Zcash fixes critical Sprout shielded pool flaw, securing 25,000 ZEC funds

Zcash fixes critical flaw in legacy Sprout shielded pool

Zcash developers have resolved a severe security vulnerability in the network’s original shielded pool, Sprout, a bug that theoretically could have allowed attackers to siphon off more than 25,000 ZEC. Despite the seriousness of the issue, no funds were stolen and the problem has now been fully patched.

The vulnerability, uncovered by security researcher Alex “Scalar” Sol, was found in certain versions of the zcashd full node software. According to the disclosure, affected nodes were incorrectly skipping proof verification for transactions that involved the deprecated Sprout shielded pool. In practice, this meant that under the right conditions, malicious actors might have been able to craft invalid transactions that were still accepted as valid by vulnerable nodes.

Sprout was Zcash’s first shielded pool, launched alongside the network in 2016 and representing one of the earliest real-world deployments of zk-SNARKs in a cryptocurrency. It allowed users to transact privately by hiding transaction amounts and addresses, a foundational feature that helped define Zcash’s identity as a privacy-focused asset.

Although Sprout has been closed to new deposits since November 2020, it still holds a nontrivial balance. Roughly 25,424 ZEC remain in the pool, representing funds that users have yet to migrate to newer shielded pools such as Sapling or Orchard. These legacy balances were the ones potentially at risk had the vulnerability been exploited before the patch.

The bug affected software releases dating back to July 2020. The Zcash team addressed the issue in version v6.12.0 of zcashd, released on Tuesday, which restores proper verification of Sprout-related proofs on affected nodes. The disclosure notes that there is no evidence of the bug being exploited in the wild, and the remaining Sprout funds are considered safe.

Major mining pools moved quickly to secure the network once notified. Large operators such as Luxor, F2Pool, ViaBTC, and AntPool had all applied the fix by March 26, helping ensure that newly mined blocks followed the patched consensus rules. This rapid upgrade reduced the window of opportunity for any would-be attacker and shored up network security at the consensus layer.

Importantly, the issue did not impact all Zcash software. The independent Zebra full node implementation was not affected by this specific flaw. In fact, the disclosure notes that if someone had attempted to exploit the bug against a mixed network of vulnerable zcashd nodes and unaffected Zebra nodes, the result would likely have been a chain split. That prospect, while dangerous in its own right, would also have acted as a visible warning sign that something was wrong, rather than allowing silent, undetected inflation.

Despite the gravity of the bug, the Zcash Open Development Team emphasized that the protocol’s built-in “turnstile” mechanism would have limited the damage from a systemic perspective. The turnstile enforces a simple but powerful rule: any coins leaving a shielded pool must have verifiably entered that pool earlier. This design is intended to prevent undetected inflation by ensuring that total outflows cannot exceed documented inflows, even if a pool’s internal accounting were to be compromised.
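To make concrete how a skipped proof check (described above for affected zcashd nodes) interacts with the turnstile rule, here is an added, simplified model written for this article; it is not zcashd or Zebra code, and the transaction fields, the `proof_valid` flag and the sample transaction sequence are constructed assumptions. The model shows that a node which skips proof verification can be made to release funds already sitting in the pool, while the turnstile still stops any outflow beyond what verifiably entered.

```python
from dataclasses import dataclass


@dataclass
class ShieldedTx:
    """Constructed stand-in for a pool-crossing transaction (values in zatoshi)."""
    txid: str
    value_in: int      # value verifiably entering the shielded pool
    value_out: int     # value leaving the pool back to transparent
    proof_valid: bool  # assumed outcome of zk-proof verification


class PoolValidator:
    """Tracks one shielded pool's balance; verify_proofs=False models the bug."""

    def __init__(self, verify_proofs: bool = True) -> None:
        self.verify_proofs = verify_proofs
        self.pool_balance = 0  # cumulative inflow minus cumulative outflow

    def accept(self, tx: ShieldedTx) -> tuple[bool, str]:
        # Patched behaviour: every pool transaction must carry a valid proof.
        if self.verify_proofs and not tx.proof_valid:
            return False, "rejected: invalid proof"
        # Turnstile: outflow may never exceed what has verifiably entered.
        if tx.value_out > self.pool_balance + tx.value_in:
            return False, "rejected: turnstile, pool balance would go negative"
        self.pool_balance += tx.value_in - tx.value_out
        return True, "accepted"


def run_scenario(verify_proofs: bool) -> tuple[list[tuple[str, bool, str]], int]:
    """Replay a constructed sequence and return (per-tx verdicts, final balance)."""
    node = PoolValidator(verify_proofs)
    txs = [
        ShieldedTx("deposit", 100, 0, True),
        ShieldedTx("honest-withdraw", 0, 40, True),
        ShieldedTx("forged-withdraw", 0, 50, False),    # within remaining balance
        ShieldedTx("forged-inflation", 0, 500, False),  # exceeds remaining balance
    ]
    results = [(tx.txid, *node.accept(tx)) for tx in txs]
    return results, node.pool_balance


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, balance = run_scenario(verify_proofs=mode)
        print(f"verify_proofs={mode}: final balance {balance}")
        for txid, ok, reason in verdicts:
            print(f"  {txid:18s} {reason}")
```

The vulnerable run accepts the forged withdrawal of funds already in the pool (the exposure the article puts at roughly 25,000 ZEC) but still rejects the inflation attempt at the turnstile; the patched run rejects both at proof verification.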

This incident marks the second time a critical vulnerability has been discovered in Zcash’s shielded pool infrastructure. In 2019, the Zcash team publicly revealed a “counterfeiting” bug in the underlying cryptography, which could theoretically have allowed an attacker to create unlimited ZEC without being noticed. While there was no evidence that the earlier bug was exploited, its existence underscored the complexity and risk inherent in deploying cutting-edge cryptographic systems at scale.

The new Sprout vulnerability reinforces that lesson. Shielded transactions rely on sophisticated zero-knowledge proofs and intricate consensus logic, leaving very little room for implementation mistakes. Even when the core cryptography is sound, bugs in validation, handling of legacy code paths, or configuration logic can open severe attack vectors if not caught in time.

For Zcash users who still hold funds in the Sprout pool, the primary practical implication is straightforward: migration is overdue. Although the recent patch eliminates the immediate risk described in the disclosure, Sprout has long been deprecated, and newer pools such as Sapling and Orchard benefit from years of additional scrutiny, performance improvements, and security hardening. Moving funds out of Sprout reduces exposure to any yet-unknown vulnerabilities in legacy code and aligns users with the network’s current best practices.

For node operators and miners, the incident highlights the importance of staying current with software releases. Running outdated consensus software, especially on privacy-centric networks that evolve rapidly, can expose both operators and the broader network to avoidable dangers. Promptly applying security updates is not just a matter of operational hygiene; it is a key part of maintaining consensus integrity.

From a broader ecosystem perspective, the disclosure also illustrates how multiple layers of defense can mitigate the impact of even serious bugs. In this case, redundancy came from the diversity of node implementations (zcashd and Zebra), from the economic incentives of mining pools to protect their revenue sources, and from protocol-level features like the turnstile that constrain total supply. While no system is perfectly secure, overlapping safeguards can significantly reduce the likelihood of catastrophic failure.

The episode is also a reminder that privacy technology does not come for free. Advanced features like zk-SNARK-based shielding add complexity to both code and cryptographic assumptions. Networks that choose this path must commit to continuous security review, formal analysis, external audits, and transparent disclosure when problems are found. Zcash, by publicly documenting its past vulnerabilities and fixes, has effectively turned these crises into case studies that can benefit the broader cryptographic and blockchain research communities.

Looking ahead, the Zcash team is likely to put even more emphasis on decommissioning legacy components like Sprout and encouraging ecosystem-wide migration to newer pools. This may involve upgraded tooling for easy fund migration, user education campaigns, and more explicit deprecation timelines so that funds are not left stranded in outdated pools for years.

For investors and users evaluating Zcash after this disclosure, the main questions are about trust and process rather than immediate risk. The fact that no funds were lost, that major infrastructure providers updated quickly, and that the vulnerability was disclosed and patched transparently all point to a maturing security culture. At the same time, the repeated appearance of critical bugs in legacy shielded pools underscores the need for ongoing caution, code review, and diversification of implementation efforts.

In the end, the newly patched Sprout bug is both a narrow technical fix and a broader signal. Technically, it closes a specific vulnerability path that could have endangered over 25,000 ZEC sitting in an old shielded pool. Strategically, it reinforces the long-term direction of the Zcash project: away from legacy constructions like Sprout and toward more robust, thoroughly vetted, and actively maintained privacy infrastructure.