I wanted to write up my experience from the recent vulnerability disclosure I did across zcashd and zebra, and from both the opening and the closing of the ZCG bug bounty program that followed. Together, they point to one place where Zcash could get genuinely stronger.
Context
I reported an exploit chain in zcashd involving a drain of the Sprout pool, that could be amplified by a turnstile-bypass vuln on targeted node, leading to a realistic path to a temporary unlimited-mint and sell on CeX and DeX, where zcashd is still the major implementation used. Separate bugs could have crashed all zebra nodes running, while some others could have created a consensus split between zebra and zcashd, delaying detection of the potential unlimited-mint-and-sell.
The Zcash devs response was genuinely excellent: confirmed fast, patched, coordinated with the major mining pools, and shipped within one or two days. Nothing got exploited, and they really deserve a lot of credit for that. And that’s really what matter after all.
This remains an estimate, but my view is that the issue would likely have become visible after roughly one to three hours. On-chain, a few hours is a long time, more than enough for a temporary minting window to create value that could be moved and sold before anyone could realistically react. And the issue touched the property the whole system ultimately rests on: sound money.
So the downside prevented was not a bounded loss. It was potential damage to the credibility of the project itself, along with a direct hit on potentially over 100M$ of available liquidity. In my view, if exploited, this would have posed a serious reputational hit and existential risk to Zcash.
My honest questions
What preventing that actually worth? And did the kinds of rewards that were offered so far set a strong enough precedent for this class of issue?
This time, honesty and goodwill carried the day. But a network securing billions in value can’t, long-term, depend on whoever finds the next critical bug deciding to do the right thing. At that scale, the disclosure path has to be built on structure and clear incentives, not on hoping the next call goes the same way.
With the recently opened bug bounty program now closed, what does the disclosure path even look like today for someone who lands on a finding of such disruptive severity?
The program was, in effect, the formal answer to that question. With it gone, the answer defaults back to goodwill, to whatever sense of duty anyone happens to show up with. That’s the gap worth closing before the next one arrives, not after.
A program like this has one job above almost everything else: to make sure the project is the first place a researcher goes with a critical finding. Rewards need to be proportional to the harm prevented, and the process needs to be clear enough that responsible disclosure is the obvious path. When a serious vulnerability exists, who hears about it first can decide how the story ends.
There’s a quieter pattern underneath all of this: harm is usually priced honestly only after it has happened. An exploit gets valued in full, a near-miss almost never does.
We are good at recognizing the cost of damage in hindsight. We are much worse at recognizing that same cost upfront, when it can still be avoided.
My suggestions for the future
- A clearly defined, ecosystem-benchmarked top reward tier for existential-class issues because a top-tier monetary network should offer top-tier incentives for anything that threaten issuance, proof integrity, signatures.
- An established platform like HackerOne, Immunefi, or HackenProof to provide structured triage, clear expectations, and a reliable path for serious reports to reach the developer team.
Both come back to the same thing: that the next person who finds something has a real and strong incentive to do the right thing, not just the moral one.
The best security outcomes are the quiet ones. The only risk in that quiet is that it can make the work feel, in hindsight, like it mattered less than it did. Prevented damage keeps its value, maybe especially when everything goes right.
I have my own bias. I’ve been making the case, that my disclosure was undervalued considering the risk it presented; after @ZCG declined rougly a week ago, what got proposed as a last-resort option was submitting a Zcash retro grant proposal for Q3, which, realistically, is praise and hope, 6 months in. And that’s exactly the kind of friction that turns the legitimate path into a real obstacle. I don’t want the next person who lands on something to face the same, or to weigh it as a reason not to come. I know I’m not arguing this from the outside.
That’s exactly why I’d rather raise the structural point now than have anyone else arrive at it the same way I did.
The community has a role to play here: helping decision-makers, supporting a carefully designed structure, and voting for one where needed. That is the best way to make sure Zcash is stronger the next time it really counts. Some exploits are just not fixable,