Back

Critical Vulnerability Discovered in Zcash Orchard Pool Allows Unlimited Counterfeit Minting

Severity: High (Score: 68.2)

Sources: Panewslab, Decrypt.Co, Blockhead.Co, Mexc, Theblock.Co

Published: 2026-06-05 · Updated: 2026-06-06

Keywords: zcash, vulnerability, founder, forgery, orchard, critical, details

Severity indicators: critical, vulnerability

Summary

On May 29, 2026, security researcher Taylor Hornby uncovered a critical vulnerability in Zcash's Orchard shielded pool, enabling the potential minting of unlimited counterfeit ZEC tokens. The flaw, which had existed since the pool's launch in May 2022, was discovered using Anthropic's Opus 4.8 AI model. Following the disclosure, Zcash developers swiftly patched the vulnerability on June 1, 2026. However, the nature of the vulnerability makes it impossible to cryptographically verify if any counterfeit ZEC was created before the patch. The price of ZEC plummeted by over 30% following the announcement, reflecting market concerns about the integrity of the token supply. Zcash founder Zooko Wilcox emphasized that the vulnerability had evaded scrutiny from top cryptographers for years, suggesting a low likelihood of prior exploitation. Shielded Labs is proposing a network upgrade to enhance supply verification and prevent future issues. The incident highlights the challenges of maintaining privacy while ensuring security in cryptocurrency systems. Key Points: • A critical vulnerability in Zcash's Orchard pool allows unlimited counterfeit ZEC minting. • The flaw existed undetected since May 2022 and was discovered using AI-assisted methods. • Zcash developers patched the vulnerability quickly, but market concerns led to a 30% drop in ZEC price.

Detailed Analysis

**Impact** The vulnerability affects all users of the Zcash Orchard shielded pool, active since May 2022, potentially impacting the entire ZEC supply within this privacy pool. The flaw allowed undetectable creation of unlimited counterfeit ZEC tokens, risking inflation of the shielded supply without on-chain detection. Market capitalization dropped by billions as ZEC price fell 30–40%, with intraday declines near 50% from highs above $700. The incident impacts cryptocurrency holders, exchanges, and related financial services globally, given Zcash’s broad user base and market presence. **Technical Details** The vulnerability is a soundness bug in the Orchard zero-knowledge proof circuit related to an under-constrained elliptic curve multiplication check, allowing invalid proofs that create counterfeit ZEC. Discovered by security researcher Taylor Hornby using Anthropic’s Opus 4.8 AI model, he developed and tested a full exploit locally capable of minting unlimited counterfeit tokens. The flaw existed since Orchard’s launch in May 2022 and was disclosed privately on May 29, 2026. No CVE identifiers were provided. The attack vector involves crafting invalid transaction inputs that bypass cryptographic constraints, affecting the validation stage of the transaction kill chain. No evidence of exploitation on mainnet exists. **Recommended Response** Apply the emergency patch deployed via the NU6.2 hard fork on June 3, 2026, which fixes the zero-knowledge circuit vulnerability and re-enables Orchard transactions. Monitor for any anomalous shielded pool activity and prepare for the proposed network upgrade introducing a new shielded pool with enforced turnstile accounting to verify supply integrity. Maintain heightened vigilance on wallet and node software versions to ensure all components are updated. No specific IOCs are available due to the privacy-preserving nature of the protocol.

Source articles (9)

  • Zcash founder reveals details of a serious forgery vulnerability in Orchard, stating that ... — Panewslab · 2026-06-05
    PANews reported on June 5th that Zcash founder Zooko Wilcox posted on the X platform that security researcher Taylor Hornby discovered a serious forgery vulnerability in the Zcash Orchard pool on May…
  • Claude AI Finds Critical Vulnerability in Zcash — Blockhead.Co · 2026-06-05
    Zcash founder Zooko Wilcox has publicly disclosed the details of a critical forgery vulnerability in the Orchard shielded pool that was discovered, patched, and resolved through an emergency network u…
  • Zcash was found to have a vulnerability in its issuance scheme by AI, causing ZEC to ... — Panewslab · 2026-06-05
    On June 5th, Zcash founder Zooko Wilcox disclosed on the X platform that security researcher Taylor Hornby discovered a critical forgery vulnerability in the Zcash Orchard privacy pool on May 29th. Th…
  • Morning Minute: Massive ZCash Exploit Found by Claude, Extent Unknown — Decrypt.Co · 2026-06-05
    Morning Minute is a daily written by Tyler Warner . The analysis and opinions expressed are his own and do not necessarily reflect those of Decrypt. And c heck out our new daily news show covering all…
  • Id1520762610 — podcasts.apple.com · 2026-06-05
    A -generation media company capturing the most compelling narratives in emerging technology. Hosted on Acast. See acast.com/privacy for more information. Bitcoin sellers are finally taking a break. Bu…
  • Security researcher finds Zcash vulnerability allowing 'unlimited' counterfeit minting; ZEC drops 31% — Theblock.Co · 2026-06-05
    A security researcher discovered a critical vulnerability in Zcash's Orchard transaction pool that could be exploited to create an "unlimited" amount of counterfeit tokens within the pool. Shielded La…
  • Zcash Patches Critical Bug Enabling Unlimited Counterfeit ZEC Minting as Price Crashes 41% — News.Bitcoin · 2026-06-05
    Zcash developers have patched a critical flaw in the Orchard shielded pool that a security researcher showed could forge an unlimited supply of counterfeit ZEC. The token fell more than 40% as the dis…
  • The Zcash Orchard Vulnerability — Mexc · 2026-06-06
    On May 29, 2026—one day after Anthropic released its powerful Opus 4.8 model—a security researcher named Taylor Hornby made a discovery that sent shockwaves through the Zcash ecosystem. Hired by Shiel…
  • ZEC Crashes 38% as Zcash Discloses 'Critical Counterfeiting Vulnerability' — Decrypt.Co · 2026-06-06
    Zcash plunged double digits overnight after developers disclosed a critical vulnerability in the protocol's Orchard shielded pool that could have allowed undetectable counterfeiting for over four year…

Timeline

  • 2026-05-29 — Vulnerability discovered by Taylor Hornby: Taylor Hornby found a critical flaw in Zcash's Orchard pool that could mint unlimited counterfeit ZEC tokens using AI tools.
  • 2026-06-01 — Vulnerability patched: Zcash developers implemented an emergency patch to fix the vulnerability in the Orchard pool.
  • 2026-06-05 — Public disclosure of vulnerability: Zooko Wilcox publicly disclosed the vulnerability, leading to a significant drop in ZEC price by over 30%.
  • 2026-06-06 — Market reaction continues: ZEC price remains volatile as users question the integrity of the token supply following the vulnerability disclosure.

Related entities

  • Zero-day Exploit (Attack Type)
  • Shielded Labs (Company)
  • Zcash Foundation (Company)
  • ZODL (Company)
  • ZODL Team (Company)
  • Zcash (Platform)
  • Halo 2 (Platform)
  • Halo 2 Proving System (Platform)
  • NU5 (Platform)
  • Nu6.2 (Platform)
  • Orchard (Platform)
  • Orchard Circuit (Platform)
  • Orchard Privacy Pool (Platform)
  • Orchard Shielded Pool (Platform)
  • Zk-SNARKs (Platform)
  • acast.com (Domain)
  • bitcoin.com (Domain)
  • Anthropic Opus 4.8 (Tool)
  • Anthropic Opus 4.8 Model (Tool)
  • Claude Opus 4.8 (Tool)
  • Critical Counterfeiting Vulnerability (Vulnerability)
  • Orchard Vulnerability (Vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed