Key facts
- Zcash restored transaction functionality after an emergency network upgrade.
- A critical vulnerability was discovered in the Orchard shielded pool's zero-knowledge proof circuit.
- The vulnerability could have allowed invalid state transitions within the Orchard pool.
- The Zcash Foundation stated there was no evidence of exploitation or unauthorized value creation.
- User privacy was not affected by the vulnerability.
- The fix involved a two-step emergency upgrade: disabling Orchard actions then re-enabling it with a corrected circuit.
Zcash has successfully restored transaction functionality following an emergency network upgrade to address a critical vulnerability found in the Orchard shielded pool. The Zcash Foundation confirmed that the vulnerability affected the zero-knowledge proof circuit within Orchard and had the potential to permit invalid state transitions. However, the Foundation emphasized that there was no evidence to suggest the bug was exploited, no unauthorized value creation was detected, and crucially, user privacy remained unaffected. The resolution was implemented through a two-step emergency upgrade process. Initially, Zebra version 4.5.3 was used to temporarily disable Orchard actions. Subsequently, Zebra version 5.0.0 activated the NU6.2 upgrade, which re-enabled Orchard with a corrected circuit, thereby resolving the issue. The Zcash Open Development Lab noted that the network experienced brief instability as miners upgraded their systems.