Authors: Zooko Wilcox, Jason McGee
Compiled by: Luffy, Foresight News
Recently, a security vulnerability was exposed in Zcash's Orchard module, raising two major concerns for the community: Is the total supply of ZEC tokens abnormal? Are user assets safe?
Current discussions intertwine several different topics, making it difficult for many to understand the actual impact of this vulnerability on ordinary users. This article addresses these questions one by one and explains what each answer means in practice.
This Orchard vulnerability primarily raises four key questions:
- Has the vulnerability been exploited by hackers?
- Can users' legitimate assets stored in Orchard be withdrawn normally?
- Can users independently verify that the total supply of Zcash has not been artificially inflated?
- How can we confirm that the project does not contain other similar token forgery vulnerabilities?
Has the Vulnerability Been Exploited?
Currently, there is no definitive conclusion. Overall, the likelihood of the vulnerability being maliciously exploited previously is low, but we cannot rule it out with 100% certainty. There are three main reasons:
- For many years, numerous top global cryptographers and security researchers have been reviewing the Zcash code, and this vulnerability remained undiscovered. This vulnerability was proactively found by Shielded Labs' Taylor Hornby during targeted investigations, not accidentally exposed. He leveraged AI-powered security detection technology and custom tools specifically designed to uncover this type of hidden flaw. Such vulnerabilities have a high technical barrier; it would be difficult for individuals not specialized in the Zcash codebase to find and exploit them.
- Upon the vulnerability's exposure, the Zcash development team immediately collaborated with major mining pools to temporarily freeze the Orchard pool and push a fix, significantly narrowing the window of opportunity for attackers.
- Most attacks in the cryptocurrency space aim for quick profits. Once a vulnerability is public, hackers typically cash out immediately. To profit from this vulnerability, a hacker would need to transfer the forged ZEC out of the Orchard pool and exchange it for other assets. Such operations generally leave traces. If the vulnerability had been exploited long ago, evidence should have emerged by now. Throughout industry history, hackers' modus operandi is typically "strike and disappear quickly," not deliberately hiding for months or even years.
Can Legitimate Assets in Orchard Be Withdrawn?
We believe they can be withdrawn normally, provided the vulnerability has never been exploited. If this assessment holds true, all legitimate assets users have deposited into Orchard can be successfully transferred out.
Conversely, if hackers have already used the vulnerability to create counterfeit tokens and placed them in the pool, the existing withdrawal channels still cap the total amount that can leave the pool: the limit equals the total amount of legitimate tokens originally deposited. In that scenario, if counterfeit tokens are withdrawn first, some users' legitimate assets might not be fully recoverable.
We consider the likelihood of this extreme scenario to be low. If users still have concerns, they can move their assets out of the Orchard pool. However, before doing so, it's important to understand the potential risks of different withdrawal methods:
- Transferring to a transparent address (t-address): The transfer amount and time will be fully public, and the assets will become publicly associated with that address, completely losing privacy.
- Transferring to the Sapling shielded pool: The transfer amount and time will still be recorded, but it won't link the assets to a specific address or transaction history, offering better privacy than transparent addresses. Note that Sapling relies on a trusted setup ceremony completed in 2018, which itself carries additional security considerations.
- Wallets: Among mainstream self-custody wallets, currently only YWallet and Zkool support the Sapling pool.
- Other wallets or custodial platforms: There may also be risks of operational errors, software faults, platform risk controls, and other unexpected issues.
Overall, these risks are manageable. Combined with the assessment that "the vulnerability was most likely not exploited," keeping assets in the original shielded wallet is a prudent choice. If users can ensure operational safety, withdrawing assets is also a viable option. Users should decide based on their individual circumstances.
Can Users Independently Verify That Zcash's Total Supply Has Not Been Inflated?
Currently, this is not possible. Due to the existence of this vulnerability, ordinary users cannot independently verify whether the total token supply within the shielded pools has been inflated.
However, the planned Ironwood network upgrade will address this issue. The logic is as follows:
This upgrade will permanently close the Orchard pool, disallowing new asset deposits. Tokens within the pool will no longer be able to move internally; all assets can only be withdrawn through the original channels. The total withdrawal amount from these channels strictly equals the amount of legitimate tokens originally deposited, fundamentally preventing any excess outflow of tokens.
After the upgrade is complete, anyone running a node will be able to verify that the total token supply is compliant. Even if counterfeit tokens were created in the past, they will no longer be able to circulate within the Orchard pool, so they cannot artificially inflate the total supply. Users won't need to speculate about the actions of hackers or other users; the protocol itself will guarantee that token over-issuance cannot occur.
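The two mechanisms described above (the withdrawal cap in the section on legitimate assets, and the pool closure in this section) can be made concrete with a small accounting model. The following is an added toy example, not Zcash's code and not code from the article's authors: it assumes a validator sees only each pool's net public balance (deposits in minus withdrawals out), that individual notes inside the pool are private, that a withdrawal is accepted only when it does not exceed that balance, and that "closing" a pool rejects deposits and internal transfers while still allowing withdrawals. The class and function names, the constructed scenario (100 coins issued, 15 deposited, a hypothetical 12-unit unbacked note) and the idea of modelling a forgery only by its consequence are all assumptions made for illustration.

```python
# Added toy model of shielded-pool value accounting (not Zcash's code).
# Hypothetical assumptions: validators see only a pool's public net balance;
# notes inside the pool are private; a withdrawal must fit in that balance;
# a closed pool refuses deposits and internal transfers but still allows exits.


class PoolClosed(Exception):
    """Raised for operations a closed pool no longer permits."""


class ShieldedPool:
    def __init__(self, name: str) -> None:
        self.name = name
        self.balance = 0        # validator-visible: deposits minus withdrawals
        self.withdrawn = 0      # running total released across the pool boundary
        self.closed = False
        self._notes: list = []  # private note values; None marks a spent note

    def deposit(self, amount: int) -> int:
        """Move public value into the pool; returns the new note's index."""
        if self.closed:
            raise PoolClosed(f"{self.name}: deposits no longer accepted")
        self.balance += amount
        self._notes.append(amount)
        return len(self._notes) - 1

    def internal_transfer(self, note_idx: int, split: int) -> int:
        """Spend a note inside the pool into two notes of the same total.
        The public balance is untouched: nothing crossed the pool boundary."""
        if self.closed:
            raise PoolClosed(f"{self.name}: internal transfers no longer accepted")
        value = self._notes[note_idx]
        assert value is not None and 0 < split < value
        self._notes[note_idx] = None
        self._notes.extend([split, value - split])
        return len(self._notes) - 2          # index of the `split` note

    def record_unbacked_note(self, amount: int) -> int:
        """Models only the *consequence* of a hypothetical forgery flaw: a note
        nobody deposited appears inside the pool. The validator never saw value
        enter, so the public balance does not change."""
        self._notes.append(amount)
        return len(self._notes) - 1

    def withdraw(self, note_idx: int) -> bool:
        """Release a note to the public side; refused if it exceeds the balance."""
        value = self._notes[note_idx]
        if value is None or value > self.balance:
            return False                     # cap: a pool cannot release more than it received
        self.balance -= value
        self.withdrawn += value
        self._notes[note_idx] = None
        return True

    def hidden_note_total(self) -> int:
        """What the pool really holds; not observable by a validator."""
        return sum(v for v in self._notes if v is not None)

    def close(self) -> None:
        self.closed = True


def visible_supply(transparent: int, pools) -> int:
    """The supply a node can check: public coins plus each pool's public balance."""
    return transparent + sum(p.balance for p in pools)


def _rejected(op) -> bool:
    try:
        op()
        return False
    except PoolClosed:
        return True


def run_scenario() -> dict:
    """Constructed scenario: 100 coins issued, 15 deposited into the pool."""
    transparent = 85
    orchard = ShieldedPool("Orchard")
    alice = orchard.deposit(10)
    bob = orchard.deposit(5)
    bob_small = orchard.internal_transfer(bob, 2)     # bob now holds notes of 2 and 3
    bob_large = bob_small + 1
    forged = orchard.record_unbacked_note(12)         # hypothetical 12-unit unbacked note
    out = {
        "deposited": 15,
        "visible_balance": orchard.balance,                        # 15: forgery invisible
        "hidden_note_total": orchard.hidden_note_total(),          # 27: actual contents
        "supply_before": visible_supply(transparent, [orchard]),   # 100
    }
    # Worst case from the article: the forged note leaves first.
    out["forged_withdraw"] = orchard.withdraw(forged)              # True, balance -> 3
    transparent += 12
    out["alice_withdraw"] = orchard.withdraw(alice)                # False: 10 > 3
    orchard.close()                                                # Ironwood-style closure
    out["deposit_rejected_after_close"] = _rejected(lambda: orchard.deposit(1))
    out["transfer_rejected_after_close"] = _rejected(lambda: orchard.internal_transfer(bob_large, 1))
    out["bob_large_withdraw"] = orchard.withdraw(bob_large)        # True: exits still allowed
    transparent += 3
    out["bob_small_withdraw"] = orchard.withdraw(bob_small)        # False: balance is 0
    out["total_withdrawn"] = orchard.withdrawn                     # 15, never above deposits
    out["supply_after"] = visible_supply(transparent, [orchard])   # still 100
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>30}: {value}")
```

Running the scenario shows both sides of the article's argument: total outflow never exceeds the 15 units that publicly entered the pool and the node-visible supply stays at 100 throughout, yet in the worst-case ordering the honest notes of Alice (10) and part of Bob's (2) can no longer be redeemed because the forged note consumed the cap first. It also shows why the node-visible check alone cannot detect inflation: the hidden note total (27) differs from the public balance (15), and only closing the pool makes that difference permanently irrelevant to circulating supply.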
This point is crucial. Zcash's long-term credibility is built on users' ability to independently verify the total token supply. The Ironwood upgrade will restore this capability to users.
How to Confirm the Project Has No Other Token Forgery Vulnerabilities?
At this stage, we cannot give an absolute answer, but we have reason to believe no similar vulnerabilities currently exist.
Shielded Labs, in collaboration with several teams, conducted a comprehensive review of the Zcash protocol, specifically searching for token forgery vulnerabilities. During this process, the team also utilized Anthropic's not-yet-publicly-released Mythos AI model for auxiliary detection. We will publish a follow-up article detailing the process and results of this review.
To date, the team has not discovered any new forgery vulnerabilities. This review assembled experienced technical personnel, professional security teams, and advanced AI analysis tools, which further strengthens our confidence that there are currently no undisclosed high-risk vulnerabilities of the same type.
Simultaneously, we are collaborating with partners like the Tachyon project to conduct additional inspections, further strengthening our security defenses. Related progress will also be announced later.
Summary
This Orchard vulnerability raises four core questions: whether the vulnerability was exploited, whether legitimate assets can be withdrawn, whether the total token supply can be verified, and whether other forgery vulnerabilities exist.
Based on the current investigation results, we assess that the likelihood of the vulnerability being exploited previously is low. Therefore, user assets are safe, and the total token supply currently remains normal. After repeated inspections by multiple independent teams, we are increasingly confident that the project currently has no other undiscovered forgery vulnerabilities.
However, one point is unavoidable: currently, users cannot independently verify the total token supply. The upcoming network upgrade will completely solve this problem. After the upgrade, the Orchard pool will be permanently closed, allowing users to independently verify the total token supply without needing to judge whether token forgery has ever occurred.