Zcash Fixes Critical Node Bug That Could Have Put Millions in ZEC at Risk

• Zcash has fixed a critical vulnerability in its node software that could have exposed millions of dollars worth of ZEC.
• The flaw affected proof verification for transactions tied to the deprecated Sprout shielded pool, though no exploit was reported.

Zcash has patched a serious software flaw that, under the wrong circumstances, could have allowed attackers to drain a meaningful amount of ZEC from an older part of the network.

The issue sat inside zcashd, the node software, and centered on transactions involving the legacy Sprout shielded pool.

According to the disclosure, nodes were skipping proof verification in those cases. That is the kind of bug that gets attention quickly in privacy-focused systems, because proof checks are not a side detail. They are part of the core machinery that keeps invalid transfers from being accepted in the first place.

A bug in an old pool, but still a real risk

The vulnerability was disclosed by Alex “Scalar” Sol on March 23, with the public report released on Tuesday. The affected area was not the main current privacy path most users think about today, but the older Sprout pool, which has already been deprecated. Even so, deprecated does not mean harmless. If funds still sit there, the attack surface remains relevant.

What made the flaw especially sensitive was the possibility that invalid transactions could slip past a critical validation step. In practical terms, that could have opened the door to draining funds from the pool without the network catching the problem where it should have.

Zcash says funds remain safe

So far, the important part is this. The bug was fixed before any known exploitation, and the disclosure says all user funds remain safe.

That should calm immediate panic, though it does not erase the broader lesson. Legacy components in crypto systems have a habit of staying economically relevant long after the ecosystem has mentally moved on from them. Old pools, retired logic, deprecated code paths, these things still matter when real assets remain attached.

For Zcash, the episode is less about visible damage and more about the value of catching a serious validation failure before it turns into one. In blockchain security, sometimes the most important story is the exploit that never got the chance.