TLDR:
- Security researcher Alex “Scalar” Sol reported four Zcash vulnerabilities on April 4, 2026, via coordinated disclosure channels.
- A crafted Orchard transaction with an all-zeros randomized key could crash any reachable zcashd or Zebra node instantly.
- A turnstile accounting bug introduced in zcashd v5.10.0 could be triggered by routine peer-to-peer duplicate block headers.
- Mining pools ViaBTC, Luxor, F2Pool, AntPool, and Foundry all deployed patches before the public release on April 17, 2026.
Zcash vulnerabilities have been patched across two full-node implementations following a coordinated security disclosure.
On April 17, 2026, Zcash Open Development Lab released zcashd v6.12.1, while the Zcash Foundation released Zebra v4.3.1. Security researcher Alex “Scalar” Sol reported the issues on April 4, 2026.
Four vulnerabilities were addressed, covering a node crash bug, a consensus enforcement gap, and a turnstile accounting bypass. No user funds were compromised, and no ZEC supply inflation occurred at any point.
Four Bugs Identified Across Both Zcash Full-Node Clients
The most directly exploitable bug was an Orchard transaction crash present in both zcashd and Zebra. A crafted transaction with an all-zeros randomized key encoding could immediately crash any node processing it.
Repeated broadcasting of such a transaction could effectively prevent nodes from participating in the network. No transactions triggering this condition were found on the Zcash mainnet before the patch.
A related enforcement gap also existed between the two implementations. Zebra already enforced a protocol requirement on ephemeral public keys within Orchard actions, but zcashd did not.
This meant a crafted transaction could be accepted by zcashd while being rejected by Zebra. Such a transaction could have forced a visible chain fork between nodes running different clients.
A separate bug in zcashd, introduced with v5.10.0 in August 2024, could disable turnstile accounting under certain conditions.
Receiving a duplicate block header from a peer could silently reset pool balance tracking to null. This condition could arise from ordinary peer-to-peer network behavior, not only from deliberate attack. The turnstile tracks ZEC balances across shielded and transparent value pools and serves as a critical safety layer.
Even so, this bug was not independently exploitable to steal or inflate ZEC. The official disclosure confirmed that “exploiting it to steal funds would require a separate, independent balance vulnerability on top of it.”
Any resulting turnstile violation would also have been publicly visible as a detectable chain anomaly. No such anomaly occurred on the Zcash mainnet before the fix was deployed.
Mining Pools Deploy Patches Before Public Disclosure
Zcash Open Development Lab addressed the disclosure directly, stating: “Mining pools representing a supermajority of the network’s hash power, and the primary operator running Zebra in mining production, deployed patches prior to this disclosure.”
ZODL engineers Kris Nuttycombe and Daira-Emma Hopwood authored the zcashd patches and reviewed each other’s work.
Nuttycombe addressed the Orchard crash, enforcement gap, and turnstile accounting bug. Hopwood authored hardening patches for integer overflow undefined behavior and exception safety.
Mining pools ViaBTC, Luxor, F2Pool, and AntPool — each running zcashd — were contacted directly for coordination. Foundry, which runs Zebra in mining production, also deployed its patch ahead of public release.
The Zcash Foundation’s Conrado Gouvêa separately developed and delivered the Zebra patch. This outreach ensured network stability was preserved throughout the entire disclosure process.
The zcashd v6.12.1 release also included broader hardening changes beyond the core vulnerability fixes. A chain supply value checkpoint was added at NU6.1 activation to enable future corruption detection.
Integer overflow protections were added across pool balance accumulation routines in multiple code paths. These additions provide an extra defense layer against edge-case exploitation scenarios.
This marks the second set of Zcash vulnerabilities disclosed within a month. On X, Zcash Open Development Lab stated: “We have no evidence that any of these bugs were exploited.
User funds and privacy were never at risk, and no ZEC supply inflation was possible.” Alex “Scalar” Sol also reported the March 2026 Sprout verification vulnerability through the same coordinated channels. Users running either zcashd or Zebra should upgrade to the latest patched versions immediately.
The post Zcash Patches Four Critical Vulnerabilities Across Both Full-Node Implementations appeared first on Blockonomi.