Zcash developers and researchers are discussing whether a new shielded pool could help restore supply verification confidence after a recently patched Orchard vulnerability.
Shielded Labs, an independent Swiss-based Zcash support organization, said in a security update on Friday that it is exploring a proposed network upgrade that would deploy a new shielded pool and enforce “turnstile accounting” on coins moving from Orchard, giving users a clearer way to verify the integrity of funds moving out of the pool.
The group said the proposal is still subject to further explanation and community review. Shielded Labs said it plans to publish a follow-up post next week explaining how the upgrade would work and what tradeoffs it could involve.
Zcash Open Development Lab (ZODL) founder Josh Swihart said in a separate X post that a second Orchard pool could, in principle, be targeted for Zcash’s NU7 upgrade at the end of July. However, he said he was not taking a fixed position on whether the community should build a second Orchard pool.
The discussion follows an emergency Zcash upgrade that patched an Orchard vulnerability Shielded Labs said could have allowed counterfeit ZEC within the pool, though it said prior exploitation was unlikely.
Cointelegraph reached out to ZODL, the Zcash team and Shielded Labs for comment but had not received a response by publication.
Source: Josh Swihart
ZEC falls after vulnerability disclosure
In the security update, Shielded Labs said the Orchard vulnerability could have allowed a bad actor to create an unlimited amount of counterfeit ZEC within the Orchard pool. The group said there is no cryptographic way to prove whether the bug had been exploited before it was fixed, though it believes that prior exploitation is unlikely.
As Cointelegraph reported on Wednesday, Zcash developers temporarily suspended Orchard transactions after discovering the vulnerability and restored functionality through an emergency network upgrade.
On Friday, ZEC fell by around 50% from a daily high of $550.30 to as low as $264.80 after the team publicly disclosed the vulnerability, according to CoinGecko data. The token had recovered to $308.07 at the time of writing, still down sharply from its Friday high.
Zcash token’s 24-hour price chart. Source: CoinGecko
While the market crashed, some community members defended the team’s response to the incident. Justin Bons, founder and chief investment officer of CyberCapital, said the market was overreacting because the bug had been fixed and “the good guys caught it first.”
Gemini co-founder Cameron Winklevoss said the discovery reflected Zcash’s investment in security researchers rather than a reason for alarm, arguing that bugs are inevitable in layer-1 networks and that the key issue is whether teams can find and fix them before attackers do.
Related: Crypto exploit losses in May fall 90% over month to $68M: CertiK
Formal verification enters security debate
The incident renewed discussion around formal verification, a method that uses mathematical proofs to check whether software or cryptographic circuits follow their intended specifications.
Zcash developer and cryptography researcher Sean Bowe said that shielded protocols provide privacy by relying on cryptographic assumptions to preserve supply integrity. He said the long-term answer is to make shielded protocols and their implementations formally verifiable.
Swihart echoed that view, saying the Orchard vulnerability was a flaw in the circuit’s handwritten rules rather than in the underlying cryptography. He said formal verification could reduce human review to a concise specification and allow computers to check whether the circuit matches those rules.
Wei Dai, a research partner at blockchain venture firm 1kx, also said in an X post that the Orchard circuit bug appeared “obvious in retrospect” but had been missed by diligent protocol designers, cryptographers and auditors. He said expanding formal verification coverage is “probably the only long-term solution.”
Magazine: Bitcoin miners are pivoting to AI, so why is the hashrate near ATHs?
#Zcash #Developers #Weigh #Shielded #Pool #Orchard #Bug