Blockchain researcher ZachXBT has discovered a privacy vulnerability in the integration of Zashi Wallet with the cross-chain transaction protocol NEAR Intents. The independent researcher wrote in an X thread on Tuesday that he tested the system to find “exploitable design flaws” while investigating fraudsters.
Zashi is a self-custodial crypto wallet developed by Electric Coin Co., the same team behind Zcash (ZEC), a privacy-oriented cryptocurrency launched in 2016. This wallet allows users to send, receive, and spend ZEC while keeping their financial activities hidden from intermediary, corporate, or government surveillance.
ZachXBT wrote that he tested Zashi’s integration with NEAR Intents because of the “recent hype” and wondered whether it could maintain the level of anonymity that Zcash users expect from shielded transactions.
Investigators identify privacy flaws in migrating SOL to Zcash
In his experiment, ZachXBT bridged 1 SOL from Solana to Zcash, using NEAR Intents to deliver it to the Zashi wallet. He then shielded the funds for privacy after verifying both the source and destination transactions.
The blockchain security sleuth then funded an Ethereum address with 0.005 ETH using Zashi’s “CrossPay” feature, which allows users to spend shielded ZEC and send the equivalent value in another cryptocurrency.
3/ Now let’s say you want to anonymously deposit funds from your Zashi wallet to your ETH address using shielded ZEC. So, use the “Crosspay” feature via Near Intents and receive 0.005 ETH to the following address:
0x6dda3649f19191a9df465f4010019f2f59c34bc4
— Zach XBT (@zachxbt) October 21, 2025
Although the main transfer completed a few minutes later, ZachXBT discovered that an unexpected refund transaction of 0.001598 ZEC was sent to the same transparent address that had originally shielded the funds.
According to the widely followed cryptocurrency security researcher, the automatic refund created a visible link between shielded and unshielded addresses, compromising the privacy that Zcash’s shielded system is supposed to protect.

The refund transaction is publicly traceable on the Zcash blockchain, and anyone could have identified it by matching its timing and amount against activity from the NEAR Intents address.
“Someone could simply match the timing/amount from the Near Intents address and identify the ZEC refund txns. This would allow someone to de-anonymize it since the T-address that originally secured the ZEC is static and the refund is unsecured,” ZachXBT speculated.
Zashi Wallet promises updates to resolve traceability issues
The Web3 security researcher said the flaw stems from the way NEAR Intents handles refunds for cross-chain transactions. In his example, the NEAR Intents Zcash address used was public, meaning the refund transaction was processed transparently and not within Zcash’s shielded pool.
Zashi’s integration reuses the same transparent address for refunds, making the connection clear to on-chain analysts.
After identifying the flaw, ZachXBT said he contacted the Zashi development team, who acknowledged the problem and confirmed plans to introduce ephemeral addresses.
If the update is implemented as intended, these temporary wallet addresses will be discarded after each transaction to reduce traceability. The team also said that NEAR Intents will include shielded refunds in a future update.
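The address-reuse link described above, and the effect of the planned ephemeral addresses, can be shown with a short audit over constructed data. This is an added example, not code from Zashi, NEAR Intents or ZachXBT; the addresses, transaction ids and field names are hypothetical placeholders, and only the 0.001598 ZEC refund amount comes from the report.

```python
from collections import Counter

def refund_exposure(shield_events, refunds):
    """Map each refund txid to the address-based reasons it is linkable.

    An empty list means the refund address alone does not tie the refund
    to earlier activity. Timing/amount matching is not modelled here.
    """
    shield_sources = {e["from_taddr"] for e in shield_events}
    reuse = Counter(r["to_taddr"] for r in refunds)
    report = {}
    for r in refunds:
        reasons = []
        if r["to_taddr"] in shield_sources:
            reasons.append("refund sent to the t-address that shielded the funds")
        if reuse[r["to_taddr"]] > 1:
            reasons.append("refund address reused across swaps")
        report[r["txid"]] = reasons
    return report

# Constructed sample data (placeholder addresses and txids, not real ones).
SHIELD_EVENTS = [{"txid": "shield-1", "from_taddr": "t1STATIC-PLACEHOLDER"}]

# Behaviour described in the report: refunds return to the static t-address.
STATIC_REFUNDS = [
    {"txid": "refund-1", "to_taddr": "t1STATIC-PLACEHOLDER", "zec": "0.001598"},
    {"txid": "refund-2", "to_taddr": "t1STATIC-PLACEHOLDER", "zec": "0.002100"},
]

# Planned behaviour: a fresh (ephemeral) address for each transaction.
EPHEMERAL_REFUNDS = [
    {"txid": "refund-1", "to_taddr": "t1EPHEMERAL-A-PLACEHOLDER", "zec": "0.001598"},
    {"txid": "refund-2", "to_taddr": "t1EPHEMERAL-B-PLACEHOLDER", "zec": "0.002100"},
]

if __name__ == "__main__":
    for name, refunds in (("static", STATIC_REFUNDS), ("ephemeral", EPHEMERAL_REFUNDS)):
        for txid, reasons in refund_exposure(SHIELD_EVENTS, refunds).items():
            print(name, txid, reasons or "no address-based link")
```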
Despite the flaws, ZachXBT dubbed Zashi a “fun wallet experience for privacy” and noted that it fixes some user interface and experience issues encountered with the privacy coin Monero.
“We are considering offering the service to individual traders and boutique funds who want to anonymize their activities,” he said, adding that those interested can contact him directly about collaboration.
When a follower said his idea was similar to how cybersecurity consultants are hired to break into secure systems and identify weaknesses, ZachXBT agreed.
NEAR Intents Protocol hits all-time high of $2 billion
According to NEAR Intents data from Dune Analytics, user activity and transaction volume have skyrocketed, with volume now over $2 billion.
Daily blockchain monthly volume on the intent-based system increased by 379%, with over 457,000 users since September 21st.
NEAR Intents is a multi-chain transaction protocol that automates cross-chain actions through an intent-based mechanism. Instead of manually bridging or exchanging tokens, the user, or an AI agent acting on the user’s behalf, broadcasts a desired outcome, such as exchanging one token for another.
In the past 24 hours, users made $65 million worth of token trades, with ZEC accounting for 10% of the total. The Zashi wallet currently supports two live features, Zashi Swaps and CrossPay, which were launched earlier this month.

