Cut Through Crypto
Privacy · Jun 24, 2026

Zcash Orchard Pool Counterfeiting Bug Hidden for Four Years, Disclosed by Quantstamp

Quantstamp published a breakdown of a counterfeiting vulnerability in Zcash's Orchard shielded pool that remained undetected for four years before disclosure. The bug could have allowed unauthorized token creation within the privacy pool. The disclosure was separate from the previously reported Aztec V4 vulnerability.

Zcash Bug: four years of privacy that wasn't quite there

A counterfeiting flaw sat inside Zcash's Orchard shielded pool for four years without anyone noticing. The bug could have let someone quietly mint coins out of thin air — inside the very pool designed to make transactions invisible to outsiders.

That combination is uncomfortable. The privacy worked. The integrity didn't.

This doesn't kill the thesis on privacy coins — a patched bug is a patched bug. But it does ask an honest question: how much of Zcash's security rested on the assumption that what couldn't be seen also couldn't be tampered with?
