Shielded Labs believes it is unlikely that the Orchard vulnerability was previously exploited; user assets are therefore safe, and the total amount of tokens is currently normal.
Written by: Zooko Wilcox, Jason McGee
Translation: Luffy, Foresight News
Recently, a security vulnerability was found in the Orchard module of Zcash, and two questions are on everyone's mind: Is there any abnormality in the total amount of Zcash tokens? Are user assets safe?
The current discussion mixes several different topics, and many people find it difficult to understand the actual impact of this vulnerability on ordinary users. This article takes these questions one by one and explains what each of them means.
This Orchard vulnerability mainly raises four key questions:
- Has the vulnerability been exploited by hackers?
- Can users retrieve their legitimate assets stored in Orchard normally?
- Can users independently verify that the total amount of Zcash tokens has not been artificially inflated?
- How can we confirm that the project does not have other similar fraud vulnerabilities?
Has the vulnerability been exploited?
There is currently no conclusion. Overall, the likelihood of the vulnerability being maliciously exploited previously is low, but we cannot completely rule out this possibility for three main reasons:
- For years, many top cryptography experts and security researchers worldwide have been reviewing the Zcash code, and this vulnerability had not been discovered until now. It was found through a deliberate search by Taylor Hornby of Shielded Labs, not exposed by accident. He used artificial intelligence security detection technology and self-developed tools built specifically to uncover such hidden defects. Such vulnerabilities have a high barrier to discovery, and professionals who do not work on the Zcash codebase find them difficult to locate and exploit.
- After the vulnerability was exposed, the Zcash development team immediately collaborated with major mining pools to temporarily freeze the Orchard fund pool and pushed a fix, greatly reducing the attack window for hackers.
- In the cryptocurrency field, attacks are mostly aimed at quick profit; once a vulnerability is publicly disclosed, hackers usually immediately cash out. To profit from this vulnerability, hackers would need to transfer forged ZEC from the Orchard fund pool and exchange it for other assets, which would generally leave traces. If the vulnerability had been exploited, relevant evidence should have already emerged. Looking at the history of the industry, hackers typically leave quickly after "success," and would not intentionally hide for months or even years.
Can legitimate assets in Orchard be retrieved?
We believe they can be retrieved normally, provided that the vulnerability was never exploited. If this assessment is accurate, all legitimate assets stored in Orchard by users can be successfully withdrawn.

Conversely, if hackers have already exploited the vulnerability to create fake tokens and transferred them into the fund pool, the current transfer channels will limit the total withdrawal amount, with the withdrawal cap equal to the initial legitimate amount of tokens deposited. In this case, if fake tokens are transferred out first, some users’ legitimate assets may not be fully retrievable.

We believe the probability of the aforementioned extreme scenario occurring is low. If users still have concerns, they can withdraw their assets from the Orchard pool, but before doing so, they need to understand the potential risks of different withdrawal methods:
- Transfer to a public address (t address): The transfer amount and time will be completely public, and assets will form a public association with that address, completely losing privacy.
- Transfer to the Sapling privacy pool: The transfer amount and time will still be recorded, but assets will not be bound to specific addresses or historical transactions, providing better privacy than a public address. It should be noted that Sapling relies on a trusted setup ceremony completed in 2018, which itself poses additional security risks.
- Wallet: Currently, among mainstream self-custody wallets, only YWallet and Zkool support the Sapling pool.
- Other wallets or custodial platforms: There may also be risks of operational errors, software failures, platform risk control issues, and other unexpected problems.
Overall, the risks mentioned above are within a controllable range. Considering the judgment that “the vulnerability has a high probability of not being exploited,” keeping assets in the original privacy wallet is a prudent choice. If operational safety can be ensured, withdrawing assets is also acceptable, and individuals can decide based on their own situation.
Can users independently verify that the total amount of Zcash has not been inflated?
For now, this is not possible. Because of this vulnerability, ordinary users cannot independently verify whether the total amount of tokens in the current privacy pool has been inflated.

However, the planned Ironwood network upgrade will address this issue, and the specific logic is as follows:

This upgrade will completely shut down the Orchard pool, disallowing new assets from being added, and tokens within the pool will not circulate internally; all assets can only be withdrawn through existing channels. The total amount of withdrawals from this set of channels will strictly equal the original number of legitimate tokens deposited, fundamentally preventing excessive outflow of tokens.
After the upgrade is completed, anyone running a node will be able to verify the compliance of the total amount of tokens. Even if fake tokens had existed previously, they would no longer be able to circulate inside the Orchard pool and inflate the overall issuance. Users will not need to speculate about the actions of hackers or other users, because the protocol itself ensures that tokens cannot be overissued.
This is crucial because Zcash's long-term credibility is based on users being able to independently verify the total amount of tokens. The Ironwood upgrade will restore this ability to users.
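The withdrawal cap described above, together with the earlier point that forged tokens withdrawn first could leave legitimate holders short, can be seen in a simplified accounting model. This is an example added here, not Zcash consensus code or code from the authors; the class and function names and all amounts are constructed for illustration.

```python
from dataclasses import dataclass

class PoolRuleViolation(Exception):
    """A transfer that the simplified pool rule rejects."""

@dataclass
class PoolLedger:
    """Public totals a node can track without seeing inside the pool (hypothetical model)."""
    deposited: int = 0    # value that entered the pool through legitimate deposits
    withdrawn: int = 0    # value that has left the pool so far
    closed: bool = False  # True once no new deposits are accepted

    @property
    def balance(self) -> int:
        return self.deposited - self.withdrawn

    def deposit(self, amount: int) -> None:
        if self.closed:
            raise PoolRuleViolation("pool is closed to new deposits")
        self.deposited += amount

    def withdraw(self, amount: int) -> None:
        # The cap: cumulative withdrawals may never exceed cumulative deposits.
        if amount > self.balance:
            raise PoolRuleViolation("withdrawal exceeds remaining pool balance")
        self.withdrawn += amount

def run_withdrawals(deposited, requests):
    """Apply (label, amount) withdrawal requests in order against a closed pool.

    Labels exist only for this simulation's bookkeeping; the ledger itself
    cannot tell a forged note from a legitimate one.
    """
    pool = PoolLedger()
    pool.deposit(deposited)
    pool.closed = True
    paid, rejected = {}, {}
    for label, amount in requests:
        try:
            pool.withdraw(amount)
            paid[label] = paid.get(label, 0) + amount
        except PoolRuleViolation:
            rejected[label] = rejected.get(label, 0) + amount
    return paid, rejected, pool

# Constructed scenario: 100 units legitimately deposited, 30 units forged inside the pool.
LEGIT_FIRST = [("legit", 60), ("legit", 40), ("forged", 30)]
FORGED_FIRST = [("forged", 30), ("legit", 60), ("legit", 40)]
```

In both orderings the total leaving the pool never exceeds the 100 units deposited, so the overall supply is not inflated; only the forged-first ordering leaves a legitimate holder unable to withdraw.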
How to confirm that there are no other token fraud vulnerabilities in the project?
At this stage, a definitive answer cannot be provided, but we have reason to believe that no similar vulnerabilities currently exist.
Shielded Labs has collaborated with multiple teams to conduct a comprehensive review of the Zcash protocol, focusing on searching for token fraud vulnerabilities. During the review process, the team also used the yet-to-be-released Mythos artificial intelligence model from Anthropic to assist in detection. We will publish an article later detailing the process and results of this review.
As of now, the team has not discovered any new fraud vulnerabilities. This screening involved senior technical personnel, professional security teams, and advanced AI analysis tools, which also gives us more confidence that no other similar high-risk vulnerabilities currently exist.
Meanwhile, we have also joined forces with partners such as the Tachyon project to conduct additional testing to further strengthen security defenses, and related progress will be announced later.
Summary
This Orchard vulnerability raises four core questions: Has the vulnerability been exploited? Can legitimate assets be retrieved? Can the total amount of tokens be verified? Are there other fraud vulnerabilities?
Based on the existing review results, we assess that the likelihood of the vulnerability having been exploited previously is very low; user assets are therefore safe, and the total amount of tokens remains normal. After repeated tests by multiple independent teams, we are increasingly confident that the project does not have any other undisclosed fraud vulnerabilities.
However, one undeniable point remains: current users cannot independently verify the total amount of tokens. The upcoming network upgrade will completely resolve this issue. After the upgrade, the Orchard pool will be permanently closed, allowing users to independently verify the total amount of tokens without needing to assess whether token fraud has occurred.