Four questions about the Zcash Orchard vulnerability: Was it ever exploited? Can funds be recovered? Can the supply be verified? Are there other issues?
After the Ironwood upgrade, users will be able to verify for themselves whether Zcash has been over-issued.
- Key view: Zcash's founder responds to the Orchard vulnerability incident, stating that it is unlikely the vulnerability was previously exploited and that legitimate funds are recoverable, but that users currently cannot independently verify whether the ZEC supply exceeds its cap. The proposed Ironwood upgrade will seal the Orchard pool to restore this verification capability.
- Key points:
- Three reasons the vulnerability was not exploited: it was not found earlier by top cryptographers; after discovery the development team quickly froze the Orchard pool and fixed it; had it been exploited, attackers would typically have cashed out immediately, but no such evidence has emerged.
- Legitimate funds are recoverable: if no counterfeiting occurred, all legitimate Orchard funds are recoverable. Users should note that moving funds to the transparent pool or the Sapling pool exposes transaction details and may introduce additional risk.
- Verification capability restored: the Ironwood upgrade seals the Orchard pool, blocking new funds from entering and allowing existing funds to leave only through the turnstile mechanism, which restores users' ability to independently verify the soundness of the ZEC supply.
- Ongoing review results: no other counterfeiting vulnerabilities have been found so far; the review involved senior experts and AI-assisted analysis, increasing confidence that no similar vulnerabilities exist.
Original author: Shielded Labs CEO Jason McGee, Zcash Founder Zooko Wilcox
Compiled by Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng888)

Editor's Note: On June 5, Beijing time, the privacy project Zcash was found to have a critical counterfeiting vulnerability in its new-generation privacy pool, Orchard. Zcash's token, ZEC, halved, dropping to around $250. After about 10 days, market panic has somewhat subsided and the ZEC price has recovered, returning to $500 today. (Recommended reading: "A Vulnerability Lurking for Four Years for Unlimited Minting, Privacy Coin ZEC Halved in a Day")
This morning, Zcash founder Zooko Wilcox published another lengthy post addressing market concerns. He stated that it is highly probable the Orchard vulnerability was not previously exploited, and that legitimate Orchard funds can be recovered; users currently cannot independently verify whether the Zcash supply has been inflated, but the Ironwood upgrade will seal the Orchard pool and restore this verification capability; ongoing audits have not revealed other counterfeiting vulnerabilities, but more work is needed for absolute certainty.
The following is the original text from Zooko Wilcox, compiled by Odaily Planet Daily. Enjoy~
————————————
The recent Orchard vulnerability has raised important questions about the Zcash supply and user fund security. The discussion has mixed several different issues, making it difficult to understand the actual impact of the vulnerability on users. This article aims to separate these issues and explain their significance to users one by one.
The Orchard vulnerability raises four key questions:
- Was the Orchard vulnerability ever exploited?
- Can legitimate Orchard funds be recovered?
- Can users verify that the Zcash supply has not been inflated?
- How do we know there are no other counterfeiting vulnerabilities?
Was the Orchard vulnerability ever exploited?
Unknown. We believe it is unlikely that it was exploited, although it cannot be completely ruled out. We believe the vulnerability was likely not exploited for three reasons:
Despite years of continuous review by many of the world's top cryptographers and security researchers, this vulnerability was not previously discovered. Its eventual discovery was not accidental; it was found by Taylor Hornby of Shielded Labs, whose goal was to proactively identify such security vulnerabilities before a malicious attacker could exploit them. Taylor used advanced, AI-assisted security research techniques and specially built custom tools designed to find subtle flaws that others missed. These tasks are much more difficult for those not deeply familiar with the Zcash codebase.
Once the vulnerability was discovered, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, thereby limiting any opportunity window for an attack.
Cryptocurrency exploits are common, and attackers typically try to cash out as quickly as possible, especially after the vulnerability becomes public. For an attacker to profit from this vulnerability, they would need to exchange the counterfeited ZEC for valuable assets, which would typically require the ZEC to leave the Orchard pool via the turnstile mechanism. If the vulnerability had been exploited before the fix, we would expect evidence to have emerged by now. Historically, cryptocurrency exploits are usually "grab-and-go" operations, not strategies hidden like "4D chess" for months or years.
Can legitimate Orchard funds be recovered?
We believe so, because we believe the vulnerability was never exploited. If this judgment is correct, all legitimate Orchard funds remain fully recoverable.

On the other hand, if counterfeiting did occur within Orchard, the existing turnstile mechanism limits the total amount that can leave the pool to the ZEC that legitimately entered it. Therefore, if counterfeit funds were migrated out before legitimate funds, users would be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, it is still recommended to transfer their ZEC out of Orchard. But before doing so, they should be aware of the following points:
- Transferring funds to a transparent pool (i.e., to a t-address) exposes both the transfer amount and time, and these funds become publicly linked to that t-address.
- Transferring funds from the Orchard pool to the Sapling pool exposes the transfer amount and time, but unlike transferring to a t-address, it does not link these funds to a specific address or transaction history.
- The Sapling pool relies on a trusted setup ceremony performed in 2018. Relying on the security of this trusted setup is an additional risk users should note.
- To our knowledge, YWallet and Zkool are currently the only widely used self-custody Zcash wallets supporting the Sapling pool.
- Transferring funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, counterparty risk, or other unforeseen issues.
Overall, we assess the above risks as moderate. If your funds are currently in a shielded self-custody wallet, leaving them there is a reasonable choice given our assessment that prior counterfeiting is unlikely. Moving funds elsewhere could also be reasonable if you have a secure way to do so. Users may reach different conclusions based on their own circumstances.
Can users verify that the Zcash supply has not been inflated?
Not currently. The prior existence of this vulnerability prevented users from independently verifying that the amount of ZEC in circulation within the shielded pool does not exceed the correct amount.

However, as we pointed out in our previous article, the Ironwood upgrade restores this capability. The diagram below explains why.

The proposed network upgrade addresses this issue by increasing the assurance that "no more unknown counterfeiting vulnerabilities exist" and by sealing the Orchard pool. New funds can no longer enter, and funds within the pool can no longer circulate. The only remaining path is to leave via the existing turnstile mechanism, which ensures that no more ZEC leaves the Orchard pool than was legitimately deposited.
This change restores the ability to verify the soundness of the Zcash supply.
Currently, if counterfeit funds exist in the Orchard pool, they could continue to circulate within the pool. After the upgrade, this will no longer be possible. Regardless of whether counterfeiting occurred or not, anyone running a node can verify that the amount of ZEC in circulation does not exceed the correct amount.
Users do not need to wait for funds to migrate out of Orchard or infer the potential actions of attackers or other users. The protocol itself provides a verifiable guarantee: surplus ZEC cannot continue to circulate within Orchard and inflate the supply.
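To make the turnstile bound and the sealed-pool rule concrete, the following toy model replays a sequence of transactions against a shielded pool the way a validating node would. It is an added example written for this article, not Zcash's consensus code: the real rules work from each transaction's public value-balance field and a per-pool chain value balance, and this model keeps only the two properties the post relies on. The names `PoolTx`, `replay_pool`, `sealed_from`, `is_valid` and `recoverable_legit_funds` are hypothetical, and every transaction and amount below is constructed. It serves both the earlier caveat (counterfeit funds leaving the pool before legitimate ones) and the sealed-pool behaviour described just above.

```python
"""Toy model of a shielded value pool guarded by a turnstile.

Added illustration, not Zcash's code: it simplifies the real consensus rules,
which compute a per-pool chain value balance from each transaction's public
value-balance field and reject any block that drives it negative.
Amounts are integers in zatoshi; all transactions here are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

ZEC = 100_000_000  # zatoshi per ZEC


@dataclass(frozen=True)
class PoolTx:
    """Publicly visible effect of one transaction on the Orchard pool.

    deposit:  zatoshi moved into Orchard from the transparent or Sapling pool
    withdraw: zatoshi moved out of Orchard through the turnstile
    internal: True when the tx also spends and creates Orchard notes, whose
              amounts are hidden from validators (a pool-internal transfer)
    """
    txid: str
    deposit: int = 0
    withdraw: int = 0
    internal: bool = False


class ConsensusError(Exception):
    """Raised when a transaction violates a pool rule."""


def replay_pool(txs: Iterable[PoolTx], sealed_from: Optional[int] = None) -> int:
    """Validate a transaction sequence and return the final public pool balance.

    Turnstile rule: the running balance (deposits minus withdrawals), computed
    from public fields only, must never go negative. Whatever happens inside
    the pool, total withdrawals can never exceed total legitimate deposits.

    sealed_from: index from which the pool is treated as sealed (a hypothetical
    model of the proposed Ironwood behaviour as the article describes it):
    deposits and pool-internal transfers are rejected; only withdrawals remain,
    so nothing hidden inside the pool can keep circulating.
    """
    balance = 0
    for i, tx in enumerate(txs):
        if sealed_from is not None and i >= sealed_from:
            if tx.deposit or tx.internal:
                raise ConsensusError(f"{tx.txid}: pool is sealed, only withdrawals allowed")
        balance += tx.deposit - tx.withdraw
        if balance < 0:
            raise ConsensusError(f"{tx.txid}: withdrawal exceeds pool balance (turnstile)")
    return balance


def is_valid(txs: List[PoolTx], sealed_from: Optional[int] = None) -> bool:
    """True if consensus accepts the whole sequence, False if any tx is rejected."""
    try:
        replay_pool(txs, sealed_from)
        return True
    except ConsensusError:
        return False


def recoverable_legit_funds(total_deposited: int, counterfeit_withdrawn: int) -> int:
    """Upper bound on legitimate ZEC that can still leave the pool.

    If counterfeit notes exist and their holders withdraw first, the turnstile
    still caps total exits at the deposited total, so legitimate holders can
    lose up to the amount those counterfeit withdrawals consumed.
    """
    return max(0, total_deposited - counterfeit_withdrawn)


if __name__ == "__main__":
    # Constructed history: 100 ZEC deposited, one hidden internal transfer,
    # then the pool is sealed and 25 ZEC leaves through the turnstile.
    history = [
        PoolTx("t1", deposit=100 * ZEC),
        PoolTx("t2", internal=True),
        PoolTx("t3", withdraw=25 * ZEC),
    ]
    print("balance after replay (ZEC):", replay_pool(history, sealed_from=2) / ZEC)
    print("sealed pool accepts an internal transfer:", is_valid(history, sealed_from=1))
    print("legit ZEC still recoverable if 30 counterfeit ZEC exited first:",
          recoverable_legit_funds(100 * ZEC, 30 * ZEC) / ZEC)
```

The model shows why sealing matters for supply verification: before the seal, a node can only bound what leaves the pool, while hidden notes (legitimate or not) can keep changing hands inside it; after the seal, the public balance is the only thing that can still move, and the turnstile caps it at what was deposited.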
This is important because Zcash's long-term credibility depends on users being able to verify the soundness of its supply themselves. Ironwood restores users' ability to independently verify that the protocol's supply limit is enforced.
How do we know there are no other counterfeiting vulnerabilities?
We cannot be completely certain yet, but we have reason to believe there are no other vulnerabilities. Shielded Labs and several other teams have been meticulously reviewing the Zcash protocol for other counterfeiting vulnerabilities. This includes using an unreleased Mythos AI model, shortly before Mythos was paused, with the help of Anthropic, to search for additional vulnerabilities. We plan to share more details about this review and its findings in a subsequent blog post.
So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us increased confidence that no similar vulnerabilities remain undiscovered.
Furthermore, we are working with projects like the Tachyon Project to provide additional assurance that no more counterfeiting vulnerabilities exist in Zcash. We will elaborate on this in future blog posts.
Conclusion
The Orchard vulnerability presents four important questions: Was the vulnerability exploited, can legitimate Orchard funds be recovered, can users verify the Zcash supply has not been inflated, and are there other undiscovered counterfeiting vulnerabilities.
We believe prior exploitation is unlikely, therefore legitimate Orchard funds can be recovered, and the current Zcash supply is secure. Based on the ongoing review by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered counterfeiting vulnerabilities exist. However, users cannot currently verify the security of the Zcash supply themselves, and they should not have to rely on our assessment—or anyone else's.
The proposed network upgrade solves this problem. By sealing the Orchard pool, it restores users' ability to independently verify the security of the Zcash supply. Users no longer need to determine whether counterfeiting occurred to verify that the protocol's supply limit is being followed.