"Unbounded Inflation": Did It Really Happen? Zcash Founder Addresses Market's Four Major Concerns

Bitsfull · 2026/06/15 17:30

Summary:

After the Ironwood upgrade, users can personally verify if Zcash has experienced any inflation bug.


Editor's Note: On June 5th, Beijing time, the privacy project Zcash was hit by a critical forgery vulnerability in Orchard, its new-generation shielded pool. The Zcash token ZEC plummeted, nearly halving to a low of $250.


After ten days, the market's panic has somewhat subsided, ZEC's price has rebounded, and today it returned to $500. (Recommended reading: "‘Infinite Inflation’ Vulnerability Lurked for Four Years, Privacy Coin ZEC Halved in a Day")


This morning, Zcash founder Zooko Wilcox once again published a lengthy article responding to the market's concerns.


He stated that the Orchard vulnerability was likely never exploited and that legitimate Orchard funds can be recovered. Users currently cannot independently verify whether Zcash's supply exceeds the limit, but the Ironwood upgrade will seal the Orchard pool and restore that ability. Ongoing reviews have not identified other forgery vulnerabilities, although full certainty will require more work.


The recent Orchard vulnerability has raised important questions about Zcash's supply and user fund security. The discussion has mixed multiple different issues, making it difficult to understand the actual impact of this vulnerability on users. This article attempts to separate these issues and explain their significance to users one by one.


The Orchard vulnerability has raised four key questions:


1. Has the Orchard vulnerability been exploited before?


2. Can legitimate Orchard funds be recovered?


3. Can users verify that Zcash's supply has not been inflated?


4. How do we know there are no other forgery vulnerabilities?


Has the Orchard Bug Ever Been Exploited?


Unknown. We believe the likelihood of past exploitation is low, although it cannot be entirely ruled out. We believe the bug was likely not exploited for three main reasons:


Despite continuous scrutiny by many of the world's top cryptographers and security researchers over the years, the bug had not been discovered previously. Its eventual discovery was not accidental: it was found by Taylor Hornby of Shielded Labs, who was deliberately searching for such security flaws before malicious actors could exploit them.


Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to uncover subtle flaws that others had missed, tools that would be harder to build for anyone less familiar with the Zcash codebase.


Upon discovery, Zcash developers (led by the Zcash Open Development Labs team) swiftly coordinated with mining pools, temporarily freezing the Orchard pool and deploying a fix to limit any window of opportunity for exploitation.


Exploitation of cryptocurrency bugs is common, and attackers usually try to cash out as quickly as possible, especially once a bug is publicly disclosed. To profit from this bug, an attacker would need to convert the counterfeit ZEC into valuable assets, which would typically mean ZEC flowing out of the Orchard pool through the turnstile mechanism.


If the bug had been exploited prior to the fix, we would expect evidence to have surfaced by now. Historically, cryptocurrency bug exploits have typically been "smash and grab" operations rather than strategies hidden for months or even years like "4D chess."


Can Legitimate Orchard Funds Be Recovered?


We believe they can, because we believe the bug was never exploited. If that holds true, all legitimate Orchard funds can still be fully recovered.



On the other hand, if counterfeiting did occur within Orchard, the existing turnstile mechanism would cap the total amount that can leave the pool at the sum of legitimate ZEC that entered it.


Therefore, if the counterfeit funds were moved before the legitimate funds, users may be unable to recover some or all of their legitimate Orchard funds.



We believe this scenario is unlikely. However, more cautious users may still prefer to move their ZEC out of Orchard.


Before doing so, they should be aware of the following:


· Transferring funds to the transparent pool (i.e., to a t address) will expose both the transfer amount and time, and these funds will also be publicly associated with that t address.


· Moving funds from the Orchard pool to the Sapling pool will expose the transfer amount and time, but unlike transferring to a t address, it will not link these funds to a specific address or transaction history.


· The security of the Sapling pool relies on the trusted setup ceremony conducted in 2018. Users who move funds there take on this additional risk, which depends on the soundness of that trusted setup.


· To our knowledge, YWallet and Zkool are currently the only widely used self-custody Zcash wallets that support the Sapling pool.


· Moving funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodial risks, or other unforeseen issues.


Overall, we believe the level of risk mentioned above is moderate.


If your funds are currently held in a shielded self-custody wallet, given our assessment that the previous exploit is unlikely, leaving them there is a reasonable option. Moving them elsewhere if you have a secure way to do so may also be reasonable. Users can reach different conclusions based on their individual circumstances.


Can users verify that Zcash's supply has not been inflated?


Currently, they cannot. The existence of the previous vulnerability makes it impossible for users to independently verify that the ZEC circulating in the shielded pool does not exceed the correct amount.



However, as pointed out in our previous article, the Ironwood upgrade restores this capability. The diagram below illustrates why.



The proposed network upgrade addresses this issue by sealing the Orchard pool, in addition to the assurance that there are no further unknown counterfeiting vulnerabilities. New funds cannot enter the pool, and funds already in the pool cannot circulate further.


The only remaining path is to exit through the existing turnstile mechanism, which ensures that ZEC leaving the Orchard pool does not exceed the amount that legitimately entered.


This change restores the ability to validate the integrity of the Zcash supply.


Currently, if counterfeit funds exist in the Orchard pool, they can continue to circulate within it. After the upgrade, this will no longer be possible. Regardless of whether counterfeiting has occurred, anyone running a node can verify that circulating ZEC does not exceed the correct amount.


Users do not need to wait for funds to move out of Orchard, nor do they need to infer potential actions of an attacker or other users. The protocol itself provides a verifiable assurance: excess ZEC cannot continue to circulate within Orchard and inflate the supply.
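To make the turnstile argument concrete, here is an added Python model (not Zcash's or Shielded Labs' code; the class names, the amounts and the `sealed` flag are assumptions) of what a node can check: value entering and leaving the pool through the turnstile, the seal that stops entry and internal circulation, and the worst case described earlier in which a counterfeiter exits before legitimate users.

```python
# Added illustration, not Zcash's own code: a minimal model of the turnstile rule
# a node enforces on a shielded pool, and of sealing that pool as Ironwood does.
# A node sees only each transaction's net value entering or leaving the pool,
# never the notes inside it, so the pool's history bounds what it can pay out.
class TurnstileError(Exception):
    pass

class ShieldedPool:
    def __init__(self, name):
        self.name = name
        self.total_in = 0     # ZEC that verifiably entered through the turnstile
        self.total_out = 0    # ZEC that verifiably left through the turnstile
        self.sealed = False   # Ironwood-style seal: no entry, no internal spends

    def max_withdrawable(self):
        # Consensus bound: the pool can never release more than entered it.
        return self.total_in - self.total_out

    def deposit(self, amount):
        if self.sealed:
            raise TurnstileError(f"{self.name} is sealed: new funds cannot enter")
        self.total_in += amount

    def internal_spend(self):
        # Shielded-to-shielded spends show no value; a counterfeit note could
        # keep circulating this way until the pool is sealed.
        if self.sealed:
            raise TurnstileError(f"{self.name} is sealed: funds cannot circulate")

    def withdraw(self, amount):
        if amount > self.max_withdrawable():
            raise TurnstileError(f"{self.name}: withdrawal exceeds turnstile balance")
        self.total_out += amount

def supply_bound(transparent, pools):
    # What a node can verify: visible ZEC plus the most each pool could ever release.
    return transparent + sum(p.max_withdrawable() for p in pools)

def counterfeit_scenario(issued=100):
    """Article's worst case: counterfeiter exits first. Returns (recovered, bound)."""
    orchard = ShieldedPool("Orchard")
    transparent = issued - 50
    orchard.deposit(50)       # a legitimate user moves 50 ZEC into Orchard
    # ...a 100 ZEC counterfeit is minted inside the pool; no node can see it...
    orchard.sealed = True     # the upgrade seals the pool
    orchard.withdraw(50)      # counterfeiter exits first, using the whole allowance
    transparent += 50
    recovered = min(50, orchard.max_withdrawable())  # legit user: turnstile exhausted
    orchard.withdraw(recovered)
    return recovered, supply_bound(transparent, [orchard])
```

The scenario returns `(0, 100)`: the legitimate user loses their 50 ZEC, yet the verifiable supply bound never exceeds the 100 ZEC issued, which is exactly what the seal guarantees regardless of what happened inside the pool.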


This is crucial because Zcash's long-term credibility depends on users being able to independently verify the integrity of its supply. Ironwood restores the users' ability to independently validate whether the protocol's supply restrictions are being enforced.


How do we know there are no other counterfeiting vulnerabilities?


At this time, we cannot be completely certain, but we have reason to believe there are no other vulnerabilities. Shielded Labs and several other teams have been diligently reviewing the Zcash protocol for any additional counterfeiting vulnerabilities.


This includes work done with Anthropic, which, shortly before Mythos was paused, used an unreleased Mythos AI model to search for additional vulnerabilities. We plan to share more details about this review and its findings in a subsequent blog post.


As of now, no additional counterfeiting vulnerabilities have been found. The high level of expertise involved in this search, the effort put in, and the advanced AI-assisted analysis give us more confidence that no such undiscovered vulnerabilities remain.


Additionally, we are collaborating with projects like the Tachyon Project to provide further assurances that there are no more counterfeiting vulnerabilities in Zcash. We will elaborate on this in future blog posts.


Conclusion


The Orchard vulnerability presented four key questions: Whether the vulnerability was exploited, if legitimate Orchard funds can be recovered, if users can verify that Zcash's supply has not been inflated, and if there are still undiscovered counterfeiting vulnerabilities.


We consider prior exploitation of the vulnerability unlikely, so legitimate Orchard funds can be recovered and the current Zcash supply remains sound. Based on ongoing reviews by multiple independent researchers and teams, we are increasingly confident that there are no other undisclosed counterfeiting vulnerabilities.


However, users cannot currently verify the security of the Zcash supply and should not rely on our assessment—or anyone else’s assessment.


The proposed network upgrade addresses this issue. By sealing the Orchard pool, it restores users' ability to independently verify the security of the Zcash supply. Users no longer need to speculate on whether counterfeiting has occurred; they can verify that the protocol's supply constraints are being followed.

