ZEC Co-Founder Responds to Orchard Vulnerability: No Signs of Theft, Orchard Pool to Be Sealed
ZEC Co-Founder Addresses Orchard Vulnerability: No Signs of Theft, Plans to Sunset Orchard Pool
A security vulnerability was recently discovered in Zcash's Orchard shielded pool, raising key concerns. The primary questions are whether the flaw was exploited, if user funds are safe, whether users can verify the total ZEC supply, and if other similar vulnerabilities exist.
Analysis suggests the vulnerability was likely not exploited prior to its discovery. It was found proactively by a researcher using specialized tools, not due to an active breach. The development team and mining pools acted quickly to contain the issue. Typical financially-motivated attacks would likely have left visible on-chain evidence, which has not been observed.
User funds in Orchard are considered safe and should be recoverable, assuming no prior exploitation. If the flaw was never used, all legitimate funds can be withdrawn. The article outlines risks associated with moving funds to transparent addresses or other pools, but concludes that leaving assets in place is a reasonable option.
Currently, users cannot independently verify that the total ZEC supply hasn't been inflated due to this bug. However, the planned Ironwood network upgrade is designed to resolve this. It will permanently close the Orchard pool to new deposits and internal transfers, allowing only withdrawals. This mechanism will cap total withdrawals at the amount of legitimately deposited funds, enabling anyone to cryptographically verify the supply post-upgrade.
Multiple teams, including Shielded Labs, have conducted extensive audits focused on counterfeiting vulnerabilities, assisted by advanced AI tools. No additional flaws of this type have been found so far, increasing confidence that no other similar undisclosed vulnerabilities exist.
In summary, evidence indicates the Orchard bug was probably not used, user funds are secure, and no other counterfeiting flaws are currently known. The upcoming Ironwood upgrade will restore users' ability to independently verify the total ZEC supply, closing this chapter.
Foresight News22h ago
