📌 Zcash fixes critical vulnerability in Orchard while ZEC trades at $600.
The Zcash Foundation announced Wednesday that developers have patched a serious vulnerability in the Orchard shielded pool that could have allowed invalid state transitions, potentially enabling double-spending within the pool.
According to the notice, Zcash researcher Taylor Hornby, who conducts ongoing protocol audits on behalf of Shielded Labs, discovered a critical weakness in Orchard's zero-knowledge proof scheme on May 29 and notified Zcash Open Development Lab (ZODL) core engineers the same day.
A vulnerability in a system is a flaw that can allow the system to accept something it should reject. In this case, successful exploitation could have allowed the Orchard pool to accept invalid state transitions, potentially allowing a double spend in Orchard, but without the ability to increase the total amount of ZEC, which is protected by the Zcash turnstile mechanism, the Foundation explained.
After the weakness was discovered, Zcash developers, miners and infrastructure operators privately coordinated the preparation of a patch, keeping the details secret to prevent exploitation.
The first attempt at a soft fork encountered technical difficulties, but engineers promptly released an updated patch that was successfully activated on June 2, temporarily suspending Orchard-related transactions. On June 3, the network completed a full NU6.2 hard fork upgrade, restoring Orchard functionality with the patched code and finally fixing the vulnerability.
The Foundation stated that there is no evidence that the bug has been exploited, as no unauthorized value creation has been recorded. It also confirmed that the total ZEC supply remains safe and that the issue did not affect the confidentiality of funds stored in any Zcash pool.
After the update, reports that the network was not working spread on social media, causing confusion among community members. A number of posts claimed that Zcash had not produced blocks for more than four hours.
However, Mert Mumtaz, CEO of Solana infrastructure company Helius, refuted these claims, stating that the network was not down, but that the explorer applications were connected to the wrong node.
In a series of posts on X, Zcash blockchain explorer CipherScan confirmed the issue, explaining that its nodes were being updated to support the recent NU6.2 network update.
What really happened is that Zcash released a coordinated network update (NU6.2) that required all node operators to perform the update. Important distinction. (…) Blockchain explorers are just readers. They receive data from a node, analyze it, and display it. If the node is updated or resynchronized, the explorer becomes obsolete, the report says.
Despite the resulting confusion, the price of ZEC continued to go against the general market trend, rising 8% intraday and retesting the $636 level on Wednesday morning. Notably, the cryptocurrency has risen about 20% over the past two days while most of the market declined.