Zcash Orchard Vulnerability Four Questions: Was It Exploited? Funds Recoverable? Supply Verifiable? Any Others?
- Core Insight: Zcash founder responds to the Orchard vulnerability incident, stating it is highly likely the vulnerability was not exploited before, legitimate funds can be recovered, but users currently cannot independently verify if the ZEC supply has been exceeded; the proposed Ironwood upgrade will seal the Orchard pool, restoring this verification capability.
- Key Elements:
- Three Reasons Why the Vulnerability Was Not Exploited: It was not discovered by top cryptographers early on; after discovery, the development team quickly froze the Orchard pool and fixed it; if exploited, attackers typically liquidate immediately, but no such evidence has surfaced.
- Recoverability of Legitimate Funds: If no forgery occurred, all legitimate Orchard funds can be recovered; users should note that transferring funds to a transparent pool or Sapling pool would expose transaction details and introduce additional risks.
- Restoration of Verification Capability: The Ironwood upgrade seals the Orchard pool, ensuring new funds cannot enter and old funds can only exit through a migration mechanism, restoring users' ability to independently verify the security of ZEC supply.
- Ongoing Audit Results: As of now, no other forgery vulnerabilities have been discovered; the audit involved high-level experts and AI-assisted analysis, increasing confidence that no similar vulnerabilities exist.
Original Author: Jason McGee, CEO of Shielded Labs; Zooko Wilcox, Founder of Zcash
Compiled by Odaily Planet Daily, Qin Xiaofeng (@QinXiaofeng888)

Editor's Note: On June 5, Beijing time, it was revealed that Orchard, the next-generation privacy pool of the privacy project Zcash, had a critical counterfeiting vulnerability. Consequently, the Zcash token ZEC halved in value, dropping to around $250. More than 10 days on, market panic has subsided somewhat, and the ZEC price has recovered, returning to $500 today. (Recommended reading: "'Infinite Mint' Bug Lurked for Four Years as Privacy Coin ZEC Halved in a Day")
This morning, Zcash founder Zooko Wilcox published another lengthy statement addressing market concerns. He stated that it is highly likely the Orchard vulnerability was not exploited previously, and legitimate Orchard funds can be recovered; currently, users cannot independently verify if the Zcash supply has been exceeded, but the Ironwood upgrade will seal the Orchard pool, restoring this verification ability; ongoing audits have not found other counterfeiting vulnerabilities, but more work is needed for complete certainty.
The following is the original text from Zooko Wilcox, compiled by Odaily Planet Daily. Enjoy~
————————————
The recent Orchard vulnerability has raised important questions about the Zcash supply and the security of user funds. The discussion has mixed several different issues, making it difficult to understand the actual impact of the vulnerability on users. This article attempts to separate these issues and explain their implications for users one by one.
The Orchard vulnerability raises four important questions:
- Was the Orchard vulnerability ever exploited?
- Can legitimate Orchard funds be recovered?
- Can users verify that the Zcash supply has not been inflated?
- How do we know there are no other counterfeiting vulnerabilities?
Was the Orchard vulnerability ever exploited?
Unknown. We consider it unlikely that it was previously exploited, although it cannot be completely ruled out. We believe the vulnerability was likely not exploited for three reasons:
Despite continuous review by many of the world's top cryptographers and security researchers over the years, this vulnerability was not discovered previously. Its eventual discovery was not accidental; it was found by Taylor Hornby of Shielded Labs, whose aim was to proactively identify such security flaws before malicious actors could exploit them. Taylor used advanced AI-assisted security research techniques and specially built custom tools designed to uncover subtle defects missed by others, which would be more difficult for someone not deeply familiar with the Zcash codebase.
Once the vulnerability was discovered, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, thus limiting any window of opportunity for attack.
Cryptocurrency exploits are common, and attackers typically try to cash out as quickly as possible, especially after a vulnerability is made public. For an attacker to profit from this vulnerability, they would need to exchange the counterfeit ZEC for valuable assets, which would usually cause ZEC to leave the Orchard pool via the turnstile mechanism. If the vulnerability had been exploited before the fix, we would expect evidence to have emerged by now. Historically, cryptocurrency exploits are usually "grab-and-go" operations, not "4D chess" strategies hidden for months or even years.
Can legitimate Orchard funds be recovered?
We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds are still fully recoverable.

On the other hand, if counterfeiting did occur in Orchard, the existing turnstile mechanism limits the total migration amount to the ZEC that legitimately entered the pool. Therefore, if counterfeit funds migrated before legitimate funds, users would be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for users who are more cautious, it is still recommended to move their ZEC out of Orchard. But before doing so, they should understand the following:
- Transferring funds to a transparent pool (i.e., to a t-address) will expose the transfer amount and time, and these funds will also be publicly linked to that t-address.
- Transferring funds from the Orchard pool to the Sapling pool will expose the transfer amount and time, but unlike transferring to a t-address, it will not link these funds to a specific address or transaction history.
- The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on the security of this trusted setup is an additional risk for users to be aware of.
- To our knowledge, YWallet and Zkool are currently the only widely used self-custody Zcash wallets that support the Sapling pool.
- Transferring funds to a new wallet or custodian service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.
Overall, we assess the above risks as moderate. If your funds are currently in a shielded self-custody wallet, leaving them there is a reasonable choice, given our assessment that prior counterfeiting is unlikely. If you have a secure way to move funds elsewhere, that might also be reasonable. Users may reach different conclusions based on their own circumstances.
Can users verify that the Zcash supply has not been inflated?
Not currently. The prior existence of this vulnerability prevented users from independently verifying that the amount of ZEC circulating in the shielded pool does not exceed the correct amount.

However, as we pointed out in a previous article, the Ironwood upgrade restores this capability. The diagram below illustrates why.

The proposed network upgrade addresses this issue by increasing the assurance that "no more unknown counterfeiting vulnerabilities exist" and sealing the Orchard pool. New funds can no longer enter, and funds within the pool can no longer circulate. The only remaining path is to leave via the existing turnstile mechanism, which ensures that the amount of ZEC exiting the Orchard pool does not exceed the amount that legitimately entered.
This change restores the ability to verify the soundness of the Zcash supply.
Currently, if counterfeit funds exist in the Orchard pool, they could continue to circulate within the pool. After the upgrade, this will no longer be possible. Whether or not counterfeiting occurred, anyone running a node can verify that the circulating ZEC does not exceed the correct amount.
Users do not need to wait for funds to migrate out of Orchard, nor do they need to infer the potential actions of attackers or other users. The protocol itself provides a verifiable guarantee: excess ZEC cannot continue to circulate within Orchard and inflate the supply.
This is important because Zcash's long-term credibility depends on users being able to verify the soundness of its supply themselves. Ironwood restores users' ability to independently verify that the protocol's supply limit is enforced.
How do we know there are no other counterfeiting vulnerabilities?
We cannot be completely certain yet, but we have reason to believe no other vulnerabilities exist. Shielded Labs and several other teams have been diligently reviewing the Zcash protocol for other counterfeiting vulnerabilities. This includes using the yet-to-be-released Mythos AI model, with help from Anthropic, shortly before Mythos was paused, to search for additional vulnerabilities. We plan to share more details about this review and its findings in a follow-up blog post.
So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us increased confidence that no similar vulnerabilities remain undiscovered.
Furthermore, we are collaborating with projects like the Tachyon Project to provide additional assurance that no more counterfeiting vulnerabilities exist in Zcash. We will elaborate on this in future blog posts.
Conclusion
The Orchard vulnerability presents four important questions: Was the vulnerability exploited, can legitimate Orchard funds be recovered, can users verify the Zcash supply hasn't been inflated, and are there other undiscovered counterfeiting vulnerabilities?
We consider it unlikely to have been exploited previously; therefore, legitimate Orchard funds should be recoverable, and the current Zcash supply is safe. Based on the ongoing review by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered counterfeiting vulnerabilities exist. However, users cannot yet verify the safety of the Zcash supply, and they should not have to rely on our assessment—or anyone else's.
The proposed network upgrade solves this problem. By sealing the Orchard pool, it restores users' ability to independently verify the security of the Zcash supply. Users no longer need to determine whether counterfeiting occurred to verify that the protocol's supply limit is being followed.
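The turnstile and seal described in the sections above, modeled as an added illustration. This is not Zcash consensus code; the transaction fields (`into_pool`, `out_of_pool`, `intra`), the zatoshi amounts and the scenario are assumptions, and real Orchard value balances are expressed differently. It shows why a node can cap exits at what legitimately entered, why counterfeit funds that migrate first starve legitimate ones, and what sealing the pool stops.

```python
from dataclasses import dataclass


@dataclass
class OrchardTx:
    """Net effect of one transaction on the Orchard pool, in zatoshi (assumed fields).
    into_pool:   value entering from a t-address or the Sapling pool
    out_of_pool: value leaving via the turnstile
    intra:       value spent and re-created inside Orchard (circulation)
    A counterfeit note is indistinguishable here from a legitimate intra transfer,
    which is exactly why turnstile accounting cannot see it."""
    into_pool: int = 0
    out_of_pool: int = 0
    intra: int = 0


@dataclass
class OrchardPool:
    sealed: bool = False
    balance: int = 0  # turnstile balance: entries minus exits, verifiable by any node

    def apply(self, tx: OrchardTx) -> bool:
        """Return True if tx passes the modeled rules, False if it would be rejected."""
        if self.sealed and (tx.into_pool > 0 or tx.intra > 0):
            return False  # seal: no new deposits, no circulation inside the pool
        new_balance = self.balance + tx.into_pool - tx.out_of_pool
        if new_balance < 0:
            return False  # turnstile: cumulative exits can never exceed entries
        self.balance = new_balance
        return True


def scenario() -> dict:
    """Constructed sequence: one legitimate deposit, one forgery, then the seal."""
    pool, r = OrchardPool(), {}
    r["legit_deposit"] = pool.apply(OrchardTx(into_pool=100))        # accepted
    r["forged_circulates"] = pool.apply(OrchardTx(intra=1_000))       # accepted: invisible
    r["forged_exit_1000"] = pool.apply(OrchardTx(out_of_pool=1_000))  # rejected by turnstile
    r["forged_exit_100"] = pool.apply(OrchardTx(out_of_pool=100))     # accepted: front-runs
    r["legit_exit_after"] = pool.apply(OrchardTx(out_of_pool=100))    # rejected: legit loses
    pool.sealed = True                                                # Ironwood-style seal
    r["intra_after_seal"] = pool.apply(OrchardTx(intra=50))           # rejected
    r["deposit_after_seal"] = pool.apply(OrchardTx(into_pool=10))     # rejected
    r["balance"] = pool.balance                                       # 0: nothing more exits
    return r
```

After the seal, the only accepted transactions are exits bounded by `balance`, so the supply a node computes from turnstile accounting is an upper bound on what can ever leave the pool, regardless of what circulated inside it before.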