Zcash Dodges a $6.5M Bullet: Sprout Pool Bug Squashed Before Anyone Could Say 'Infinite Counterfeit'
A ticking time bomb buried in Zcash’s legacy code could’ve let a rogue miner pull off the heist of the decade—25,000 ZEC from the zombie Sprout pool, good for about $6.5 million in today’s terms—except someone hit Ctrl+Alt+Fix before the degen with the fastest ASIC could even load their exploit script.
Enter Alex "Scalar" Sol, the digital Sherlock of the Zcash underworld, who sniffed out the flaw and dropped the mic (and the bug report) on March 23. Turns out, zcashd nodes had been casually ghosting proof verification for Sprout-era shielded transactions like a blockchain version of “I didn’t see the memo.” No verification? That’s the crypto equivalent of leaving your Lambo keys in the ignition at a Defcon afterparty.
The bug had been chilling in releases since July 2020—basically longer than some altcoins have been alive. But panic was short-lived: Zcash devs pushed out v6.12.0 on Tuesday like a hot fix from the crypto gods. By March 25, Luxor was patched and flexing on Twitter, with F2Pool, ViaBTC, and AntPool all hopping on the update train by the 26th. Coordination win—rare in crypto, but it happens when the money’s on fire.
Thankfully, Zebra—the cooler, rustier cousin of zcashd—was immune. Had anyone tried to exploit this mess, Zebra would’ve hard-forked the offender into oblivion, like a bouncer ejecting a fake-ID’d party crasher. It’s not just a node; it’s a moral compass with a consensus engine.
Sol didn’t go full detective solo—AI was his Watson, assisting in the digital forensics. He reported the flaw to Shielded Labs, who then pinged the Zcash Open Development Lab (ZODL). Jack "str4d" Grigg, who apparently codes in his sleep, whipped up the patch faster than you can say “zero-knowledge proof.” Shoutout to Grigg—man’s got more patches than a NASA mission.
For playing by the rules and not just shorting ZEC and running, Sol gets a 200 ZEC bounty—over $51,000, split like a crypto potluck by Shielded Labs, ZODL, the Zcash Foundation, and Bootstrap (each tossing in 50 ZEC like it’s gas money). That’s what we call “responsible disclosure with a side of alpha.”
The Sprout pool itself has been on life support since November 2020, when devs pulled the plug on new deposits. But like that one DeLorean in your garage that still runs, it’s technically active—holding 25,424 ZEC that lazy or forgetful users haven’t migrated to Sapling or Orchard. That’s not a typo—people really just left $6.5M sitting in legacy code. YOLO stonks, I guess.
Even if a hacker had gone full wolf on the fold, Zcash’s “turnstile” mechanism would’ve kept the money supply from going full Weimar Republic. The turnstile ensures every ZEC exiting Sprout must first have entered it legitimately—no counterfeiting allowed. So while attackers could’ve drained the pool, they couldn’t inflate the supply beyond the sacred 16.63 million ZEC cap. Inflation protection: activated.
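The accounting rule behind that bound, as an added Rust sketch (not zcashd or Zebra code): a simplified model, assumed here, in which a block is rejected if it would push the pool's tracked balance below zero. `PoolBalance`, `apply_block` and `replay` are hypothetical names, amounts are whole ZEC, and the per-block flows are constructed.

```rust
// Added illustration, not zcashd or Zebra code. Amounts are whole ZEC.

/// Running total of value held in one shielded pool (hypothetical type).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct PoolBalance(pub i64);

#[derive(Debug, PartialEq)]
pub enum BlockError {
    /// The block would take out more value than the pool holds.
    TurnstileViolation { balance: i64, net_flow: i64 },
}

impl PoolBalance {
    /// Apply one block's net flow: positive = deposits, negative = withdrawals.
    /// The check looks only at the accounting, not at any proof, and the
    /// balance changes only when the block is accepted.
    pub fn apply_block(&mut self, net_flow: i64) -> Result<i64, BlockError> {
        match self.0.checked_add(net_flow).filter(|b| *b >= 0) {
            Some(next) => {
                self.0 = next;
                Ok(next)
            }
            None => Err(BlockError::TurnstileViolation { balance: self.0, net_flow }),
        }
    }
}

/// Replay constructed per-block net flows against a starting balance.
/// Returns the net ZEC that left the pool and the first rejected block index.
pub fn replay(start: i64, flows: &[i64]) -> (i64, Option<usize>) {
    let mut pool = PoolBalance(start);
    for (i, flow) in flows.iter().enumerate() {
        if pool.apply_block(*flow).is_err() {
            return (start - pool.0, Some(i));
        }
    }
    (start - pool.0, None)
}

fn main() {
    // Constructed scenario: the pool starts with the 25,424 ZEC cited above,
    // then three blocks try to withdraw 10,000, 15,424 and 1 ZEC.
    let (withdrawn, rejected_at) = replay(25_424, &[-10_000, -15_424, -1]);
    println!("net withdrawn: {} ZEC, first rejected block: {:?}", withdrawn, rejected_at);
}
```

In this model the first two blocks empty the pool and the third is rejected, so the loss is capped at the pool's balance no matter what the withdrawals claim.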
This isn’t Zcash’s first brush with existential doom. Back in 2019, the network dodged an actual “infinite counterfeit” bug—because apparently, Z