Zcash disclosed a critical four-year-old vulnerability on Friday that had the potential to create counterfeit coins, according to Shielded Labs, an organization supporting Zcash's development. The bug was fixed earlier this week. Because of Zcash's privacy features that shield transaction details, there is no definitive way to determine using only cryptography whether the vulnerability was exploited, Shielded Labs stated in its disclosure. Privacy coins like Zcash use zero-knowledge proofs to allow users to switch between transparent and shielded address types, creating inherent tradeoffs between transaction privacy and supply auditability.
Zcash Price Falls 33% Following Vulnerability Disclosure
Zcash tanked to its lowest point in over a month following the disclosure. The digital asset recently changed hands around $350, a 33% decrease over the past day, according to CoinGecko, after falling below $265 overnight. Zcash allows users to hide transaction details, featuring a design where they can switch between address types that are either transparent or shielded using zero-knowledge proofs.
Privacy Features Prevent Definitive Audit of Exploit Scope
"There is no definitive way to determine, using only cryptography, whether such exploitation occurred," Shielded Labs said in its disclosure, noting that the four-year-old vulnerability was fixed earlier this week. Rob Hamilton, CEO of Bitcoin insurance firm AnchorWatch, argued on X, "This will happen again in Zcash. You'll just never be able to prove it because you can't audit the supply."
Experts Cite Historical Precedents in Privacy Coin Vulnerabilities
Nic Carter, founding partner of investment firm Castle Island Ventures, told Decrypt that the tradeoff between privacy and auditability is not a foreign concept for people who have followed the crypto market for years. He pointed to a Zcash bug discovered in 2018 that theoretically allowed bad actors to mint counterfeit coins before it was fixed the following year. In 2017, Zcash's chief competitor, Monero, also patched a bug that allowed for the creation of an unlimited number of coins.
"I don't think it's game over for Zcash," Carter added. "Some newcomers to the space, they might be a little perturbed by it, but it's basically part of the deal."
Seth Simmons, COO of Cake Wallet, praised Shielded Labs on X for fixing the exploit quickly, working with stakeholders, and being honest and transparent so Zcash's whole ecosystem could improve. "No Monero folks should be looking to dunk on Zcash," he added. "It's a natural downside to building out privacy as the default in these systems."
AI Model Identifies Vulnerability in Zero-Knowledge Proof Systems
The vulnerability was identified using Anthropic's recently released Claude Opus 4.8 model, according to Shielded Labs. Carlos Guzman, vice president of research at crypto trading firm GSR, told Decrypt that the development carries implications that are "a little bit concerning."
"There aren't many experts that are familiar with these circuits, so they are kind of hard to hack," Guzman added, referring to systems that use zero-knowledge proofs. "But with AI, [...] the ability to find bugs in these systems is getting democratized."
FAQ
What vulnerability did Zcash disclose on Friday?
Zcash disclosed a critical four-year-old vulnerability that had the potential to create counterfeit coins. Shielded Labs stated the bug was fixed earlier this week, but noted there is no definitive way to determine using only cryptography whether the vulnerability was exploited due to Zcash's privacy features.
How did the vulnerability disclosure affect Zcash's price?
Zcash fell 33% over the past day, recently changing hands around $350 according to CoinGecko, after falling below $265 overnight. The digital asset tanked to its lowest point in over a month following the disclosure on Friday.
How was the Zcash vulnerability identified?
The vulnerability was identified using Anthropic's recently released Claude Opus 4.8 model, according to Shielded Labs. Carlos Guzman of GSR told Decrypt that AI is democratizing the ability to find bugs in zero-knowledge proof systems, which are typically hard to hack due to limited expert familiarity with these circuits.
