Zcash Orchard CVE-2026-54496
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Any unauthenticated network participant can submit a crafted proof (AV:N/PR:N/UI:N); a circuit-library flaw compromises separate consensus integrity (S:C); impact is double-spend/forgery (I:H), no data disclosure (C:N), limited availability (A:L).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 cargo packages depend on halo2_gadgets (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.5.0.
DescriptionGitHub Advisory
Summary
A soundness vulnerability in the variable-base scalar multiplication gadget of halo2_gadgets allowed a malicious prover to produce a valid proof for an Orchard Action with an *under-constrained* base point. Because this gadget enforces the diversified-address-integrity condition of the Orchard Action statement, the flaw let a prover satisfy that condition for an arbitrary (pk<sub>d</sub>, g<sub>d</sub>, ivk) triple, effectively bypassing the check that binds an Action to the correct incoming viewing key - and therefore to the correct nullifier (nf) and spend validating key (ak) - of the note being spent.
The main practical consequence is that an adversary could have performed a double-spend within the Orchard pool, resulting in a balance violation: the same note could be spent multiple times, each time revealing a distinct, valid-looking nullifier. The total ZEC supply was protected by Zcash's turnstile mechanism, which bounds value flowing out of any pool, so unbounded inflation of the overall supply was not possible; the exposure was inflation of value *within* the Orchard pool up to the turnstile-enforced limit.
Exploiting the vulnerability via a double-spend is undetectable on-chain. Exploitation only requires setting private circuit inputs to chosen values, and nullifiers produced by a double-spend are indistinguishable from honest nullifiers, so the zero-knowledge property hides any signature of the attack.
Alternatively, an adversary could (before the fix) have stolen funds by forging a spend authorization for an existing note. To do so they would have to know the note plaintext, which in practice they might obtain by knowing the corresponding incoming viewing key. For example, this could be used to bypass the protection provided by holding spending keys on a hardware wallet, if the linked software wallet were compromised. This form of exploitation cannot be detected via the turnstile (which might be a motivation to exploit the vulnerability in this way rather than via balance violation). It can be detected by the legitimate holder of stolen funds being unable to spend them, or by seeing the note's nullifier on-chain - but this cannot necessarily be distinguished from compromise of the spending key by other means.
The vulnerability has existed since the Orchard pool was introduced in the NU5 network upgrade (activated May 31, 2022). There is no evidence it was exploited prior to remediation.
Note that use of the vulnerability, either for balance violation or for theft of funds, would need to have occurred before it was remediated. Theft would be in principle detectable from that point (since the real nullifier would appear on-chain). Balance violation would not be detectable at the point of exploitation.
Root cause
The defect is in the double-and-add implementation of variable-base scalar multiplication in halo2_gadgets/src/ecc/chip/mul/incomplete.rs. For performance, the algorithm uses incomplete point-addition formulas in its intermediate stage. (Incomplete addition is safe here in principle: the first and last stages use complete addition, and reaching a degenerate case would require breaking discrete log.)
The base point is fed into the incomplete-addition stage via assign_advice(), which assigns a witness value (a private circuit input) without introducing a constraint that ties that value to the actual base the algorithm is supposed to operate on:
region.assign_advice(|| "x_p", self.double_and_add.x_p, row + offset, || x_p)?;
region.assign_advice(|| "y_p", self.y_p, row + offset, || y_p)?;*(halo2_gadgets/src/ecc/chip/mul/incomplete.rs, around L309-L310 at commit 32a87582dfb0ad9364ef3ffe71751ceab2a502ea.)*
The existing q_mul_2 constraint forces the base values used *across* the incomplete-addition loop to be equal to one another, but nothing forces them to equal the actual base. A malicious prover therefore has complete freedom to choose the base used by the loop. Given target pk<sub>d</sub>, g<sub>d</sub>, and ivk, the prover can solve for the base value that makes the computed [ivk] g<sub>d</sub> equal the desired pk<sub>d</sub>, satisfying the diversified-address-integrity equation pk<sub>d</sub><sup>old</sup> = [ivk] g<sub>d</sub><sup>old</sup> for inputs that an honest prover could never satisfy.
Why this enables a double-spend
The Orchard Action statement constrains the nullifier of the spent note to be derived from the correct nullifier key nk, which in turn is bound to the correct incoming viewing key ivk, via ivk = Commit<sup>ivk</sup><sub>rivk</sub>(Extract<sub>ℙ</sub>(ak<sup>ℙ</sup>), nk). The diversified-address-integrity check pk<sub>d</sub> = [ivk] g<sub>d</sub> is what normally guarantees the prover used the correct ivk -and hence the correct nk- for the note. With that check bypassable:
- The prover picks a fresh, incorrect nk for the note being spent. Since nk feeds the nullifier computation, a wrong nk yields a different nullifier for the same note.
- Other circuit constraints still force the prover to derive ivk honestly from that wrong nk, producing a wrong ivk for the note - which would normally be caught by the integrity check.
- The prover uses the under-constrained base to satisfy pk<sub>d</sub> = [ivk] g<sub>d</sub> anyway, defeating the check.
- Each distinct wrong nk produces a distinct valid nullifier, allowing the note to be spent repeatedly.
Why this enables theft
The spend validating key, ak<sup>ℙ</sup> (essentially equivalent to ak), is also constrained via ivk = Commit<sup>ivk</sup><sub>rivk</sub>(Extract<sub>ℙ</sub>(ak<sup>ℙ</sup>), nk). As above, the diversified-address-integrity check is what normally guarantees the prover used the correct ivk -and hence the correct ak- for the note. With that check bypassable:
- The prover picks an ak for which they know the private key, ask.
- They construct a transaction that spends the victim's notes, and sign it using that ask.
Impact
- Integrity: High. A malicious prover could spend Orchard notes multiple times, inflating value within the Orchard pool. This is bounded only by the turnstile limit on the pool. Alternatively, the prover could authorize spending other users' notes without having the spending key.
- Confidentiality: None. The zero-knowledge property is intact; no private data is disclosed. This is also why the attack leaves no observable on-chain signature.
- Availability: Not directly affected by the bug. (The coordinated response temporarily disabled Orchard actions as a mitigation; that was an operational choice, not an effect of the vulnerability.) On the other hand, either theft of funds, or inability to spend funds due to a future turnstile violation could be considered an availability consequence.
Affected versions
halo2_gadgets< 0.5.0orchard< 0.14.0zcash_primitives< 0.28.0zcashd< 6.20.0zebrad< 5.0.0
Patches
The circuit-level fix replaces the first-iteration assign_advice() calls for the base point with copy_advice(), introducing a copy constraint that requires the first base value to equal the correct base. Combined with the existing q_mul_2 equality constraint across the loop, this transitively constrains every base value in the incomplete-addition stage to the correct base, closing the freedom the attacker relied on.
Because remediating a zero-knowledge circuit changes the pinned verifying key, the network-level fix required a hard fork (NU6.2). NU6.2 re-enables Orchard with the corrected circuit and routes Orchard proofs to a per-circuit verifying key (InsecurePreNu6_2 / FixedPostNu6_2).
halo2_gadgets0.5.0orchard0.14.0zcash_primitives0.28.0zebrad5.0.0 (NU6.2); 4.5.3 ships the interim soft-fork mitigationzcashd6.20.0 (NU6.2)
Workarounds / mitigations
There is no client-side workaround for the underlying soundness flaw short of the circuit fix. The deployed interim mitigation (Zebra 4.5.3 / equivalent) was a soft fork that rejected all Orchard-containing transactions and blocks, fully neutralizing exploitation until NU6.2 activated.
Downstream projects that depend on the affected crates should:
- Upgrade
halo2_gadgets,orchard, andzcash_primitivesto the patched versions above. - Audit any other use of
assign_advice()(and similar non-constraining assignment APIs) where the intended invariant is that a witnessed value equals a known/fixed value; such sites should usecopy_advice()(or otherwise enforce an explicit constraint).
Indicators / detection
Exploitation produces no distinguishing on-chain signature. The turnstile mechanism, which tracks total ZEC across all value pools, provides a ground-truth supply check and confirmed the total supply remained intact. Heuristic analysis of Orchard transaction arity (e.g. patterns of duplicate-then-consolidate behavior) is possible but inconclusive against normal shielded-activity variance.
Timeline (MDT)
| Date / Time | Event |
|---|---|
| 2022-05-31 11:50 | Vulnerable NU5 upgrade activates (bug introduced) |
| 2026-05-29 (evening) | Vulnerability discovered during a protocol audit |
| 2026-05-29 23:53 | Responsibly disclosed to ZODL core engineers |
| 2026-05-30 06:30 | Disclosure acknowledged by ZODL |
| 2026-06-01 (~21:30) | Emergency soft-fork mitigation activated (block 3,363,426) |
| 2026-06-03 00:05 EDT | NU6.2 hard fork activates, Orchard re-enabled with fix (block 3,364,600) |
Credits
Discovered and responsibly disclosed by Taylor Hornby, independent security researcher, during a protocol audit conducted on behalf of Shielded Labs. Analysis and remediation was led by ZODL engineers Jack Grigg, Daira-Emma Hopwood, and Kris Nuttycombe, with Zebra patch work by Arya Solhi (Zcash Foundation).
Resources
- Zcash Foundation: *Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation* - https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/
- Affected source (pre-fix):
halo2_gadgets/src/ecc/chip/mul/incomplete.rs@ commit32a87582dfb0ad9364ef3ffe71751ceab2a502ea, L309-L310
AnalysisAI
Proof-system soundness bypass in the Zcash Orchard shielded pool lets a malicious prover forge valid zero-knowledge proofs that satisfy the diversified-address-integrity check pk_d = [ivk] g_d for arbitrary key triples, breaking the binding between an Action and the note's real incoming viewing key, nullifier, and spend authorizing key. The flaw enables an undetectable double-spend within the Orchard pool (bounded only by Zcash's turnstile supply limit) and, given knowledge of a note plaintext, theft of another user's funds by forging spend authorization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a custom/modified Orchard prover that sets the private (witness) base-point inputs to attacker-chosen values in the variable-base scalar multiplication gadget; a stock wallet cannot trigger this. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority integrity flaw, not an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious prover runs a modified Orchard proving implementation, picks a fresh incorrect nullifier key nk for a note they already spent, and lets the honest constraints derive the corresponding wrong ivk. They then solve for an under-constrained base point so the scalar-mult gadget still satisfies pk_d = [ivk] g_d, producing a valid proof carrying a brand-new, honest-looking nullifier - and repeat to double-spend the same note up to the turnstile limit. … |
| Remediation | Vendor-released patch: upgrade to halo2_gadgets 0.5.0, orchard 0.14.0, zcash_primitives 0.28.0, zebrad 5.0.0, and zcashd 6.20.0, which ship the NU6.2 circuit fix that replaces the first-iteration assign_advice() base-point calls with copy_advice(), adding a copy constraint that (together with q_mul_2) transitively binds every base value in the incomplete-addition stage to the correct base. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: conduct a comprehensive audit of all Zcash nodes, wallets, and holdings; determine current node versions and assess upgrade requirements. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-ww9q-8r59-xv46