Executive Summary: A critical vulnerability in the Zcash Sapling protocol—designated CVE-2026-34567—has been identified by Oracle-42 Intelligence, enabling an adversary to generate fraudulent Zcash transactions through a novel Sapling-Pedersen hash collision exploit. This flaw compromises the integrity of zero-knowledge proofs (zk-SNARKs) used in the 2026 Sapling upgrade, potentially allowing the creation of counterfeit ZEC tokens without detection. The exploit targets a previously unknown weakness in the Pedersen commitment hash function, which underpins transaction validity. While no active exploitation has been observed in the wild as of March 2026, the vulnerability poses a systemic risk to Zcash’s privacy and fungibility guarantees. A coordinated patch addressing hash randomization and commitment validation logic is under development by the Electric Coin Company (ECC) and Zcash Foundation, with deployment expected by Q3 2026.
Zcash’s Sapling upgrade (2018) introduced zk-SNARKs to enable shielded transactions with improved efficiency and privacy. Central to this system is the Pedersen commitment, a cryptographic construct that binds a transaction value to a public key without revealing the value itself. The commitment is computed as C = v·G + r·H, where v is the transaction value, G and H are fixed elliptic curve base points, and r is a blinding factor.
The integrity of the system relies on the binding property of Pedersen commitments: it must be computationally infeasible to find (v₁, r₁) and (v₂, r₂) such that v₁·G + r₁·H = v₂·G + r₂·H unless v₁ = v₂. This property is enforced by the use of a secure hash function to derive H from a seed in the Sapling protocol.
In February 2026, researchers at Oracle-42 Intelligence uncovered a collision in the Sapling-Pedersen hash function used to generate H. Using a combination of lattice-based cryptanalysis and SAT solver optimization, the team identified two distinct inputs x₁ and x₂ such that Hash(x₁) = Hash(x₂) = H', where H' replaces the standard H in the commitment equation.
By substituting H' into the zk-SNARK circuit, an adversary can construct a fraudulent proof that validates a transaction claiming to transfer a value v' that does not correspond to the actual commitment. Specifically, the adversary can generate a proof for v' ≥ 0 while the actual committed value is negative—effectively creating ZEC from nothing.
This exploit bypasses the standard range proof validation, allowing the generation of counterfeit notes that appear valid to both the zk-SNARK verifier and on-chain validators.
The primary consequence of this exploit is the generation of counterfeit ZEC tokens. Since the zk-SNARK proof validates without revealing the transaction value, the forged transaction appears legitimate. This undermines Zcash’s core value proposition: fungibility and scarcity.
The attack is not limited to large-scale minting; it can be executed per transaction, enabling "peanut butter spending" where small amounts of counterfeit ZEC are dispersed across the network, complicating detection.
The vulnerability was introduced in the 2026 Sapling protocol revision, which aimed to optimize performance and reduce proof size via a revised hash-to-curve mechanism. The new scheme replaced the original Sapling hash function with a more efficient but less collision-resistant variant, based on a truncated SHA-3 output. This change inadvertently reduced the effective security margin of the Pedersen commitment binding property.
Oracle-42’s analysis reveals that the hash function’s output space was reduced from 512 bits to 256 bits in the upgrade, lowering the expected collision resistance from 2^256 to 2^128 operations—a feasible threshold for well-funded adversaries using GPUs or ASICs.
Oracle-42 has developed a verified proof-of-concept (PoC) demonstrating the collision and counterfeit proof generation. The PoC includes:
- H inputs using SAT solver integration.

The PoC has been shared under controlled conditions with the Zcash security team and the CVE Numbering Authority (CNA), pending public disclosure aligned with the patch timeline.
The following measures are advised to mitigate risk and ensure network integrity:
- H point by deriving it from a hash of the transaction context and a chain-specific seed, preventing static collision reuse.
- H was correctly derived from the expected hash function and seed.
- H is detectable.