Could ZEC be compromised even today and we never know about it?

I have a friend who is absolutely convinced that,

“I think I’ve finished my research. I still stand by what I said in the beginning, that there could be billions of zcash being held by people. We don’t know what the total supply is, and never will.”

He believes that, “…during the security vulnerability, someone could have created a billion counterfeit zec… and that those zec could be in circulation today… and we would never know about it.”

I disagree with him, but I am absolutely no expert.

Can anyone here please explain if his statements are true or not, and how we know for sure — either way.


There are extremely long odds but he isn’t incorrect. There is a supply risk because of the old shielded pools that aren’t deprecated, however the risk only totals to the amount of ZEC supply that are latent in those old technologically inferior pools (Orchard is currently the superior shielded pool, all shielded ZEC ideally would reside in Orchard). The idea that billions of ZEC being in circulation is hogwash. But if he is pontificating about practical exchange traded supply dynamics, it is potentially the case. Exchanges with large real ZEC balances can be further rehypothecating derivative ZEC into their customer accounts without the protocol knowing or caring. In a practical sense it is possible that actions like that would effectively allow for more ZEC to exist in the context of the markets and placed into brokerage positions than actually exist. But again i emphasize - that scenario would be entirely a manifestation of crypto brokerages generating a practical supply bloat (via derivation of paper ZEC), not an actual one.

In the hard math of the Zcash protocol layer, No is the answer.


He’s talking about the sprout counterfeitting vulnerability and it is the reason like stated we have the turnstiles and recorded pool values. The amount of funds that were ever transacted into the sprout pool is known because of the nature of shielding transactions (you know one side of it) and so if potentially more funds than that were ever attempted to be withdrawn from sprout then the protocol would prevent it. Transacting within the sprout pool isn’t even possible anymore, you can only send to the transparent address in a withdrawal transaction through the turnstile so even if it was exploited then it has yet to be seen. Sprout still holds just over 26k zec.

1 Like

Right. In the case of the counterfeiting vulnerability, if someone had known about it before it was fixed, they could have created billions of ZEC within the Sprout pool. The circulation of that counterfeit ZEC would be limited to occurring within the Sprout pool. Withdrawals out of the Sprout pool are constrained by the turnstile defence—no more ZEC can ever come out of the Sprout pool than legitimately went in.

So, in a worst-case scenario, (a) the attacker could spend their counterfeit funds to anyone who still accepts Sprout transactions, and (b) the attacker could withdraw as much ZEC from the Sprout pool as the turnstile allows.

The easy fix for (a) is to just not accept Spout funds; this is enforced in all wallets aside from zcashd, most wallets can’t even generate a Sprout address. In case (b), users with funds in Sprout would not be able to withdraw them if the turnstile limit is hit; those users can completely protect themselves by moving their funds out of Sprout.

That particular counterfeiting bug presents no risk to users with funds in Sapling or Orchard. Zero-knowledge cryptography is complex so there is some risk of future bugs, which is mitigated through security proofs, professional review of those security proofs, and professional audits of the implementations. Even in the case of a future bug, the turnstile prevents arbitrary inflation of the ZEC supply.


It’s possible there’s an as yet undiscovered bug in either the Orchard design or implementation that allows for undetected inflation. One cannot eliminate the odds of such bugs existing; only reduce the odds by repeated scrutiny of the Orchard design by skilled cryptographers and of the implementation by skilled programmers, as well as by formal verification tools.

There’s even the possibility that ECDLP is not the super hard problem that we think it is. Although in that case, nearly all existing cryptography is screwed, as are all existing cryptocurrencies.


In this game all we can do it attempt to construct an unbiased statistical probability that our funds are safe (i.e. no counterfeiting) :crazy_face:. TBH the statistical probability that counterfeiting has occured (for any reason) while low, is way higher then we’d all like. But the people involved having that level of paranoia is the only way Zcash is going to stay safe for the rest of us. And maybe that’s the underlying point your friend is trying to make?

Note: As soon as software/crypto engineers lose that level of paranoia and start claiming “your funds are safe” is when you want out :grimacing:.

Note note: I haven’t scientifically calculated this so take this with a grain of salt. But I’ll go out on a limb and say that statistically the funds in Zcash are way safer then the funds kept in most popular smart contract (e.g. ethereum smart contracts) :joy:. Some of which have token market caps that are far larger then Zcash :person_facepalming:.


To be clear. … My friend’s position is that Zcash is unsafe and nobody should hold any… due to the fact (in his mind) that someone could have counterfeited a billion zec and be holding or spending them, right now, without anyone knowing about it.

I vehemently disagree with him.

I appreciate everyone’s replies here. They have been very helpful. Thank you.

1 Like

iwo you can look up all zec on transparent addresses and zec dat has gone into shielded pools and wen u do calculations den u realize its not possible to have billion zec. only 13,545,423 $zec in circulation atm.


it isn’t possible
because the transparent chain is monitored for anomalies

and by the way after the bug fix, we moved our coins to a new pool thru transparent addresses

1 Like

Thanks Earthrise, your explanation is the full detail of what I was trying to communicate.

however the risk only totals to the amount of ZEC supply that are latent in those old technologically inferior pools (Orchard is currently the superior shielded pool, all shielded ZEC ideally would reside in Orchard).

And it calls attention to the fact that the old pools create unnecessary (albeit small) risk vectors to the total circulation of shielded ZEC. Does the community have open discussions about deprecating old pools? (Yes, i know a talk was given last year on the topic. But I can’t find the link on YouTube right now)

1 Like

Is this the talk you’re talking about?