Four Questions on the Zcash Orchard Vulnerability: Was It Exploited? Can Funds Be Recovered? Can the Supply Be Verified? Is There Anything Else?

Qin Xiaofeng
Senior Odaily author
@QinXiaofeng888
2026-06-15 07:48
This article is about 3,143 characters long; reading it in full takes about 5 minutes.
After the Ironwood upgrade, users will be able to verify for themselves whether Zcash has been over-issued.
AI Summary
  • Core point: The Zcash founder responds to the Orchard vulnerability incident, holding that the vulnerability was most likely not exploited earlier and that legitimate funds can be recovered, but that users currently cannot independently verify whether the ZEC supply has been exceeded; the proposed Ironwood upgrade will seal the Orchard pool and restore this verification capability.
  • Key points:
    1. Three reasons the vulnerability was not exploited: it went undetected by top cryptographers early on; after discovery, the development team quickly froze the Orchard pool and deployed a fix; had it been exploited, the attacker would typically have cashed out immediately, yet no evidence of this has surfaced.
    2. Legitimate funds are recoverable: if no counterfeiting occurred, all legitimate Orchard funds can be recovered; users should note that moving funds to the transparent pool or the Sapling pool exposes transaction details and introduces additional risks.
    3. Verification capability restored: the Ironwood upgrade seals the Orchard pool so that no new funds can enter and existing funds can only leave through the turnstile mechanism, restoring users' ability to independently verify that the ZEC supply is sound.
    4. Ongoing review results: to date, no other counterfeiting vulnerabilities have been found; the review involved high-level experts and AI-assisted analysis, increasing confidence that no similar vulnerabilities exist.

Original Authors: Shielded Labs CEO Jason McGee, Zcash Founder Zooko Wilcox

Compiled by Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng888)

Editor's Note: On June 5, Beijing time, it was revealed that Orchard, the new-generation privacy pool of the privacy project Zcash, had a critical counterfeiting vulnerability. The Zcash token ZEC plummeted, hitting a low near $250. After more than 10 days of developments, market panic has subsided somewhat, the ZEC price has recovered, and it returned above $500 today.

This morning, Zcash Founder Zooko Wilcox published another lengthy post addressing market concerns. He stated that the Orchard vulnerability was likely not previously exploited, and legitimate Orchard funds can be recovered. Currently, users cannot independently verify whether the Zcash supply has been exceeded, but the Ironwood upgrade will seal the Orchard pool, restoring this verification capability. Ongoing reviews have not found other counterfeiting vulnerabilities, but more work is needed to be completely certain.

The following is the original text from Zooko Wilcox, compiled by Odaily Planet Daily. Enjoy~

————————————

The recent Orchard vulnerability has raised important questions about the Zcash supply and the security of user funds. The discussion has mixed several different issues, making it difficult to understand the actual impact of the vulnerability on users. This article attempts to separate these issues and explain their significance to users one by one.

The Orchard vulnerability raises four important questions:

  1. Was the Orchard vulnerability ever exploited?
  2. Can legitimate Orchard funds be recovered?
  3. Can users verify that the Zcash supply has not been inflated?
  4. How do we know there are no other counterfeiting vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We believe it is unlikely to have been exploited, though it cannot be completely ruled out. We consider it likely that the vulnerability was not exploited for three reasons:

Despite continuous review by many of the world's top cryptographers and security researchers over the years, the vulnerability was not discovered earlier. Its eventual discovery was not accidental: it was found by Taylor Hornby of Shielded Labs, whose purpose was to proactively identify such security flaws before a malicious attacker could exploit them. Taylor used advanced AI-assisted security research techniques and purpose-built custom tools designed to find subtle defects missed by others, tools that would be much harder to build for someone not deeply familiar with the Zcash codebase.

Once the vulnerability was discovered, Zcash developers (led by the team at Zcash Open Development Labs) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, thus limiting any opportunity window for an attacker.

Cryptocurrency exploits are common, and attackers typically try to monetize them as quickly as possible, especially after the vulnerability becomes public knowledge. To profit from this vulnerability, an attacker would need to exchange the counterfeit ZEC for valuable assets, which would usually result in ZEC flowing out of the Orchard pool through the turnstile mechanism. If the vulnerability had been exploited before the fix, we would expect to see evidence by now. Historically, cryptocurrency exploits are typically "grab-and-go" operations, not multi-year, hidden strategies like "4D chess."

Can legitimate Orchard funds be recovered?

We believe so, because we think the vulnerability was never exploited. If this judgment is correct, all legitimate Orchard funds can still be fully recovered.

Image

On the other hand, if counterfeiting did occur within Orchard, the existing turnstile mechanism limits the total migration amount to the amount of ZEC that legitimately entered the pool. Therefore, if counterfeit funds are migrated before legitimate funds, users would not be able to recover some or all of their legitimate Orchard funds.

Image

We consider this scenario unlikely. However, for more cautious users, it is still recommended to move their ZEC out of Orchard. But before doing so, they should understand the following points:

  • Transferring funds to the transparent pool (i.e., to a t-address) exposes both the amount and time of the transaction, and these funds also become publicly linked to that t-address.
  • Transferring funds from the Orchard pool to the Sapling pool exposes the transaction amount and time, but unlike transferring to a t-address, it does not link these funds to a specific address or transaction history.
  • The Sapling pool relies on a trusted setup ceremony conducted in 2018. Reliance on the security of this trusted setup is an additional risk users should be aware of.
  • To our knowledge, YWallet and Zkool are currently the only widely used self-custody Zcash wallets supporting the Sapling pool.
  • Moving funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.

Overall, we consider the above risks to be moderate. If your funds are currently in a shielded self-custody wallet, given our assessment that prior counterfeiting is unlikely, leaving them there is a reasonable option. If you have a secure way to move funds elsewhere, that could also be reasonable. Users may reach different conclusions based on their own circumstances.

Can users verify that the Zcash supply has not been inflated?

Not currently. The previous existence of this vulnerability made it impossible for users to independently verify that the amount of ZEC circulating in the shielded pool does not exceed the correct amount.

Image

However, as we noted in our previous post, the Ironwood upgrade restores this capability. The diagram below explains why.

Image

The proposed network upgrade addresses this issue by adding the assurance that "no more unknown counterfeiting vulnerabilities exist" and by sealing the Orchard pool. New funds can no longer enter, and funds within the pool can no longer circulate. The only remaining path is to exit through the existing turnstile mechanism, which ensures that no more ZEC exits the Orchard pool than the amount that legitimately entered.

This change restores the ability to verify the soundness of the Zcash supply.

Currently, if counterfeit funds exist in the Orchard pool, they can continue circulating within the pool. After the upgrade, this will no longer be possible. Regardless of whether counterfeiting occurred, anyone running a node can verify that the circulating ZEC does not exceed the correct amount.
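The turnstile cap described above and the sealing rule of the proposed upgrade, as a simplified Python model added here (not Zcash's consensus code; the pool, method and scenario names are assumptions): forged notes hidden inside a pool never change what a node can compute, so exits stay capped at what verifiably entered, and a sealed pool accepts exits only.

```python
# Added example (not Zcash's consensus code): simplified model of the shielded-pool
# turnstile rule and of a sealed pool; all names are assumptions for this illustration.
from dataclasses import dataclass

class TurnstileViolation(Exception):
    """A transaction that consensus would reject."""

@dataclass
class ShieldedPool:
    entered: int = 0      # zatoshi that verifiably entered from outside the pool
    exited: int = 0       # zatoshi that verifiably left through the turnstile
    sealed: bool = False  # Ironwood-style seal: exits only
    @property
    def visible_balance(self) -> int:
        # All a node can see; forged notes hidden inside the pool do not change it.
        return self.entered - self.exited

    def deposit(self, amount: int) -> None:
        if self.sealed:
            raise TurnstileViolation("sealed: deposits rejected")
        self.entered += amount

    def internal_spend(self) -> None:
        # Value balance 0, never meets the turnstile; sealing stops forged notes circulating.
        if self.sealed:
            raise TurnstileViolation("sealed: in-pool spends rejected")

    def withdraw(self, amount: int) -> None:
        if amount > self.visible_balance:  # exits are capped at what verifiably entered
            raise TurnstileViolation("turnstile cap exceeded")
        self.exited += amount

def counterfeit_scenario(legit: int, forged: int) -> dict:
    # Attacker holds `forged` zatoshi of counterfeit notes and exits first.
    pool = ShieldedPool()
    pool.deposit(legit)
    attacker_out = min(forged, pool.visible_balance)  # the cap binds, not the forgery
    pool.withdraw(attacker_out)
    return {"attacker_out": attacker_out, "legit_recoverable": pool.visible_balance}

def sealed_pool_rules(balance: int, exit_amount: int) -> dict:
    pool = ShieldedPool(entered=balance, sealed=True)
    def attempt(action) -> str:
        try:
            action()
            return "accepted"
        except TurnstileViolation:
            return "rejected"
    return {"deposit": attempt(lambda: pool.deposit(1)), "internal": attempt(pool.internal_spend),
            "exit": attempt(lambda: pool.withdraw(exit_amount))}
```

`counterfeit_scenario` shows the point made earlier: whatever an attacker forged inside the pool, total exits never exceed what entered, so counterfeit funds leaving first reduce what legitimate holders can still recover.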

Users will not need to wait for funds to migrate out of Orchard, nor will they need to infer the potential actions of attackers or other users. The protocol itself provides verifiable assurance that excess ZEC cannot continue to circulate within Orchard and inflate the supply.

This is important because the long-term credibility of Zcash depends on users being able to independently verify the soundness of its supply. Ironwood restores the user's ability to independently verify that the protocol's supply limit is enforced.

How do we know there are no other counterfeiting vulnerabilities?

We cannot be completely certain yet, but we have reasons to believe there are no other vulnerabilities. Shielded Labs and several other teams have been carefully examining the Zcash protocol for other counterfeiting vulnerabilities. This includes using the unreleased Mythos AI model, with the help of Anthropic, to search for additional vulnerabilities shortly before Mythos was paused. We plan to share more details about this review and its findings in a subsequent blog post.

So far, no other counterfeiting vulnerabilities have been discovered. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search give us greater confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are collaborating with projects like the Tachyon Project to provide additional assurance that no more counterfeiting vulnerabilities exist in Zcash. We will elaborate further in future blog posts.

Conclusion

The Orchard vulnerability presents four important questions: Was the vulnerability exploited? Can legitimate Orchard funds be recovered? Can users verify the Zcash supply has not been inflated? And are there other undiscovered counterfeiting vulnerabilities?

We believe prior exploitation is unlikely, therefore legitimate Orchard funds can be recovered, and the current Zcash supply is secure. Based on ongoing reviews by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered counterfeiting vulnerabilities exist. However, users are currently unable to verify the security of the Zcash supply, and they should not have to rely on our assessment—or anyone else's.

The proposed network upgrade addresses this issue. By sealing the Orchard pool, it restores users' ability to independently verify the security of the Zcash supply. Users no longer need to judge whether counterfeiting occurred to verify that the protocol's supply limit is respected.

