In brief
- Zcash plummeted in price following the disclosure of a critical, four-year-old vulnerability.
- Because of Zcash’s privacy features, the bug’s scope couldn’t definitively be determined in terms of counterfeit coins.
- Some said tradeoffs between privacy and auditability are “part of the deal,” pointing to bugs patched in years past.
Shielding funds from prying eyes has long been Zcash’s forte, but investors’ unease on Friday indicated that the privacy coin’s core feature can also resemble an Achilles' heel.
Following the disclosure of a bug that had the potential to unleash a wave of counterfeit coins, Zcash tanked to its lowest point in over a month. The digital asset recently changed hands around $350, a 33% decrease over the past day, according to CoinGecko, after falling below $265 overnight.
Zcash allows users to hide transaction details, featuring a design where they can switch between address types that are either transparent or shielded using a technology known as zero-knowledge proofs. That appears to be why investors are spooked.
“There is no definitive way to determine, using only cryptography, whether such exploitation occurred,” Shielded Labs, an organization that supports Zcash’s development, said in a disclosure, noting that the four-year-old vulnerability was fixed earlier this week.
Nic Carter, founding partner of investment firm Castle Island Ventures, told Decrypt that the development may be disconcerting, but the tradeoff between privacy and auditability is not a foreign concept for people who have followed the crypto market for years.
He pointed to a Zcash bug discovered in 2018 that theoretically allowed bad actors to mint counterfeit coins before it was fixed the following year. In 2017, Zcash’s chief competitor, Monero, also patched a bug that allowed for the creation of an unlimited number of coins.
“I don’t think it’s game over for Zcash,” Carter added. “Some newcomers to the space, they might be a little perturbed by it, but it’s basically part of the deal.”
Members of Monero’s community echoed that sentiment, including Cake Wallet COO Seth Simmons. He praised Shielded Labs on X for fixing the exploit quickly, working with stakeholders, and being honest and transparent so Zcash’s whole ecosystem could improve.
“No Monero folks should be looking to dunk on Zcash,” he added. “It’s a natural downside to building out privacy as the default in these systems.”
Still, the privacy coin has been increasingly positioned by analysts and advocates as a privacy-enhanced alternative to Bitcoin, and backers of the largest digital asset by market cap took the opportunity to highlight pitfalls associated with on-chain privacy.
“This will happen again in Zcash,” Rob Hamilton, CEO of Bitcoin insurance firm AnchorWatch, argued on X. “You'll just never be able to prove it because you can’t audit the supply.”
Beyond Zcash, the vulnerability that Shielded Labs said was identified using Anthropic's recently released Claude Opus 4.8 model carries implications that are “a little bit concerning,” Carlos Guzman, vice president of research at crypto trading firm GSR, told Decrypt.
Whether or not artificial intelligence will benefit bad actors or organizations that strengthen protocols more remains an open question, but complex cryptography is becoming less of a barrier to detecting critical flaws, Guzman said.
“There aren’t many experts that are familiar with these circuits, so they are kind of hard to hack,” Guzman added, referring to systems that use zero-knowledge proofs. “But with AI, [...] the ability to find bugs in these systems is getting democratized.”