Four Questions on the Zcash Orchard Vulnerability: Was it Exploited? Can Funds Be Recovered? Is the Supply Verifiable? Are There Others?

Odaily星球日报Published on 2026-06-15Last updated on 2026-06-15

Abstract

**Summary: Zcash Orchard Vulnerability Analysis** A critical forgery vulnerability was recently discovered in Zcash's Orchard shielded pool, raising concerns about the coin's supply and user funds. The developers, led by Zcash Open Development Labs, acted swiftly to temporarily freeze the pool and deploy a fix. The article addresses four key questions: 1. **Was the vulnerability exploited?** While unknown, the developers believe it is unlikely for several reasons: the bug was difficult to find, using advanced AI tools; the fix was deployed quickly; and typical crypto exploits are fast, with no evidence of abnormal outflows. 2. **Can legitimate Orchard funds be recovered?** If the bug was not exploited, all funds are safe. If exploited, a mechanism limits total withdrawals from the pool to the amount legitimately entered, potentially blocking some legitimate funds. The developers deem this unlikely but advise cautious users to consider moving funds, noting the privacy and risk trade-offs of moving to transparent or Sapling pools. 3. **Can users verify Zcash's total supply?** Not currently. The vulnerability temporarily broke the ability for users to independently verify that no extra ZEC was created. 4. **Are there other forgery bugs?** Ongoing audits by multiple teams, including using advanced AI analysis, have so far found no others, increasing confidence. The proposed "Ironwood" network upgrade is the core solution. It will **seal** the Orchard pool, preventing ne...

Original Authors: Jason McGee, CEO of Shielded Labs, and Zooko Wilcox, Founder of Zcash

Compiled by|Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng 888 )

Editor's Note: On June 5th, Beijing time, privacy project Zcash was revealed to have had a critical counterfeiting vulnerability in its new-generation privacy pool, Orchard. The Zcash token, ZEC, briefly plummeted by half, hitting a low near $250. After about ten days of developments, market panic has somewhat subsided, ZEC's price has recovered somewhat, and it returned to $500 today.

This morning, Zcash founder Zooko Wilcox once again published a lengthy post responding to market concerns. He stated that the Orchard vulnerability was likely not previously exploited, and legitimate Orchard funds can be recovered; currently, users cannot independently verify whether the Zcash supply has been inflated, but the Ironwood upgrade will seal the Orchard pool, restoring this verification capability; ongoing audits have not discovered other counterfeiting vulnerabilities, but more work is needed to be completely certain.

The following is the original text by Zooko Wilcox, compiled by Odaily Planet Daily, enjoy~

————————————

The recent Orchard vulnerability has raised important questions about Zcash's supply and the safety of user funds. The discussion has mingled several distinct issues, making it difficult to understand the actual impact of the vulnerability on users. This article attempts to separate these questions and explain what they each mean for users.

The Orchard vulnerability raises four important questions:

Was the Orchard vulnerability ever exploited?
Can legitimate Orchard funds be recovered?
Can users verify that Zcash's supply has not been inflated?
How do we know there are no other counterfeiting vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We believe it's unlikely to have been exploited before, though we cannot rule it out entirely. We think the vulnerability was likely *not* exploited for three reasons:

Despite years of ongoing review by many of the world's top cryptographers and security researchers, the vulnerability was not previously discovered. Its eventual discovery was not accidental; it was found by Taylor Hornby of Shielded Labs with the explicit purpose of proactively identifying such security vulnerabilities before a malicious attacker could. Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to find subtle flaws that others might miss. Doing this would be even more difficult for someone not deeply familiar with the Zcash codebase.

Once the vulnerability was discovered, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deployed a fix, thereby limiting the opportunity window for any attack.

Cryptocurrency exploits are common, and attackers typically seek to cash out as quickly as possible, especially after a vulnerability becomes public. For an attacker to profit from this vulnerability, they would need to exchange counterfeit ZEC for valuable assets, which would typically involve ZEC leaving the Orchard pool via the turnstile mechanism. If the vulnerability had been exploited before the fix, we would expect to have seen evidence by now. Historically, cryptocurrency exploits are usually "smash-and-grab" operations, not "4D chess" strategies hidden for months or years.

Can legitimate Orchard funds be recovered?

We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

On the other hand, if counterfeiting *did* occur in Orchard, the existing turnstile mechanism would limit the total amount migrated to the amount of ZEC that legitimately entered the pool. Therefore, if counterfeit funds were migrated ahead of legitimate funds, users would be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, moving their ZEC out of Orchard is still advised. But before doing so, they should understand the following:

Moving funds to a transparent pool (i.e., to a t-address) reveals both the amount and the timing of the transfer, and these funds become publicly linked to that t-address.
Moving funds from the Orchard pool to the Sapling pool reveals the amount and timing of the transfer, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
The Sapling pool relies on a trusted setup ceremony performed in 2018. Relying on the security of that trusted setup is an additional risk users should note.
To our knowledge, YWallet and Zkool are currently the only widely used, self-custody Zcash wallets that support the Sapling pool.
Moving funds to a new wallet or a custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen problems.

Overall, we consider the above risks moderate. If your funds are currently in a shielded, self-custody wallet, leaving them there is a reasonable choice given our assessment that prior counterfeiting was unlikely. If you have a secure way to move them elsewhere, that could also be reasonable. Users may reasonably reach different conclusions based on their circumstances.

Can users verify that Zcash's supply has not been inflated?

Not yet. The prior existence of this vulnerability meant users could not independently verify that the ZEC circulating in the current shielded pools did not exceed the correct amount.

However, as we noted in a previous post, the Ironwood upgrade restores this capability. The diagram below illustrates why.

The proposed network upgrade addresses this by adding the guarantee that "no more unknown counterfeiting vulnerabilities exist" and by sealing the Orchard pool. New funds can no longer enter, and funds within the pool can no longer circulate. The only remaining path is to leave via the existing turnstile mechanism, which ensures that no more ZEC can leave the Orchard pool than legitimately entered it.

This change restores the ability to verify the soundness of the Zcash supply.

Currently, if counterfeit funds exist in the Orchard pool, they can continue to circulate within the pool. After the upgrade, this is no longer possible. Regardless of whether counterfeiting ever happened, anyone running a node will be able to verify that no more ZEC is in circulation than the correct amount.

Users won't need to wait for funds to migrate out of Orchard, or infer what attackers or other users might have done. The protocol itself provides a verifiable guarantee that excess ZEC cannot continue circulating within Orchard and inflating the supply.

This is important because Zcash's long-term credibility depends on users being able to independently verify the soundness of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limit is being enforced.

How do we know there are no other counterfeiting vulnerabilities?

We are not yet completely certain, but we have reasons to believe there are none. Shielded Labs and multiple other teams have been carefully reviewing the Zcash protocol for additional counterfeiting vulnerabilities. This includes using a yet-to-be-released Mythos AI model to search for additional vulnerabilities, with help from Anthropic, shortly before Mythos was paused. We plan to share more details about this review and its findings in a follow-up blog post.

So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us greater confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are working with projects like the Tachyon Project to provide additional assurance that there are no more counterfeiting vulnerabilities in Zcash. We will elaborate on this in future blog posts as well.

Conclusion

The Orchard vulnerability presents four important questions: Was the vulnerability exploited, can legitimate Orchard funds be recovered, can users verify that Zcash's supply has not been inflated, and are there other undiscovered counterfeiting vulnerabilities.

We believe it was likely not exploited previously, and therefore legitimate Orchard funds are recoverable and the current Zcash supply is safe. We are also increasingly confident, based on ongoing reviews by multiple independent researchers and teams, that there are no other undiscovered counterfeiting vulnerabilities. However, users currently cannot verify the safety of the Zcash supply, and they should not have to rely on our assessment—or anyone else's.

The proposed network upgrade solves this. By sealing the Orchard pool, it restores users' ability to independently verify the safety of the Zcash supply. Users no longer need to judge whether counterfeiting occurred in order to verify that the protocol's supply limits are being upheld.

The Foundation of SpaceX's Trillion-Dollar Valuation: Who is Dividing Up Musk's Annual Tens of Billions in Capital Expenditure?

SpaceX's trillion-dollar valuation is built on its three core businesses: Starlink (profitable, 60% of revenue), rockets (driving down launch costs), and AI (a major investment area). This creates a financial cycle: Starlink funds rocket development, which enables low-cost launches for AI hardware, generating future revenue. This cycle fuels annual capital expenditures of tens of billions, flowing to a vast supply chain. Suppliers are categorized by their replaceability. The first group includes irreplaceable players like NVIDIA (GPU/CUDA ecosystem), Eutelsat (critical radio spectrum), Filtronic (specialized amplifiers), Materion (strategic beryllium), and STMicroelectronics (antenna chips). The second group consists of hard-to-replace suppliers due to high switching costs, such as Honeywell (flight control), Carpenter Technology (specialty alloys), Hexcel (carbon fiber), Broadcom (data exchange), and Linde (industrial gases). The third group comprises high-volume, cost-critical suppliers for mass-produced items like Starlink terminals. Key names include Wistron NeWeb (primary manufacturer) and several A-share companies like Shenzhen Sunway (connectors), Pies New Materials (forgings), Western Superconducting (alloys), and Yingliu (castings). Other niche players include Trimble (timing), Astronics (power distribution), and CTS (thermal management). The article argues that investing in these suppliers, rather than SpaceX stock directly, offers an alternative opportunity. The rationale is threefold: procurement is just beginning to scale, SpaceX's IPO brings new transparency to its supply chain, and the situation mirrors early stages of past "super terminal" ecosystems like Apple or Tesla. While risks exist (commodity cycles, geopolitical factors, technology shifts), the core thesis is that SpaceX's massive, ongoing procurement will translate into reliable revenue for its key suppliers, regardless of its own stock price volatility.

marsbit8m ago

The Foundation of SpaceX's Trillion-Dollar Valuation: Who is Dividing Up Musk's Annual Tens of Billions in Capital Expenditure?

marsbit8m ago

SpaceX's Trillion-Dollar Valuation Base: Who's Sharing in Musk's Annual Tens of Billions in Capital Expenditure?

**Title: The Foundation of SpaceX's Trillion-Dollar Valuation: Who Benefits from Musk's Annual $100 Billion Capital Expenditure?** This article argues that investors seeking to benefit from SpaceX's growth might find greater opportunities in its supply chain rather than directly investing in the company itself, drawing parallels to historical successes with Apple, Tesla, and NVIDIA suppliers. **SpaceX's Business Model & Cash Flow:** SpaceX generates revenue from three main areas: 1. **Starlink:** Its profitable core, earning $11.3B in 2023 (60% of revenue), funding other ventures. 2. **Rockets (Falcon/Starship):** Requires $3B+ in annual R&D but achieves the world's lowest launch costs. 3. **AI:** Currently unprofitable (-$6B+ in 2023), investing heavily in ground-based supercomputers (220,000 GPUs) and future orbital data centers. The cycle is: Starlink profits → fund cheaper rockets → low-cost launches deploy AI hardware → AI compute rentals generate future revenue. This cycle drives annual procurement spending of tens of billions of dollars. **The Supply Chain Beneficiaries:** Suppliers are categorized by their replaceability: **1. Nearly Irreplaceable (High Barriers to Entry):** * **NVIDIA:** Powers the Colossus supercomputer; its CUDA ecosystem creates immense switching costs. * **Eutelsat (SATS):** Controls critical radio spectrum for satellite communications; holds a ~3% stake in SpaceX. * **Filtronic (FTC):** Supplies millimeter-wave signal amplifiers for Starlink satellites; SpaceX constitutes 83% of its revenue. * **Materion (MTRN):** Global leader in beryllium production, a strategic material used in Starship structures. * **STMicroelectronics (STM):** Supplies phased-array antenna chips for Starlink satellites. **2. Replaceable, but Switching Cost is Prohibitively High:** * **Honeywell (HON):** Provides flight control and inertial navigation systems with decades of certification. * **Carpenter Technology (CRS):** Manufactures ultra-pure specialty steel alloys for Raptor engines. * **Hexcel (HXL):** Supplies custom carbon fiber composites developed over a decade with SpaceX. * **Broadcom (AVGO):** Manages high-speed data switching. * **Linde Group:** Supplies industrial gases (liquid oxygen/nitrogen) from facilities built near SpaceX launch sites. **3. High-Volume, Cost-Critical Manufacturing:** Focuses on mass-producing components like Starlink user terminals (target: 30 million units). * **Key Players:** Wistron NeWeb (6285, primary terminal manufacturer), several Chinese A-share companies (e.g., Sunway Communication, PAX New Materials, Western Metal Materials, Yingliu Co.), and smaller US firms like Trimble (TRMB, timing systems). **Why Now?** Three factors make the supply chain opportunity timely: 1. **Volume Ramp-Up:** SpaceX plans 100 launches in 2026, aims for 30 million Starlink terminals, and will deploy AI data centers, meaning procurement will accelerate. 2. **Increased Transparency:** The IPO provides public financial data, allowing investors to track supplier order growth. 3. **Historical Precedent:** The current phase is likened to Tesla's early mass-production stage (circa 2018), suggesting a long growth runway for suppliers. **Conclusion:** The article posits that while investing in SpaceX stock is betting on Elon Musk's ambitious vision at a high valuation, investing in its established suppliers is a bet on the tangible, recurring revenue from its massive procurement budget, which is largely decoupled from day-to-day stock price volatility.

链捕手11m ago

SpaceX's Trillion-Dollar Valuation Base: Who's Sharing in Musk's Annual Tens of Billions in Capital Expenditure?

链捕手11m ago

World Cup Upset! Polymarket User Loses Nearly $1 Million

A prediction market trader lost nearly $1 million after underdog Cape Verde held soccer powerhouse Spain to a 0-0 draw in their World Cup group stage match. On Polymarket, a user named "betoor619" had built a roughly $1.1 million position when Spain's implied win probability was around 92%, a low-risk, low-return strategy that backfired spectacularly. The result defied models like Goldman Sachs', which gave Spain a 25% championship probability. Cape Verde's 40-year-old goalkeeper, Vozinha, was the hero with seven key saves. The event highlights the growing scale of crypto-based prediction markets like Polymarket, where total trading volume for this single match reached $64 million.

marsbit12m ago

World Cup Upset! Polymarket User Loses Nearly $1 Million

marsbit12m ago

The U.S. Government Blocked the Anthropic Model. It Wasn't About 'Jailbreaking' at All.

Last Friday, the U.S. Commerce Department issued an enforcement letter that forced Anthropic to take its two most advanced AI models, Fable 5 and Mythos 5, offline. The stated reason was unspecified national security concerns, initially linked to potential "jailbreaks" of the models' safeguards. However, new details suggest the action stemmed more from a deteriorating relationship between the Trump administration and Anthropic, rather than a genuine technical threat. According to reports, the government cited a little-known export control regulation, compelling Anthropic to block access for all non-U.S. persons, including its own international employees. The company complied, shutting down the models without a court order or specific technical details from the government. Cybersecurity expert Katie Moussouris revealed she was privately shown a research paper detailing a potential safeguard bypass in Fable 5. She argued the described method was minor and did not warrant an export ban, stating that attempts to "fix" it would only weaken the model's defensive capabilities. Moussouris and other experts have since called for the order to be revoked, warning it dangerously removes advanced cybersecurity tools from U.S. defenders. Analysts like Justin Hendrix suggest the move appears retaliatory and sets a dangerous precedent, signaling that the U.S. government can unilaterally shut down a tech company's products. The incident has raised concerns about the reliability of American AI and the potential for political interference in the tech industry, serving as a warning to the broader sector.

marsbit15m ago

The U.S. Government Blocked the Anthropic Model. It Wasn't About 'Jailbreaking' at All.

marsbit15m ago

Ray Dalio: AI Bull Market Continues to Soar, Should Investors Go All In or Cash Out and Leave the Field?

In his latest notes, Ray Dalio addresses a critical question for investors amid the AI-driven stock market surge: how should one allocate assets during a transformative technological revolution? Dalio emphasizes that technological advancement does not automatically make related stocks attractive. Historical tech cycles—marked by excitement, crowding, volatility, and eventual shakeouts—show that even long-term winners like Microsoft and Apple experienced severe drawdowns. Today's AI sector faces similar uncertainties: overinvestment, intensifying competition, geopolitical tensions (e.g., Taiwan's chip supply), tax policy shifts, anti-AI sentiment, and potential disruption from future technologies like quantum computing. Dalio's core argument focuses on the highly concentrated market structure, where a few tech giants dominate major indices. He warns investors against unknowingly holding concentrated, correlated exposures. Instead of chasing a handful of AI leaders, he advocates for a robust, diversified portfolio of 15 or more high-quality, uncorrelated investments, risk-balanced to match an investor's volatility tolerance. Mathematically, such diversification significantly improves the risk-return ratio—for example, holding 15 uncorrelated assets can boost the ratio by over four times compared to a single concentrated bet. Dalio cautions that future equity returns appear low, with his bubble indicator suggesting real returns could be negative over the next 5-10 years. He stresses that knowing what you don't know is as important as knowing what you do. In an environment of high uncertainty and concentration, avoiding large, concentrated bets on AI stocks is prudent. The optimal strategy is disciplined diversification—the "holy grail" of investing—to navigate this technologically driven cycle with lower risk and comparable or better returns.

marsbit18m ago

Ray Dalio: AI Bull Market Continues to Soar, Should Investors Go All In or Cash Out and Leave the Field?