A critical vulnerability in the zcashd node that could allow the withdrawal of 25,000 ZEC from the Sprout pool has been fixed with emergency patch v6.12.0.
A critical security vulnerability in the Zcash network's node software has been discovered and successfully fixed before it could be exploited.
According to a report published on March 25, security researcher Alex “Scalar” SOL discovered a vulnerability on March 23: zcashd nodes were skipping proof-of-stake verification for transactions involving the Sprout pool. Sprout is an older component of the network that stopped accepting new deposits in November 2020 but was still active, with approximately 25,424 ZEC not yet migrated to newer versions, equivalent to about $6.5 million at the time of publication.
Rapid response chain preserves user assets.
Immediately after SOL reported the issue to Shielded Labs, the organization urgently coordinated with Zcash Open Development Lab (ZODL), where engineer Jack “str4d” Grigg was directly involved in building the patch.
Version v6.12.0 was released on Tuesday, and major mining pools reacted quickly: Luxor confirmed deployment on March 25, while F2Pool, ViaBTC, and AntPool completed updates on March 26. The vulnerability affects all versions released from July 2020 to the present, meaning it existed for almost five years undetected.
Notably, even in an exploitation scenario, losses are limited by internal safeguards. Zcash's "turnstile" mechanism requires every coin leaving the Sprout pool to have proof of prior inclusion, thereby preventing any supply inflation exceeding the network's total supply of approximately 16.63 million ZEC.
In addition, deployed Zebra nodes, which are unaffected by the vulnerability, will trigger a chain split if an exploit occurs, providing an additional layer of independent defense. This layered protection design is highly valued by the security community, especially when the vulnerability lies in a component that has been retired from official use but not yet removed from the system.
Notably, SOL discovered the vulnerability with the help of AI, a security research method that is becoming increasingly popular in the cryptocurrency field. In recognition of his contribution, SOL received a total reward of 200 ZEC (equivalent to over $51,000), contributed equally by four organizations: Shielded Labs, ZODL, Zcash Foundation, and Bootstrap.
This isn't the first time Zcash has faced a serious vulnerability. In 2019, the network addressed a bug that allowed for the creation of an unlimited amount of fake crypto assets; however, it was also patched in time. The market reacted positively to this news, with ZEC surging more than 14% in 24 hours, reaching above $255.



