TL;DR
On June 5, Zcash founder Zooko Wilcox published a rare security retrospective.
The article revealed that security researcher Taylor Hornby discovered on May 29 a critical counterfeiting vulnerability in Zcash's latest-generation privacy pool, Orchard. An attacker could construct a transaction that should not pass verification and generate unlimited and undetectable counterfeit ZEC within Orchard.
This was not a theoretical risk. Taylor had already written a full exploit and used it in a local testing environment to generate counterfeit ZEC. If the same exploit were deployed on the mainnet, an attacker could theoretically create an unlimited amount of counterfeit assets in their mainnet wallet.
Following the public disclosure, ZEC briefly plummeted over 30%. CoinMarketCap data shows that ZEC dropped to as low as $408.39 within 24 hours, about a third below its recent high of $610.47. ZEC had been one of the few recent gems in the crypto world with an outstanding wealth effect, highly praised by numerous big players; that standing has now been shattered by this vulnerability.

At a glance, this seems to be another familiar crypto security incident: vulnerability found, developers patch urgently, market panics.
However, the real crux of the Orchard incident is that while the vulnerability has been fixed, the Zcash community cannot directly answer another more sensitive question:
Has anyone exploited this vulnerability in the past four years?
Four Days Emergency Fix, Orchard Temporarily Halted
Orchard is Zcash's next-generation privacy payment protocol launched in 2022 and is one of the main privacy pools used by Zcash. Users can conceal balances, transaction amounts, and fund flows, while proving transactions comply with the rules to the network through zero-knowledge proofs.
According to the timeline disclosed by Zooko, Shielded Labs, and the Zcash community, Taylor discovered an anomaly during a targeted security review of the Orchard circuit on May 29 and immediately privately disclosed the vulnerability to the Zcash Open Development Lab (ZODL). Shielded Labs, based in Switzerland and donation-funded, is an independent organization supporting the Zcash ecosystem, actively participating in Zcash's protocol development, security, and network sustainability, but not affiliated with the Zcash Foundation or ZODL.
Within hours of receiving the report, ZODL engineers confirmed the existence of the issue and began seeking a fix. To avoid a direct code patch exposing the vulnerability to exploitation, the team initially opted to temporarily deactivate Orchard: no new Orchard outputs could be created, and spending existing funds in Orchard was also prohibited.
Following coordination with developers, miners, node operators, exchanges, and infrastructure providers, an emergency soft fork was implemented on June 2. Subsequently, Zcash performed a hard fork upgrade to refresh the verification keys of the Orchard circuit and restored Orchard functionality on June 3. Transparent addresses and Sapling shielded pools could continue operating during this period.
From vulnerability disclosure to fix completion, the entire process took only a few days. In terms of emergency response speed, this was considered a successful containment.
However, the market did not calm down after the fix, because the remedy addressed the future, not the past.

The Market's Concern Is Not That an Attack Will Happen, But That an Attack May Have Happened
Typical security incidents usually involve a relatively clear scale of loss. For instance, in a smart contract breach, the assets siphoned off by the attacker can be traced on-chain, or in the case of a cross-chain bridge exploit, the fund flow and affected addresses can be quantified.
The Orchard event is different.
As per Shielded Labs' explanation, this vulnerability could have been leveraged to clandestinely mint infinite and undetectable fake ZEC within Orchard. Due to Orchard's inherent privacy features, it is cryptographically challenging for external parties to definitively ascertain whether this attack vector was utilized before the vulnerability was patched.
This implies that the market is not facing a concrete loss figure but rather an unquantifiable uncertainty:
If someone had indeed discovered and exploited the vulnerability in the past, has there been any forged ZEC within Orchard? If so, to what extent? Are these assets still held within the shielded pool? Have they ever leaked out gradually through normal transactions?
More importantly, this risk window did not just open on May 29. Shielded Labs states that the vulnerability has been present since Orchard activated in May 2022 and persisted until the emergency fix in June 2026. In other words, the issue remained latent for almost four years.
What the market is truly concerned about is not what occurred between May 29 and June 2, but whether any imperceptible anomalies have taken place in the past four years.
This is also the core reason for ZEC's plummet of over 30%.
What the market sold off was not just a vulnerability but a repricing of the credibility of the supply.
A Mathematical Constraint Oversight Leading to the Risk of "Infinite Inflation"
When we see the words "infinite inflation bug," our initial reaction is that a hacker gained admin privileges or accessed some protocol backdoor.
The reality is more foundational.
Orchard's security relies on a set of zero-knowledge proof circuits (Orchard circuit). Users can shield the specifics of transactions, but they must prove to the network that their transactions adhere to protocol rules. One of the most crucial rules is asset conservation: a transaction cannot arbitrarily create new value.
In essence, users can keep private how much ZEC they own and to whom they send ZEC, but the network must be able to verify:
The spent assets indeed came from legitimate inputs.

The issue Taylor discovered lies in an elliptic curve multiplication check within the Orchard circuit.
Shielded Labs describes it as an "under-constrained element," meaning a circuit element with incomplete constraints. As the relevant mathematical relationships were not fully constrained, an attacker could feed arbitrary incorrect data into the elliptic curve multiplication process, yet the validation process might still pass.
In other words, the attacker does not need to break cryptographic algorithms or control network nodes.
They just need to construct a set of data that should not exist, causing the system to incorrectly believe the transaction still satisfies asset conservation.
Once this erroneous proof is accepted by the network, the originally non-existent ZEC can be considered a legitimate asset and continue to exist within Orchard.
This is also why Shielded Labs used extremely harsh language:
unlimited, undetectable counterfeit ZEC
The real danger lies not only in the "unlimited," but more in the "undetectable."
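What "under-constrained" means in practice, as an added toy example (not the Orchard circuit, and not code from Zcash or Shielded Labs): the field size, the square-and-multiply layout and the omitted bit constraint are all assumptions chosen for illustration, since the article does not say which constraint was missing. The audit enumerates every witness and checks that the verifier accepts exactly one result per public input.

```python
# Toy constraint system over F_13 (constructed for illustration; NOT Orchard).
# Intended statement: R = G^k mod P for a 2-bit scalar k = b0 + 2*b1.
from itertools import product

P = 13  # tiny field so every witness can be enumerated


def constraints(G, k, R, b0, b1, boolean_bits):
    """Return True when the witness (b0, b1) satisfies every constraint."""
    G2 = (G * G) % P
    sel0 = (1 + b0 * (G - 1)) % P     # meant to be G if b0 == 1, else 1
    sel1 = (1 + b1 * (G2 - 1)) % P    # meant to be G^2 if b1 == 1, else 1
    checks = [
        (b0 + 2 * b1) % P == k % P,   # bits recompose the scalar
        (sel0 * sel1) % P == R % P,   # product of selected powers is the result
    ]
    if boolean_bits:                  # the constraint the weak variant omits
        checks += [(b0 * (b0 - 1)) % P == 0, (b1 * (b1 - 1)) % P == 0]
    return all(checks)


def accepted_outputs(G, k, boolean_bits):
    """Audit: enumerate all witnesses, collect every R the verifier accepts."""
    outputs = set()
    for b0, b1, R in product(range(P), repeat=3):
        if constraints(G, k, R, b0, b1, boolean_bits):
            outputs.add(R)
    return outputs


def is_deterministic(G, k, boolean_bits):
    """A sound circuit accepts exactly one output per public input."""
    return accepted_outputs(G, k, boolean_bits) == {pow(G, k, P)}


if __name__ == "__main__":
    print("fully constrained:", sorted(accepted_outputs(2, 2, True)))
    print("bit checks omitted:", sorted(accepted_outputs(2, 2, False)))
```

With the bit checks in place the only accepted result for G = 2, k = 2 is 4; without them the same public inputs also accept values that are not G^k, which is the signal an audit of this kind looks for.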
There is an important distinction between the two statements
In its announcement following the upgrade, the Zcash Foundation stated that no evidence of exploited vulnerabilities has been found, no unauthorized value creation has been detected, and user funds and privacy remain unaffected. The announcement also emphasized that Zcash's original Turnstile Accounting mechanism can trace the value flow between different pools of funds and protect the total supply cap of 21 million ZEC.
Meanwhile, Shielded Labs has made it clear that it cannot be proven by cryptographic means alone that counterfeit ZEC has never occurred in Orchard's history.
These two statements may seem contradictory, but they actually address issues on two different levels.
Zcash's original Turnstile Accounting can be understood as a "turnstile" between different funding pools. The system can count how many legitimate assets have entered Orchard in total and restrict the amount of assets that can flow out of Orchard.
Assuming Orchard originally contained only 1 million legitimate ZEC, even if an attacker internally counterfeited more assets, the system would not allow the total outflow to exceed the legitimate amount. This helps prevent an easy breach of the total supply cap of the entire Zcash network.
However, this mechanism cannot directly prove that there has never been counterfeit currency inside Orchard.
If counterfeit assets remain within Orchard or gradually replace genuine assets within the legal outflow limit, the existing statistical mechanism may not provide a definitive historical conclusion.
For what is arguably the longest-running crypto privacy project, all we know is that there is currently no evidence of abnormal inflation, but the community still cannot definitively prove that there have never been counterfeit assets inside Orchard.
This is precisely the type of risk that is most challenging for the market to handle.
The issue is not how many counterfeit coins have been discovered, but that no one can definitively confirm that counterfeit coins have never existed.
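The two levels described above can be seen in a small simulation, added here as an example (it is not Zcash code; the class, its method names and the scenario amounts other than the 1 million figure are assumptions). It models only what the turnstile can observe, the public pool balance, next to a hidden note total that no real observer can see.

```python
# Toy model of turnstile accounting for one shielded pool (added example).
# Amounts are whole ZEC. `hidden_notes` is visible only to this simulation;
# a real observer sees nothing but the public pool balance.

class PoolTurnstile:
    def __init__(self):
        self.balance = 0        # public: total inflow minus total outflow
        self.hidden_notes = 0   # private: value claimed by notes in the pool

    def deposit(self, amount):
        self.balance += amount
        self.hidden_notes += amount

    def forge(self, amount):
        # Models an invalid proof that was accepted: notes appear inside the
        # pool, but no value crosses the turnstile, so `balance` is unchanged.
        self.hidden_notes += amount

    def withdraw(self, amount):
        # Turnstile rule: the public pool balance may never go negative.
        if amount > self.balance or amount > self.hidden_notes:
            return False
        self.balance -= amount
        self.hidden_notes -= amount
        return True


def run_scenario(forged, forged_exit, honest_exit):
    pool = PoolTurnstile()
    pool.deposit(1_000_000)              # legitimate ZEC, figure from the text
    public_before = pool.balance
    pool.forge(forged)
    forgery_visible = pool.balance != public_before
    forged_exit_ok = pool.withdraw(forged_exit)
    honest_exit_ok = pool.withdraw(honest_exit)
    return {
        "forgery_visible": forgery_visible,
        "forged_exit_ok": forged_exit_ok,
        "honest_exit_ok": honest_exit_ok,
        "pool_balance": pool.balance,
        "unbacked_notes": pool.hidden_notes - pool.balance,
    }


if __name__ == "__main__":
    print(run_scenario(500_000, 0, 0))                # stays inside the pool
    print(run_scenario(500_000, 400_000, 1_000_000))  # displaces genuine value
    print(run_scenario(2_000_000, 1_500_000, 0))      # exceeds inflow: rejected
```

The third scenario is the supply-cap protection; the first two are the cases where the public balance alone gives no historical answer.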
How Does Zcash Re-Prove There Are No Counterfeit Coins in Orchard?
The vulnerability fix is just the first step.
Shielded Labs has indicated that they are working with other Zcash developers on a new network upgrade proposal. The proposal includes deploying a new privacy pool and mandating Turnstile Accounting for all assets migrated out of Orchard.
This is equivalent to setting up a new migration gate for Orchard.
Assets from the old Orchard must follow verifiable rules to enter the new privacy pool. The system can recompute the scale of legitimate assets that have flowed out and determine if there are additional ZEC that cannot be validly migrated.
If the upgrade is successfully implemented, anyone can verify the integrity of Zcash's supply and further prove that there are no counterfeit assets in Orchard.
The significance of this proposal is not just fixing the code but rebuilding market trust in Orchard.
Because in a privacy system, trust does not come from "we believe no attack has occurred" but should come from "anyone can verify that no attack has occurred."
Shielded Labs themselves have acknowledged that the probability of prior exploitation was low. The vulnerability remained hidden for many years, making detection extremely difficult. Taylor actively sought out such issues in a dedicated security research project. After the vulnerability was disclosed, the ecosystem rapidly closed the attack window within a few days.
However, Shielded Labs also emphasizes that users should not rely solely on the development team's subjective judgment.
What the market needs is proof.
Why Was a Vulnerability Hidden for Four Years Discovered Now?
The Orchard incident has another detail that is easily overlooked by the market.
On May 28, Anthropic released Claude Opus 4.8.
One day later, Taylor discovered the Orchard vulnerability.
According to Zooko's postmortem with Shielded Labs, shortly after the release of Opus 4.8, Taylor used it for a highly targeted Orchard circuit audit and discovered an issue on May 29. Subsequently, aided by Opus 4.8, he crafted a full exploit program, generating infinite and undetectable fake ZEC in a local environment.
This detail is noteworthy not because AI can now independently conduct cryptographic audits.
Public information does not support such an exaggerated conclusion.
Taylor himself is a seasoned security researcher. Shielded Labs also noted that he employed a combination of traditional security research methods, a custom AI toolchain, and specially crafted prompts. Opus 4.8 was a critical tool in the audit process but not the sole factor.
What is truly remarkable is that Taylor was not using the Anthropic Claude Mythos Preview, a specialized model designed for network security scenarios with restricted access, but the newly released general-purpose model Opus 4.8.
Anthropic positions Mythos Preview as an advanced model with significant vulnerability discovery and exploitation capabilities. Due to the potential misuse risk, Anthropic did not directly open this model to the public but provided access to a curated set of partners through Project Glasswing.
In contrast, Opus 4.8 is a general-purpose model accessible to regular developers. Anthropic emphasized in its release notes that it has improvements in code analysis, complex task execution, and bug identification.
This highlights a more noteworthy signal from the Orchard incident:
The ability to discover high-value vulnerabilities is transitioning from a few specialized security models to general-purpose models.
A general-purpose model publicly released just one day earlier, guided by a professional researcher, was already being used to audit complex zero-knowledge proof circuits and helped uncover a critical vulnerability hidden for nearly four years.
This does not mean that cryptographic experts are no longer crucial.
On the contrary, Taylor's experience, the choice of audit targets, and the ability to validate the model's outputs remain at the core of the entire process.
But the combination of experts and AI is significantly reducing the cost of discovering complex vulnerabilities.
The Vulnerability Has Been Patched, But the Market Is Still Waiting for Answers
For Zcash, the most urgent attack window has been closed.
The Orchard feature has been restored, the verification circuit has been updated, and there is currently no evidence that the vulnerability has been maliciously exploited.
However, ZEC's plummet of over 30% indicates that the market is concerned about more than just whether the code has been fixed.
The market is still waiting for a more thorough answer:
Has there been any counterfeiting of ZEC within Orchard in the past four years?
If the new Shielded Pool and Turnstile Accounting upgrade can be smoothly implemented, the community will eventually have the opportunity to prove the supply integrity and rebuild market trust.
But until this proof is complete, the Orchard incident still holds an unresolved mystery:
Did the counterfeit ZEC that could in theory be created without limit never exist, or was it once hidden where no one could directly see?
