC from an older part of the network.
The issue sat inside zcashd, the node software, and centered on transactions involving the legacy Sprout shielded pool.
According to the disclosure, nodes were skipping proof verification in those cases. That is the kind of bug that gets attention quickly in privacy-focused systems, because proof checks are not a side detail. They are part of the core machinery that keeps invalid transfers from being accepted in the first place.
A bug in an old pool, but still a real risk
The vulnerability was disclosed by Alex “Scalar” Sol on March 23, with the public report released on Tuesday. The affected area was not the main current privacy path most users think about today, but the older Sprout pool, which has already been deprecated. Even so, deprecated does not mean harmless. If funds still sit there, the attack surface remains relevant.
What made the flaw especially sensitive was the possibility that invalid transactions could slip past a critical validation step. In practical terms, that could have opened the door to draining funds from the pool without the network catching the problem where it should have.
Zcash says funds remain safe
So far, the important part is this. The bug was fixed before any known exploitation, and the disclosure says all user funds remain safe.
That should calm immediate panic, though it does not erase the broader lesson. Legacy components in crypto systems have a habit of staying economically relevant long after the ecosystem has mentally moved on from them. Old pools, retired logic, deprecated code paths, these things still matter when real assets remain attached.
For Zcash, the episode is less about visible damage and more about the value of catching a serious validation failure before it turns into one. In blockchain security, sometimes the most important story is the exploit that never got the chance.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
James Wynn Memecoin Presale Raises Just $8,000 Amid Scam Allegations
James Wynn launched a memecoin presale, $ASSDAQ, on Solana, raising just $8,000 in ten hours, attracting criticism over past scam allegations. Despite Wynn's claims of trading success, market reluctance signals skepticism about his new project.
GateNews13m ago
CoW Swap Halts Protocol After Website Compromise - Coinspeaker
CoW Swap, the Ethereum-based decentralized exchange aggregator, paused its protocol on April 14, 2026, after attackers seized control of its website domain and redirected users to a malicious site engineered to harvest wallet approvals, with cybersecurity researcher Vladimir S. estimating
Coinspeaker48m ago
Bitcoin's Quantum Defense Plan BIP-361 Draws Criticism Over 1.7M BTC Recovery Gap
Bitcoin developers are working on BIP-361 to protect against quantum computing threats by migrating funds to safer formats, potentially freezing 1.7 million BTC. Charles Hoskinson critiques the plan, arguing it may lead to permanent freezing of vulnerable coins. The debate highlights tensions in adapting Bitcoin's protocols.
GateNews1h ago
Tether 挹注 150M美元救援 Drift Protocol,反觀 Circle 因疏失遭集體訴訟
Drift Protocol faced a $280 million loss due to a hack, prompting Tether to launch a $150 million recovery plan, switching settlement assets to USDT. Meanwhile, Circle faces a lawsuit for failing to freeze stolen funds, highlighting regulatory ambiguities in the crypto industry.
ChainNewsAbmedia2h ago
Circle Faces Class Action Lawsuit Over $280M Drift Protocol Exploit Response
Circle Internet Group is facing a class action lawsuit for failing to quickly halt a $280 million exploit involving its Cross-Chain Transfer Protocol, as investors claim it could have intervened. The lawsuit highlights Circle's prior ability to freeze funds, raising questions about their responsiveness.
GateNews2h ago
Ethereum Foundation: Ketman project identifies 100 North Korean agents within six months
According to an ETH Rangers project recap report published by the Ethereum Foundation on April 17, 2026 (Thursday), within its six-month funding period the Ketman project funded by the Ethereum Foundation identified 100 North Korean IT workers using false identities to infiltrate Web3 organizations, and contacted roughly 53 crypto projects to warn them they may have hired active North Korean agents.
MarketWhisper2h ago
