The Orchard Counterfeiting Vulnerability—And Next Steps

Can someone get Opus 4.8 to perform a full audit of all ZEC held on every major exchange, and also include the shilled pools? This would help us get an accurate total circulating supply/number of all ZEC.

zcash is a public ledger with private pool… the accurate supply is on any node or zcash explorer… the only people that might eventually be affected, if at all this was ever exploited are the coin holder in the private pool orchard.

the supply on any exchange as most don’t support private pool https://arkm.com/explorer/token/zcash

You’re missing the point. If ZEC was exploited, then over the past 4 years those coins could have easily left the pool and been moved to exchanges to be sold. The issue isn’t limited to just the pool, but analyzing what remains in the pool will still shed some light on the situation.

I’m not trying to troll or upset anyone I’m just stating the facts.The only realistic way to do a proper audit is for all exchanges to publicly count and report their total ZEC holdings, along with all major cold wallets reporting the ZEC they hold. This could be done without revealing who owns the coins just the raw numbers.Once those figures are available, they could be added to the amounts held in all the mining pools to calculate the true total circulating supply of ZEC.I don’t believe this will actually happen. It could be done, but it won’t be.

One of the large obstacles on the road to near-flawless integrity is that zk binding sigs and asset conservation were supposed to directly address fabrication issues… mid-transaction. AI should probably be employed immediately in tracking the effectiveness of nullifiers and ensuring that hidden addresses aren’t up to anything entirely out of the ordinary since the vulnerability appeared. Migration protects existing supply, whether tainted or not. On top of that, we have every reason to believe that the vulnerability was unexploited given the angle of difficulty in identifying it. If so, not only is this a non-issue, but the ecosystem has been given a much-needed wakeup call concerning how deeply vulnerabilities need to be probed for.

If you are of the mind that the total supply has been compromised, or believe that it is untrustworthy because of that possibility, nothing short of a full audit will likely allay your concerns. It doesn’t mean that can’t eventually happen in a well-contained environment, but I don’t think it’s possible at the moment. That said, I have no idea if anyone has actually asked the AI to come up with an integrity verification solution yet.

Assuming hypothetically that it was. Zcash in private pool is fungible. The only loser would those that still hold it in the orchard private pool. Inflation bug in private pools, is a drain of the pool simply, or a theft those users.

I’m just stating the facts.The only realistic way to do a proper audit is for all exchanges to publicly count and report their total ZEC holdings, along with all major cold wallets reporting the ZEC they hold.

No because, all infra around zcash support for the most, only transparent transactions. The real circulating supply of Zcash is the ~16,751,384 ZEC. It’s just the trust is broken on orchard pool. But any coins getting out of orchard pool are real zcash. It’s just if someon exploited he has the possibility to withdraw the coin of others from the orchard pool.

Hi everyone,

I’ve been following the Orchard discussions closely and built a small public Orchard Integrity Monitor to track publicly observable accounting signals such as:

• Value Pool Balances

• Supply Integrity

• Historical Pool Evolution

• Post-Patch Orchard Metrics

It doesn’t prove or disprove the existence of hidden counterfeit notes, but I hope it can contribute useful transparency and observable data to the discussion.

Dashboard:

HappyDAO GitHub Pages → Orchard Integrity Monitor

Orchard Integrity Monitor HappyDAO

Feedback is welcome.

In theory and we don’t know for sure if counterfeiting has been going on for years, then the real Zcash belonging to victims would likely have already been withdrawn. This would leave mostly counterfeit ZEC behind in the pool, which cannot be withdrawn.If that’s the case, it raises a big question: Why would anyone continue leaving their Zcash in the pool? It seems extremely risky. Even if the chance of this being true is slim, staying in the pool makes people willing victims. If the counterfeiting scenario is real, they could lose all their ZEC with no insurance or recourse once it’s gone, it’s gone.The smartest move right now would be for everyone to immediately withdraw their ZEC from the pool. This would achieve positive things: like putting this whole nightmare behind us. so what the hell are we waiting for? lets end this drama and move forward !!

I also believe a clear notice should be posted directly in the Zodl app. It should inform all holders that they should withdraw their ZEC from the wallet until the new version is released. This is the responsible thing to do. Many holders may not even be aware of what’s going on, and warning them helps protect their funds and prevents potential losses.

Once again, I’m very thankful to the project team for discovering this issue, fixing it, and transparently informing the community — that’s an A+ in my book. Now we just need to make sure every holder is aware of the situation. Posting a clear notice in the Zodl app would be the right and responsible thing to do.

This is not an accurate statement. The only thing the network currently prevents is withdrawal of amounts bigger than were originally put into the pool, nodes have no way of knowing if a ZEC in the pool is “real” or not. So 4.8M coins went in, 4.8M can come out. If it’s yours or the alleged attacker is only a matter of timing.

So last one out is a rotten Egg?

Update: this thread is about the problem. See also Ironwood which is about the solution.