BlockBeats News, June 6th, Dragonfly partner Haseeb Qureshi explained a recently patched Zcash vulnerability, stating that if the vulnerability had been exploited before the fix, it would have looked more like a privacy pool drain. If an attacker minted counterfeit privacy ZEC, they would need to sell rapidly before others discovered the same vulnerability; however, the primary trading venues for ZEC mostly handle transparent ZEC, not privacy ZEC. Attackers cannot directly sell newly minted privacy ZEC on Binance or Coinbase but must first de-shield the ZEC.
In this scenario, the ones truly affected would be passive privacy holders. Transparent ZEC is entirely visible, making it easy to enforce that transparent ZEC does not exceed the max supply. If someone tries to de-shield and move more ZEC than the supply cap, they will be stopped at the exit. For users holding transparent ZEC, including exchange users and those involved in ZEC price discovery, the vulnerability would have no marginal impact, and the loss would be fully borne by privacy holders. The team's next step will be to deploy new turnstiles and new privacy pools in the upcoming upgrade to verify that the privacy pool has not been inflated. He likened this to a "headcount at the end of a field trip," ensuring no extra people sneak onto the bus.
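The turnstile accounting described above, as an added illustration that is not Zcash code or anything from the original report: a ledger that sees only value crossing pool boundaries and refuses any exit larger than the pool's recorded balance. The `Turnstile` class, the pool names `old` and `new`, and all amounts are constructed assumptions.

```python
class TurnstileViolation(Exception):
    """An exit would take more out of a pool than was ever recorded going in."""


class Turnstile:
    """Tracks only the publicly visible value crossing pool boundaries."""

    def __init__(self, issued, pools):
        self.transparent = issued                # visible supply, fixed at issuance
        self.pool = {name: 0 for name in pools}  # net value recorded inside each pool

    def shield(self, name, amount):
        if amount > self.transparent:
            raise ValueError("not enough transparent funds")
        self.transparent -= amount
        self.pool[name] += amount

    def _leave(self, name, amount):
        if amount > self.pool[name]:
            raise TurnstileViolation(f"{name}: asked {amount}, recorded {self.pool[name]}")
        self.pool[name] -= amount

    def deshield(self, name, amount):
        self._leave(name, amount)
        self.transparent += amount

    def migrate(self, old, new, amount):         # the "headcount" into a new pool
        self._leave(old, amount)
        self.pool[new] += amount


def simulate(claims, issued=1000, shielded=300):
    """claims: (action, amount) exit requests in arrival order; values are constructed."""
    t = Turnstile(issued, ["old", "new"])
    t.shield("old", shielded)
    blocked = []
    for action, amount in claims:
        # The ledger cannot tell genuine notes from counterfeit ones; it only counts value.
        try:
            if action == "deshield":
                t.deshield("old", amount)
            else:
                t.migrate("old", "new", amount)
        except TurnstileViolation:
            blocked.append(amount)
    return {"transparent": t.transparent, "pool": dict(t.pool), "blocked": blocked,
            "visible_total": t.transparent + sum(t.pool.values())}
```

With 300 recorded as shielded and 550 claimed, `visible_total` stays at 1000 whatever the order of requests; only which claims end up in `blocked` changes, which is why the shortfall lands on holders still inside the pool.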
Haseeb also stated that while AI discovered the vulnerability, AI will also bring an entire category of fixes, namely formal verification. He is optimistic about formal verification becoming the direction for securing all industry software and believes that cryptographic formal verification structurally prevents implementation vulnerabilities. The market is panicking, but true privacy holders facing potential losses are not panicking. Currently, only 1% of the 30% of the privacy pool has been de-shielded, which, to him, is the clearest signal that those truly at risk do not believe the vulnerability has been exploited. He said that the size of the privacy pool is a prediction market for this vulnerability.
