Zcash fixes a critical security vulnerability that once threatened the safety of over 25,000 ZEC


Gate News, April 1: Privacy coin Zcash has disclosed and fixed a critical security vulnerability. Security researcher Alex “Scalar” Sol disclosed on March 23 that zcashd nodes skipped proof verification when processing transactions involving the Sprout privacy pool, a flaw that malicious miners could have exploited to transfer more than 25,000 ZEC (about $6.5 million) out of the deprecated Sprout pool.

Official statements said the vulnerability had been present since July 2020 but was never actually exploited, and that users’ funds were always safe. The development team released version v6.12.0 to complete the fix, and major mining pools finished rolling out the upgrade within days. In addition, unaffected Zebra full-node implementations are able to trigger chain forks, which would have provided extra protection had the vulnerability been exploited.

According to the disclosure, although the Sprout pool was closed to new deposits in November 2020, about 25,424 ZEC had still not been migrated. Even if the vulnerability had been exploited, Zcash’s turnstile mechanism could have prevented inflationary issuance, ensuring the total supply could not be breached. The flaw was discovered with AI assistance, and the researcher will receive a total bounty of 200 ZEC (about $51,000). Notably, Zcash previously fixed a serious defect in 2019 that could have led to unlimited inflation.
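The difference between the two guarantees described above can be shown with a simplified model of a turnstile-style balance check, in the spirit of ZIP 209 (negative shielded pool balances are prohibited). This is an added example, not zcashd or Zebra code; `PoolTransfer`, `apply_block` and `block_accepted` are hypothetical names, and the amounts are constructed from the figures in the article.

```python
from __future__ import annotations
from dataclasses import dataclass

ZATOSHI_PER_ZEC = 100_000_000  # integer units avoid float rounding


class TurnstileViolation(Exception):
    """Raised when a block would drive a shielded pool balance below zero."""


@dataclass
class PoolTransfer:
    """Public value moved by one shielded transfer (hypothetical structure)."""
    value_in: int   # transparent value entering the pool
    value_out: int  # value leaving the pool to transparent outputs


def apply_block(pool_balance: int, transfers: list[PoolTransfer]) -> int:
    """Return the pool balance after the block, or raise if it goes negative.

    Only public amounts are examined. Zero-knowledge proofs are NOT checked
    here, so this cannot tell whether the spender owned the notes.
    """
    for t in transfers:
        if t.value_in < 0 or t.value_out < 0:
            raise ValueError("amounts must be non-negative")
        pool_balance += t.value_in - t.value_out
    if pool_balance < 0:
        raise TurnstileViolation(f"pool balance would be {pool_balance}")
    return pool_balance


def block_accepted(pool_balance: int, transfers: list[PoolTransfer]) -> bool:
    """True if the turnstile check alone would let the block through."""
    try:
        apply_block(pool_balance, transfers)
        return True
    except TurnstileViolation:
        return False


# Constructed sample: the unmigrated Sprout balance cited in the article.
SPROUT_BALANCE = 25_424 * ZATOSHI_PER_ZEC
# Withdrawal within the pool balance: the turnstile alone does not object,
# which is why proof verification is still required to protect owners.
within = [PoolTransfer(0, 25_000 * ZATOSHI_PER_ZEC)]
# One zatoshi more than the pool holds: rejected, so supply cannot inflate.
beyond = [PoolTransfer(0, SPROUT_BALANCE + 1)]
```

The turnstile caps the damage at the pool's existing balance; only proof verification, the step the fix restores, ties a withdrawal to its rightful owner.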


Comment
大元亨通vip
· 04-02 14:38
Buy the dip 😎