Original authors: Shielded Labs CEO Jason McGee, Zcash founder Zooko Wilcox
Compiled by: Odaily Planet Daily, Qin Xiaofeng (@QinXiaofeng888)

Editor's note: On June 5, Beijing time, the privacy project Zcash was revealed to have a critical forgery vulnerability in Orchard, its next-generation shielded pool, which sent the Zcash token ZEC tumbling to around $250. Roughly ten days later, market panic has eased and the ZEC price has rebounded, returning to $500 today.
This morning, Zcash founder Zooko Wilcox issued a lengthy response to market concerns. He stated that the likelihood of the Orchard vulnerability being exploited was quite low, and legitimate Orchard funds could be recovered; currently, users cannot independently verify whether the Zcash supply has exceeded the limit, but the Ironwood upgrade will preserve the Orchard pool and restore this verification capability; no other forgery vulnerabilities have been found during continuous review, but full certainty will require more work.
Below is the original text from Zooko Wilcox, compiled by Odaily Planet Daily, enjoy~
————————————
The recent Orchard vulnerability has raised important questions about Zcash's supply and user fund security. The discussion has mixed numerous different topics, making it difficult to understand the actual impact of the vulnerability on users. This article attempts to separate these issues and explain their significance to users one by one.
The Orchard vulnerability raises four important questions:
- Has the Orchard vulnerability ever been exploited?
- Can legitimate Orchard funds be recovered?
- Can users verify that the supply of Zcash has not been inflated?
- How do we know that there are no other forgery vulnerabilities?
Has the Orchard vulnerability ever been exploited?
Unknown. We believe the likelihood of previous exploitation is low, although it cannot be completely ruled out. We think the vulnerability has likely not been exploited for three reasons:
Despite continuous review by many of the world's top cryptographers and security researchers over the years, the vulnerability was not discovered until recently. Its eventual discovery was not by chance: it was identified by Taylor Hornby of Shielded Labs, whose goal was to proactively identify such security vulnerabilities before malicious attackers could exploit them. Taylor used advanced AI-assisted security research techniques and a custom-built tool designed specifically to find subtle flaws that others had missed, flaws that would be harder to spot for anyone less familiar with the Zcash codebase.
Once the vulnerability was discovered, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, thus limiting any opportunity window for an attack.
Exploitation of vulnerabilities in cryptocurrency is common, and attackers usually cash out as quickly as possible, especially after a vulnerability is publicly disclosed. To profit from this vulnerability, attackers would need to exchange forged ZEC for valuable assets, which typically leads to ZEC flowing out of the Orchard pool through a turnstile mechanism. If the vulnerability had been exploited before the fix was implemented, we expect evidence would have emerged by now. Historically, cryptocurrency exploitation has usually been "grab-and-run" operations rather than strategies that remain hidden for months or even years like a "4D chess" approach.
Can legitimate Orchard funds be recovered?
We believe they can, because we think the vulnerability has never been exploited. If this assessment is correct, all legitimate Orchard funds can still be fully recovered.

On the other hand, if forgery did occur in Orchard, the existing turnstile mechanism would limit the total amount that can be withdrawn from the pool to the legitimate amount of ZEC that entered it. Therefore, if forged funds were moved out ahead of legitimate funds, users would be unable to recover part or all of the legitimate Orchard funds.

We believe this scenario is unlikely to happen. However, for more cautious users, it is still recommended to transfer their ZEC out of Orchard. But before taking this action, they should understand the following points:
- Transferring funds to a transparent pool (i.e., to a t address) will expose the transfer amount and the transfer time, and these funds will also be publicly linked to that t address.
- Transferring funds from the Orchard pool to the Sapling pool will expose the transfer amount and transfer time, but unlike transferring to a t address, it will not associate these funds with a specific address or transaction history.
- The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on the security of that trusted setup poses an additional risk for users.
- To our knowledge, YWallet and Zkool are currently the only widely used self-custody Zcash wallets that support the Sapling pool.
- Transferring funds to a new wallet or custodial service introduces additional risks, including user error, software defects, custodial risks, or other unforeseen issues.
Overall, we believe that the level of risk is moderate. If your funds are currently held in a shielded self-custody wallet, given our assessment that previous forgery is unlikely, it is a reasonable choice to leave them there. If you have a secure way to transfer funds elsewhere, that may also be a reasonable option. Users can draw different conclusions based on their individual circumstances.
Can users verify that the supply of Zcash has not been inflated?
Not currently. Because of the vulnerability, users cannot independently verify that the ZEC circulating in the current shielded pool does not exceed the correct amount.

However, as we pointed out in a previous article, the Ironwood upgrade restores this capability. The following diagram illustrates the reason.

The proposed network upgrade addresses this issue by strengthening the guarantee that no further unknown forgery vulnerabilities remain and by preserving the Orchard pool: new funds can no longer enter, and funds already in the pool can no longer circulate within it. The only remaining pathway is to exit through the existing turnstile mechanism, which ensures that the ZEC flowing out of the Orchard pool never exceeds the legitimate amount that entered it.
This change restores the ability to verify the integrity of Zcash supply.
Currently, if there are forged funds in the Orchard pool, they can continue to circulate within the pool. After the upgrade, this will no longer be possible. Regardless of whether forgery has occurred, anyone running a node can verify that the circulating ZEC does not exceed the correct amount.
Users do not need to wait for funds to exit Orchard, nor do they need to infer the potential behavior of attackers or other users. The protocol itself provides verifiable guarantees: excess ZEC cannot continue to circulate within Orchard and inflate the supply.
This is important because the long-term credibility of Zcash depends on whether users can independently verify the integrity of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limits are being enforced.
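The turnstile rule described above (in the section on recovering Orchard funds and again here for Ironwood) is easy to model as the check a node performs on public data alone. The following is an added example, not Zcash consensus code: it tracks each shielded pool's net value balance, rejects any withdrawal that would exceed what legitimately entered, and, for a frozen pool, rejects inflows and in-pool spends so that only exits remain. Pool names, the transaction fields and every amount are constructed for the illustration; the real consensus rules have more cases than shown here.

```python
# Added example (not Zcash code): a simplified model of the per-pool value
# "turnstile" that a node can enforce from public transaction data alone.
# Pool names, the Tx fields and all amounts are constructed for illustration.
from dataclasses import dataclass


class TurnstileError(Exception):
    """Raised when a transaction would violate a pool's value-balance rule."""


@dataclass
class PoolState:
    name: str
    balance: int = 0        # value that entered the pool minus value that left
    frozen: bool = False    # Ironwood-style: no inflows, no in-pool spends


@dataclass
class Tx:
    txid: str
    # Public value balance of the shielded bundle:
    #   > 0 : value leaves the pool (unshielding)
    #   < 0 : value enters the pool (shielding)
    #   = 0 : value stays inside the pool (shielded-to-shielded transfer)
    value_balance: int


def apply_tx(pool: PoolState, tx: Tx) -> PoolState:
    """Return the pool state after tx, or raise if consensus would reject it.

    The check only sees the public value balance, so forged notes created
    inside the pool are invisible to it. What it does guarantee is that
    cumulative outflow never exceeds cumulative inflow: the pool can never
    push extra ZEC into the rest of the supply.
    """
    vb = tx.value_balance
    if pool.frozen and vb < 0:
        raise TurnstileError(f"{tx.txid}: pool {pool.name} is frozen; inflow rejected")
    if pool.frozen and vb == 0:
        raise TurnstileError(f"{tx.txid}: pool {pool.name} is frozen; internal spend rejected")
    new_balance = pool.balance - vb
    if new_balance < 0:
        raise TurnstileError(
            f"{tx.txid}: withdrawing {vb} exceeds pool {pool.name} balance {pool.balance}"
        )
    return PoolState(pool.name, new_balance, pool.frozen)


def apply_block(pool: PoolState, txs: list[Tx]) -> PoolState:
    """Apply a block's transactions in order; any failure rejects the block."""
    for tx in txs:
        pool = apply_tx(pool, tx)
    return pool


def verifiable_supply_bound(transparent_supply: int, pools: list[PoolState]) -> int:
    """Upper bound on circulating ZEC computable from public data: transparent
    coins plus what each pool's turnstile could still let out."""
    return transparent_supply + sum(p.balance for p in pools)


def run_scenario() -> dict:
    """Walk through the situations the post describes, with constructed amounts."""
    orchard = PoolState("orchard")
    # Two legitimate deposits of 100 and 50.
    orchard = apply_block(orchard, [Tx("shield-1", -100), Tx("shield-2", -50)])
    # An in-pool transfer has value balance 0: the node cannot tell whether
    # the notes being spent are legitimate or forged.
    orchard = apply_block(orchard, [Tx("internal-1", 0)])
    # Withdrawals up to 150 succeed; one unit more is rejected by the turnstile.
    orchard = apply_block(orchard, [Tx("unshield-1", 150)])
    try:
        apply_block(orchard, [Tx("unshield-2", 1)])
        overdraw_rejected = False
    except TurnstileError:
        overdraw_rejected = True

    # After an Ironwood-style freeze only exits remain possible.
    frozen = PoolState("orchard", balance=40, frozen=True)
    outcome = {}
    for label, tx in [("inflow", Tx("shield-3", -10)), ("internal", Tx("internal-2", 0))]:
        try:
            apply_tx(frozen, tx)
            outcome[label] = "accepted"
        except TurnstileError:
            outcome[label] = "rejected"
    frozen = apply_tx(frozen, Tx("unshield-3", 40))
    return {
        "balance_after_withdrawals": orchard.balance,
        "overdraw_rejected": overdraw_rejected,
        "frozen_inflow": outcome["inflow"],
        "frozen_internal": outcome["internal"],
        "frozen_final_balance": frozen.balance,
        "supply_bound": verifiable_supply_bound(1000, [orchard, frozen]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes concrete is the one the post relies on: before the freeze, a zero-value-balance transfer inside the pool tells the node nothing about whether forged notes exist, which is why supply inside Orchard cannot be verified today; after the freeze, the only accepted transactions are exits, and the running balance bounds how much can ever leave, so the supply bound a node computes no longer depends on what happened inside the pool.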
How do we know that there are no other forgery vulnerabilities?
We cannot be completely certain at this point, but we have reason to believe that no other vulnerabilities exist. Shielded Labs and several other teams have been carefully reviewing the Zcash protocol for other forgery vulnerabilities. This included searching for additional vulnerabilities using the unreleased Mythos AI model, with the assistance of Anthropic, shortly before Mythos was suspended. We plan to share more details about this review and its findings in subsequent blog posts.
So far, no other forgery vulnerabilities have been found. The high level of expertise involved in this search, the effort invested, and the advanced AI-assisted analysis have increased our confidence that no similar vulnerabilities remain undiscovered.
Furthermore, we are working with projects like the Tachyon Project to provide additional assurances that no more forgery vulnerabilities exist in Zcash. We will provide further clarification in future blog posts.
Conclusion
The Orchard vulnerability presents four important questions: whether the vulnerability has ever been exploited, whether legitimate Orchard funds can be recovered, whether users can verify that the supply of Zcash has not been inflated, and whether there are other undiscovered forgery vulnerabilities.
We believe the likelihood of previous exploitation is low, therefore legitimate Orchard funds can be recovered, and the current supply of Zcash is safe. Based on the ongoing reviews by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered forgery vulnerabilities exist. However, users currently cannot verify the safety of the Zcash supply, nor should they rely on our assessment—or anyone else's assessment.
The proposed network upgrade addresses this issue. By preserving the Orchard pool, it restores the ability of users to independently verify the safety of the Zcash supply. Users no longer need to determine whether forgery has occurred to verify whether the protocol's supply limits are being complied with.