- Core Thesis: A severe vulnerability was discovered in Zcash's privacy pool, Orchard, allowing unlimited and undetectable counterfeiting of ZEC. Although patched, the inability to prove it was never exploited over the past nearly four years has led market participants to doubt the credibility of ZEC's supply, causing the price to crash over 30%.
- Key Elements:
- The vulnerability was discovered by security researcher Taylor Hornby on May 29, who successfully wrote an exploit locally capable of generating unlimited counterfeit ZEC, though it was not deployed on the mainnet.
- The flaw originated from an "incomplete constraint" in an elliptic curve multiplication check within the Orchard circuit, allowing an attacker to bypass the "asset conservation" verification and create assets out of thin air.
- The Zcash team patched the vulnerability through an emergency soft/hard fork within four days, but market panic stems from the fact the bug had been latent for nearly four years since its introduction in May 2022.
- Zcash's Turnstile Accounting mechanism can limit the total amount of assets flowing out of Orchard, preventing the total supply cap from being breached, but it cannot directly prove that counterfeit assets have never existed historically within the pool.
- To rebuild trust, Shielded Labs is planning a network upgrade, deploying a new privacy pool and performing a verifiable migration of assets from the old pool to ultimately prove supply integrity.
- The discovery process is noteworthy: Taylor utilized the newly released general-purpose AI model Claude Opus 4.8 to assist in reviewing and writing the exploit code, signaling AI's expanding capabilities into the security domain.
Odaily reported that on May 29, 2026, Taylor Hornby discovered a critical counterfeiting vulnerability in Zcash's Orchard pool. Taylor Hornby reported the vulnerability to the Zcash Open Development Lab, and after coordinated efforts, a fix was completed on June 2. The vulnerability could have been exploited to secretly create an unlimited number of counterfeit ZEC within Zcash Orchard. Due to the privacy features of Orchard, it is cryptographically impossible to determine whether the vulnerability was exploited before the fix was deployed.
The vulnerability had existed since Orchard's activation in May 2022 until an emergency fix was deployed on June 1, 2026. Taylor Hornby, with the assistance of AI tools, wrote a complete exploit program and generated an infinite, undetectable amount of counterfeit ZEC in a local test environment. Shielded Labs is currently collaborating with other Zcash developers to explore network upgrade proposals that would allow anyone to verify the integrity of Zcash's supply.
Odaily reported that OKX market data shows ZEC dropped to 250 USDT and is currently trading at 263 USDT, representing a 24-hour decline of 54.61%.
Earlier reports indicated that Zcash fixed a vulnerability that could allow unlimited minting of ZEC. Due to the nature of privacy pools, it is impossible to verify whether this vulnerability was exploited, but it also cannot be proven that it was used to mint additional ZEC tokens.
Odaily, Cypherpunk, the company managing the ZEC treasury, stated that all software has vulnerabilities. Historically, Bitcoin once "over-minted" 184 billion BTC due to a bug. However, this does not mean abandoning blockchain technology; rather, security should be enhanced through formal verification and provable correctness.
Cypherpunk emphasized that with the development of AI technology, vulnerability detection will become faster and broader, but the key lies in who can discover issues before malicious actors. Zcash will demonstrate this capability through an upcoming update.
