Could ZEC be compromised even today and we never know about it?

I have a friend who is absolutely convinced that,

“I think I’ve finished my research. I still stand by what I said in the beginning, that there could be billions of zcash being held by people. We don’t know what the total supply is, and never will.”

He believes that, “…during the security vulnerability, someone could have created a billion counterfeit zec… and that those zec could be in circulation today… and we would never know about it.”

I disagree with him, but I am absolutely no expert.

Can anyone here please explain if his statements are true or not, and how we know for sure — either way.


There are extremely long odds but he isn’t incorrect. There is a supply risk because of the old shielded pools that aren’t deprecated, however the risk only totals to the amount of ZEC supply that is latent in those old technologically inferior pools (Orchard is currently the superior shielded pool, all shielded ZEC ideally would reside in Orchard). The idea of billions of ZEC being in circulation is hogwash. But if he is pontificating about practical exchange traded supply dynamics, it is potentially the case. Exchanges with large real ZEC balances can be further rehypothecating derivative ZEC into their customer accounts without the protocol knowing or caring. In a practical sense it is possible that actions like that would effectively allow for more ZEC to exist in the context of the markets and placed into brokerage positions than actually exist. But again I emphasize - that scenario would be entirely a manifestation of crypto brokerages generating a practical supply bloat (via derivation of paper ZEC), not an actual one.

In the hard math of the Zcash protocol layer, No is the answer.


He’s talking about the Sprout counterfeiting vulnerability, and it is the reason, as stated, we have the turnstiles and recorded pool values. The amount of funds that were ever transacted into the Sprout pool is known because of the nature of shielding transactions (you know one side of it), and so if potentially more funds than that were ever attempted to be withdrawn from Sprout then the protocol would prevent it. Transacting within the Sprout pool isn’t even possible anymore; you can only send to the transparent address in a withdrawal transaction through the turnstile, so even if it was exploited then it has yet to be seen. Sprout still holds just over 26k ZEC.


Right. In the case of the counterfeiting vulnerability, if someone had known about it before it was fixed, they could have created billions of ZEC within the Sprout pool. The circulation of that counterfeit ZEC would be limited to occurring within the Sprout pool. Withdrawals out of the Sprout pool are constrained by the turnstile defence—no more ZEC can ever come out of the Sprout pool than legitimately went in.

So, in a worst-case scenario, (a) the attacker could spend their counterfeit funds to anyone who still accepts Sprout transactions, and (b) the attacker could withdraw as much ZEC from the Sprout pool as the turnstile allows.

The easy fix for (a) is to just not accept Sprout funds; this is enforced in all wallets aside from zcashd, and most wallets can’t even generate a Sprout address. In case (b), users with funds in Sprout would not be able to withdraw them if the turnstile limit is hit; those users can completely protect themselves by moving their funds out of Sprout.

That particular counterfeiting bug presents no risk to users with funds in Sapling or Orchard. Zero-knowledge cryptography is complex so there is some risk of future bugs, which is mitigated through security proofs, professional review of those security proofs, and professional audits of the implementations. Even in the case of a future bug, the turnstile prevents arbitrary inflation of the ZEC supply.
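
The turnstile accounting described in the posts above, as an added example that is not part of the original thread and is not Zcash code. It is a simplified model: `Tx`, `ChainState`, `TurnstileViolation` and the sample transactions are hypothetical, and the only rule modelled is that a block is rejected if it would leave a pool's publicly recorded balance negative.

```python
from dataclasses import dataclass, field

ZATOSHI = 100_000_000  # zatoshis per ZEC


class TurnstileViolation(Exception):
    """Raised when a block would make a pool's public balance negative."""


@dataclass
class Tx:
    # Hypothetical simplified transaction: publicly visible net value moved
    # INTO each shielded pool. Positive = shielding, negative = withdrawal,
    # zero = transfer inside the pool (amounts hidden from observers).
    txid: str
    pool_deltas: dict


@dataclass
class ChainState:
    pool_balance: dict = field(
        default_factory=lambda: {"sprout": 0, "sapling": 0, "orchard": 0})

    def apply_block(self, txs):
        # Work on a copy so a rejected block leaves the state untouched.
        new = dict(self.pool_balance)
        for tx in txs:
            for pool, delta in tx.pool_deltas.items():
                new[pool] += delta
        for pool, value in new.items():
            if value < 0:
                raise TurnstileViolation(f"{pool} would go to {value} zatoshis")
        self.pool_balance = new


def run_scenario():
    """Constructed sample chain: 10 ZEC legitimately shielded into Sprout."""
    chain = ChainState()
    chain.apply_block([Tx("honest-shield", {"sprout": 10 * ZATOSHI})])
    # Counterfeit notes minted inside the pool change nothing publicly.
    chain.apply_block([Tx("in-pool-counterfeit", {"sprout": 0})])
    outcome = {}
    for txid, zec in [("withdraw-1e9", 10**9), ("withdraw-10", 10), ("honest-1", 1)]:
        try:
            chain.apply_block([Tx(txid, {"sprout": -zec * ZATOSHI})])
            outcome[txid] = "accepted"
        except TurnstileViolation:
            outcome[txid] = "rejected"
    return outcome, chain.pool_balance["sprout"]
```

The last withdrawal in the scenario is case (b) from the post: once the pool's recorded balance has been drained, an honest holder's withdrawal is the one that gets rejected.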


It’s possible there’s an as yet undiscovered bug in either the Orchard design or implementation that allows for undetected inflation. One cannot eliminate the odds of such bugs existing; only reduce the odds by repeated scrutiny of the Orchard design by skilled cryptographers and of the implementation by skilled programmers, as well as by formal verification tools.

There’s even the possibility that ECDLP is not the super hard problem that we think it is. Although in that case, nearly all existing cryptography is screwed, as are all existing cryptocurrencies.


In this game all we can do is attempt to construct an unbiased statistical probability that our funds are safe (i.e. no counterfeiting) :crazy_face:. TBH the statistical probability that counterfeiting has occurred (for any reason), while low, is way higher than we’d all like. But the people involved having that level of paranoia is the only way Zcash is going to stay safe for the rest of us. And maybe that’s the underlying point your friend is trying to make?

Note: As soon as software/crypto engineers lose that level of paranoia and start claiming “your funds are safe” is when you want out :grimacing:.

Note note: I haven’t scientifically calculated this so take this with a grain of salt. But I’ll go out on a limb and say that statistically the funds in Zcash are way safer than the funds kept in most popular smart contracts (e.g. Ethereum smart contracts) :joy:. Some of which have token market caps that are far larger than Zcash :person_facepalming:.


To be clear. … My friend’s position is that Zcash is unsafe and nobody should hold any… due to the fact (in his mind) that someone could have counterfeited a billion zec and be holding or spending them, right now, without anyone knowing about it.

I vehemently disagree with him.

I appreciate everyone’s replies here. They have been very helpful. Thank you.


iwo you can look up all ZEC on transparent addresses and ZEC that has gone into shielded pools, and when you do calculations then you realize it’s not possible to have billion ZEC. Only 13,545,423 $zec in circulation atm.


it isn’t possible
because the transparent chain is monitored for anomalies

and by the way after the bug fix, we moved our coins to a new pool thru transparent addresses


Thanks Earthrise, your explanation is the full detail of what I was trying to communicate.

however the risk only totals to the amount of ZEC supply that are latent in those old technologically inferior pools (Orchard is currently the superior shielded pool, all shielded ZEC ideally would reside in Orchard).

And it calls attention to the fact that the old pools create unnecessary (albeit small) risk vectors to the total circulation of shielded ZEC. Does the community have open discussions about deprecating old pools? (Yes, I know a talk was given last year on the topic. But I can’t find the link on YouTube right now)


Is this the talk you’re talking about?


Now that the price is in complete shambles, the time has come for a 1 time, move your coins through the turnstile or lose them…3 month warning. This can only help the price at this time and remove any risk or overhang. It’s also always a thought on my mind as well.

Forced 1 time turnstile to prove the 21M cap.

  • Yes
  • No

The other benefit is we can deprecate the old pools to save on maintenance and development, which is more of a necessity at this point.


I see too many no’s.

  1. What is the point of a turnstile if it’s not meant to be used?
  2. How can you definitively prove there are 21M coins?
  3. Is there a way to do it in the backend that just does it automatically?
  4. If there was a lot of counterfeit coins, I suppose a lot of No votes could be expected.

We did have an exploit. So it’s not out of the blue and ZEC needs to show at least some care and concern for the owners of ZEC.


Deprecating both the Sprout and Sapling pools and requiring funds to be moved to Orchard would effectively be what you’re asking for (unless there’s an inflation bug in Orchard). I think 3 months is far too short of a notice. I do think this is something that should be done in order to eliminate protocol complexity and pay down tech debt. Some wallets are already designed to opportunistically move funds to Orchard.

All exchanges that I’m aware of (at least ones with liquidity) require funds to be deposited to a t-address. Therefore if the current price action were due to an inflation bug, it would definitely trigger or be coming close to triggering the turnstiles that are already in place. We don’t see that (shielded pool balance has been growing, meaning more transparent ZEC is moving into shielded pools than is coming out) so I’m pretty confident that’s not what’s happening, even if there were an inflation bug.

To exchange counterfeit ZEC for USD without triggering the existing turnstiles, the attacker would need to find counterparties who own transparent ZEC and trade their shielded ZEC in the vulnerable pool for the counterparties’ transparent ZEC. This seems unlikely, since any of those hypothetical counterparties could just shield their ZEC themselves if they wanted shielded ZEC. That said, I hope in the future exchanges will operate on shielded ZEC, so when that day comes it might be worthwhile to consider regular (and ideally automatic) turnstiles.

So, I don’t think we see any evidence of an inflation bug being exploited. But we should work towards deprecating old pools, and that will have the effect of confirming that there was never any exploitation of an inflation bug in Sprout or Sapling.


I personally think someone minted a fuck ton of ZEC during that period.


I completely agree with this proposal.

Just get rid of Sapling pool with trusted setup, done, problem solved.
