Zcash Sprout bug patched in zcashd v6.12.0; 25,424 ZEC safe

Zcash has patched a critical zcashd proof-check bypass flaw tied to the legacy Sprout shielded pool. The Zcash Sprout bug, present from July 2020 until the release of v6.12.0, could have skipped verification in certain Sprout transaction scenarios and exposed about 25,000+ ZEC (25,424 ZEC) to potential draining. Security researcher Alex “Scalar” Sol disclosed the issue on March 23. Major mining pools (Luxor, F2Pool, ViaBTC, AntPool) deployed the fix by March 26, while the Zebra full node implementation was not affected. Zcash also said its “turnstile” mechanism would likely have prevented broader supply inflation, and attempted exploitation would probably have triggered a chain fork. No exploitation has been detected, and user funds are confirmed safe. For traders, the key point is that the Zcash Sprout patch via v6.12.0 reduces technical tail-risk around this deprecated privacy component, so short-term market impact should be limited.
Neutral
This news is likely neutral for ZEC because the bug was patched quickly (zcashd v6.12.0) and no real exploitation or fund loss has been reported. The disclosure does highlight ongoing verification-layer and legacy shielded-pool risks, which can slightly raise perceived tail-risk for privacy-coin infrastructure. However, Zcash’s mitigations (turnstile constraints, likely chain-fork behavior, and unaffected Zebra nodes) reduce the probability of broader damage, limiting any immediate negative repricing. Any effect on prices is therefore more about sentiment around privacy infrastructure than about immediate supply or balance-sheet impact.