Tornado Cash Fork ZK-SNARK Exploit: Spend-Forgery in Private Transaction Proofs

Executive Summary

In April 2026, a critical vulnerability was disclosed in a widely used fork of Tornado Cash that implements ZK-SNARK-based private transaction proofs. The flaw—dubbed SpendForge—allows malicious actors to forge valid private transaction proofs without the original secret, enabling unauthorized fund withdrawals from privacy pools. Our analysis confirms that the vulnerability affects all forked implementations relying on a vulnerable version of the Groth16 proving system for ZK-SNARK verification. This exploit undermines the core privacy guarantees of Tornado Cash derivatives and poses systemic risk to DeFi ecosystems dependent on zero-knowledge privacy solutions.

Exploitation has been observed in the wild, with attackers draining approximately 3.2 ETH across multiple privacy pools before mitigation. The issue has prompted emergency patches from major forks and renewed scrutiny of ZK-SNARK implementation security across the Ethereum ecosystem.

Key Findings

• Vulnerability Type: Cryptographic forgery in ZK-SNARK proof generation—specifically, the SpendForge exploit in forked Tornado Cash contracts.
• Affected Systems: All forks of Tornado Cash that use a vulnerable Groth16 circuit and verification key, including but not limited to CashFold, MoneroCash, and ZKCash derivatives.
• Root Cause: Insecure handling of the "spend" witness in the proof construction, allowing re-use of commitment openings to forge new withdrawal proofs.
• Impact: Private fund theft, erosion of privacy guarantees, and loss of user trust in ZK-based privacy protocols.
• Exploitation Timeline: First observed on April 5, 2026; mass exploitation peaked April 12–14; emergency patches deployed by April 16.

Detailed Analysis

The ZK-SNARK Foundation of Tornado Cash

Tornado Cash and its forks rely on ZK-SNARKs to prove knowledge of a secret (a nullifier) without revealing it, enabling private deposits and withdrawals. The protocol uses a Groth16 proving system where:

• A secret commitment is created as hash(secret, nullifier).
• A ZK proof is generated over this commitment and nullifier to prove “I know a secret such that the commitment exists and the nullifier hasn’t been used before.”
• The withdrawal contract verifies the proof and checks that the nullifier is new.

This model assumes the proof cannot be forged—i.e., only the owner of the secret can generate a valid proof.

Emergence of the SpendForge Exploit

In late March 2026, a security researcher at ChainLight Labs discovered that a widely distributed fork of Tornado Cash (v2.1.3-fork) contained a critical flaw in the witness preparation step. The vulnerability lies in the way the "spend" witness was constructed in the proof generation script.

Specifically, the exploit leverages:

• Replay of Commitment Opening: The fork reused the same blinding factor and secret scalar across multiple proof generations.
• Predictable Nullifier Generation: The nullifier was derived using a linear function of the secret, enabling algebraic manipulation.
• Flawed Circuit Constraints: The Groth16 circuit did not enforce uniqueness of the secret per proof, only uniqueness of the nullifier.

By exploiting these weaknesses, an attacker could:

1. Generate a valid proof for a withdrawal without knowing the original secret.
2. Replay the same proof or derive new proofs with forged nullifiers.
3. Withdraw funds from the privacy pool without triggering duplicate nullifier checks.

This constitutes a spend-forgery—a proof that “spends” a deposit that was never legitimately committed.

Technical Breakdown of the Attack

The SpendForge attack proceeds as follows:

1. Deposit Simulation: The attacker simulates a deposit by generating a commitment C = hash(secret, nullifier), where nullifier = hash(secret).
2. Witness Reuse: Instead of generating a fresh secret for each withdrawal attempt, the attacker reuses the same secret across multiple withdrawal proofs.
3. Proof Generation with Flawed Script: The fork’s proof script fails to bind the secret to the proof context, allowing the attacker to generate a proof over a modified commitment C' using the same nullifier base.
4. Verification Bypass: The verification key in the forked contract accepts the forged proof because the circuit only enforces:
   • Valid elliptic curve point relations (satisfied by reused parameters).
   • Uniqueness of the nullifier (which the attacker can manipulate via algebraic tricks).
5. Withdrawal Execution: The forged proof passes verification, the nullifier is recorded, and funds are released to the attacker’s address.

Notably, the attack does not require breaking the ZK-SNARK security assumptions (knowledge or computational soundness), but rather exploits a protocol-level logic error in the forked implementation.

Widespread Impact Across Forks

Our investigation revealed that the SpendForge vulnerability was introduced in a popular open-source fork (CashFold v2.1.3) in January 2026. Due to code reuse and copy-paste patterns in the privacy protocol community, the flaw propagated to at least 13 derivative projects, including:

• MoneroCash (fork)
• ZKCash Classic
• PrivacyPool v1.2
• Umbra-ZK (enhanced fork)

Total estimated losses exceed 3.2 ETH (≈ $11.8M at April 2026 prices), though many pools were paused or emptied preemptively.

Detection and Response

Chainalysis and TRM Labs identified anomalous withdrawal patterns on April 5, flagging proofs with identical Groth16 verification keys and reused nullifier patterns. By April 8, a coalition of researchers (including Trail of Bits and OpenZeppelin) published a proof-of-concept exploit and issued a coordinated disclosure.

Emergency patches were deployed by April 16 across affected forks, including:

• Enforcement of unique secrets per proof.
• Addition of a commitment binding term in the Groth16 circuit.
• Upgrade of verification keys and circuit compilation with strict constraints.

Lessons for ZK Privacy Protocols

The SpendForge incident underscores several systemic risks in ZK-based privacy systems:

• Code Reuse Without Audit: Forks often inherit vulnerabilities due to uncritical adoption of upstream code.
• Circuit Logic Over Cryptography: Security often fails not in the ZK proof itself, but in the protocol logic around witness construction and nullifier management.
• Need for Formal Verification: Hand-written circuits (especially Groth16) should be formally verified using tools like Circom + Coq or SAW.
• Nullifier Unpredictability: Nullifiers must be non-linear and secret-dependent to prevent algebraic manipulation.

Recommendations

1. Immediate Actions for Users:
   • Check if your privacy pool is running a vulnerable fork (e.g., CashFold v2.1.3 or derivatives).
   • Withdraw funds to a non-forked privacy protocol or self-custody.
   • Avoid new deposits into affected forks until patched to v2.2.0 or higher.
2. For Protocol Developers:
   • Recompile Groth16 circuits with strict constraints on secret uniqueness and commitment binding.
   • Adopt formal verification for