The Zcash Open Development Lab (ZODL) recently issued a critical security disclosure concerning vulnerabilities identified and subsequently patched in both zcashd and Zebra clients. These security flaws included an Orchard action-encoding bug capable of crashing nodes when processing certain Orchard transactions, a consensus enforcement gap between the two implementations that posed a risk of triggering a chain fork, a defect that could disable enforcement of zcashd’s turnstile accounting, and undefined behavior stemming from unchecked integer arithmetic within pool balance calculations.

In response to these discoveries, ZODL promptly released zcashd v6.12.1, and the Zcash Foundation followed with the release of Zebra v4.3.1. These updates were designed to address the four aforementioned vulnerabilities, specifically resolving the Orchard action-encoding bug and a related consensus-split issue that could arise between the two clients.

Crucially, the patches were deployed in a coordinated effort, with mining pools representing a supermajority of the network’s hash power and the primary operator running Zebra in mining production having implemented the fixes prior to public disclosure. This proactive measure ensured that there was no evidence of any of the bugs being exploited, nor were the vulnerabilities utilized to affect the consensus chain. Zcash has affirmed that all user funds remained secure, user privacy was not compromised, and none of these vulnerabilities could have been used to inflate the ZEC supply.

Beyond the security updates, the Zcash network has seen significant positive developments. The Zcash Shielded Pool recently achieved an all-time high, with 31% of all ZEC now residing in the encrypted pool, a substantial increase from 11% a year ago. Furthermore, 59% of all Zcash transactions are now shielded, demonstrating a growing adoption of its privacy features.

Zcash is also actively preparing for future cryptographic challenges by testing NIST-standardized lattice-based cryptography, including ML-KEM and ML-DSA, to ensure post-quantum readiness. This initiative comes in light of recent research, such as Google's March 31 paper, which indicated that quantum threats might be twenty times closer than previously anticipated. Concurrently, the Zcash Network's hash rate has reached a new all-time high of 16.54 GS/s, signaling strong and ongoing commitment from its miners.