Zcash Resolves Critical Orchard Vulnerability in Swift Emergency Upgrade

In a rapid response to a critical vulnerability, Zcash developers have temporarily halted transactions in their Orchard privacy pool, effectively triggering an emergency network upgrade aimed at safeguarding user assets and restoring seamless operations.

The Zcash Foundation reported on Thursday that the flaw concerned the zero-knowledge proof circuit of Orchard, potentially allowing for invalid state transitions within the privacy pool. Fortunately, the Foundation emphasized that there is no evidence of any exploitation or unauthorized value creation, and, crucially, user privacy remains intact.

This emergency fix was executed via a two-step upgrade process. The first phase, Zebra 4.5.3, disabled Orchard transactions to prevent any adverse outcomes, followed by the activation of Zebra 5.0.0 that introduced the NU6.2 upgrade to rectify the bug and restore full transaction functionality. This incident underscores the delicate intricacies involved in maintaining privacy infrastructure on decentralized networks, showing the necessity for coordinated action among miners, exchanges, and node operators.

However, the upgrade did not come without its complications. Reports of network instability surfaced, much to the concern of community members. One Zcash block explorer indicated discrepancies, showing block 3,364,601 as the latest mined block at 5:27 a.m. UTC, while claiming it was mined several hours earlier. This confusion led to circulating claims on social media that the Zcash network was momentarily non-operational.

Reacting to the claimed disruptions, Tatyana, a contributor from the Zcash Open Development Lab, confirmed a brief “period of instability” occurred as miners assimilated the new consensus rules. The network's stability was said to have been restored by approximately 3:00 a.m. Eastern Time on June 2.

The vulnerability was first identified on May 29 by independent security researcher Taylor Hornby during a protocol audit for Shielded Labs. Following the discovery, core engineers from ZODL were informed and began discussing remediation strategies to rectify the issue.

Amid discussions of the incident, Mert Mumtaz, CEO of Solana infrastructure firm Helius, assured the community that the network was “not down,” attributing the explorer errors to connection issues with a faulty node. In contrast, other community members expressed concerns about the freeze on Orchard transactions, indicating that miners and developers had intentionally paused the shielded pool to address the identified bug.

During this period, Zcash’s native currency, ZEC, saw a notable dip, falling below $600 before recovering to $614 as the market reacted to the news of the incident.

As Zcash continues to navigate the complexities of maintaining robust privacy features, this incident serves as a reminder of the ever-evolving challenges that stand in the path of cryptocurrency networks striving for resilience and security.

Source: CoinTelegraph Blockchain