Four Questions on the Zcash Orchard Vulnerability: Was It Exploited? Can Funds Be Recovered? Is the Supply Verifiable? And Are There Others?

marsbit | Published on 2026-06-15 | Last updated on 2026-06-15

Abstract

Zcash Orchard Bug: Four Key Questions Answered

A critical counterfeiting vulnerability was discovered in Zcash's Orchard shielded pool, raising four major questions for users.

  1. Was the Orchard bug exploited? The likelihood is considered low. The bug was found proactively with AI-assisted tooling and was promptly patched, limiting any potential attack window. If exploitation had occurred, evidence would likely have surfaced by now.
  2. Can legitimate Orchard funds be recovered? Probably, given the assessment that the bug was not exploited. If counterfeiting did happen, the existing "turnstile" mechanism could prevent full recovery of legitimate funds if counterfeit coins were moved out first, though this scenario is considered unlikely. Users can choose to move their funds, but this carries its own risks, such as loss of privacy or problems with a new wallet or software.
  3. Can users verify Zcash's total supply? Currently, no. The prior existence of the vulnerability prevents independent verification of the shielded supply. The proposed "Ironwood" network upgrade restores this ability by sealing the Orchard pool, so that anyone running a node can verify that the circulating ZEC does not exceed the correct amount.
  4. Are there other counterfeiting bugs? Ongoing intensive audits by multiple teams, including AI-assisted analysis, have not found additional counterfeiting vulnerabilities, increasing confidence that none remain. Further work and collaborations are planned to provide additional assurance.

In co...

Original Authors: Jason McGee, CEO of Shielded Labs; Zooko Wilcox, Founder of Zcash

Compiled by: Odaily Planet Daily, Qin Xiaofeng (@QinXiaofeng 888)

Editor's note: On June 5 (Beijing time), it was reported that Zcash, the privacy-focused cryptocurrency project, had a critical counterfeiting vulnerability in its latest-generation shielded pool, Orchard. The price of Zcash's native token, ZEC, fell by nearly half, hitting a low of around $250. After about ten days of developments, market panic has somewhat subsided and the price of ZEC has rebounded, returning to $500 today.

This morning, Zcash founder Zooko Wilcox published another lengthy article responding to the market's key concerns. He stated that the Orchard vulnerability was very likely never exploited, and that legitimate Orchard funds can be recovered. Currently, users cannot independently verify whether the Zcash supply exceeds its limit, but the upcoming Ironwood upgrade will seal the Orchard pool and restore this verification capability. Ongoing audits have not uncovered other counterfeiting vulnerabilities, but absolute certainty will require more work.

Below is the full text by Zooko Wilcox, as compiled by Odaily Planet Daily.

————————————

The recent Orchard vulnerability has raised critical questions about Zcash's supply and user fund safety. The discussion has conflated several distinct issues, making it difficult to understand the practical impact of the vulnerability on users. This article attempts to separate these questions and explain what each means for users.

The Orchard vulnerability raises four major questions:

  1. Was the Orchard vulnerability ever exploited?
  2. Can legitimate Orchard funds be recovered?
  3. Can users verify that the Zcash supply has not been inflated?
  4. How do we know there aren't other counterfeiting vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We consider it unlikely that it was exploited previously, though we cannot rule it out entirely. We believe the vulnerability likely went unused for three reasons:

Despite years of continuous scrutiny by top cryptographers and security researchers worldwide, the vulnerability was not previously discovered. Its discovery was not accidental: it was found by Taylor Hornby of Shielded Labs, who was searching with the express purpose of proactively identifying such security flaws before malicious actors could. Taylor used advanced AI-assisted security research techniques and custom-built tools designed specifically to find subtle flaws that others might miss, a task that would be more difficult for anyone not deeply familiar with the Zcash codebase.

Upon discovery, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deployed a fix, limiting any potential attack window.

Cryptocurrency exploits are common, and attackers typically cash out as quickly as possible, especially after a vulnerability is made public. For an attacker to profit from this vulnerability, they would need to exchange forged ZEC for valuable assets, which usually involves moving ZEC out of the Orchard pool via the turnstile mechanism. Had the vulnerability been exploited before the fix, we would expect evidence to have surfaced by now. Historically, cryptocurrency exploits tend to be "smash-and-grab" operations rather than "4D chess" strategies hidden for months or years.

Can legitimate Orchard funds be recovered?

We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

Conversely, if counterfeiting did occur within Orchard, the existing turnstile mechanism limits the total amount that can be migrated out to the amount of ZEC that legitimately entered the pool. Therefore, if counterfeit funds are migrated out before legitimate funds, users may be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, moving their ZEC out of Orchard is still advised. Before doing so, they should understand the following:

  • Moving funds to a transparent pool (i.e., to a t-address) exposes both the transaction amount and the time of the transaction, and the funds become publicly linked to that t-address.
  • Moving funds from the Orchard pool to the Sapling pool exposes the transaction amount and time, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
  • The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on the security of this trusted setup is an additional risk users should be aware of.
  • To our knowledge, YWallet and Zkool are currently the only widely used, self-custodial Zcash wallets that support the Sapling pool.
  • Moving funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.

Overall, we consider these risks moderate. If your funds are currently in a shielded, self-custodial wallet, leaving them there is a reasonable choice, given our assessment that prior forging is unlikely. If you have a secure way to move them, that may also be reasonable. Users may arrive at different conclusions based on their own circumstances.

Can users verify that the Zcash supply has not been inflated?

Not currently. The prior existence of the vulnerability prevents users from independently verifying that the ZEC circulating in the current shielded pools does not exceed the correct amount.

However, as we indicated in our previous post, the Ironwood upgrade restores this ability. The diagram below illustrates why.

The proposed network upgrade addresses this by adding a guarantee that "no further unknown counterfeiting vulnerabilities exist" and by sealing the Orchard pool. New funds cannot enter, and funds within the pool cannot circulate. The only remaining path is exiting via the existing turnstile mechanism, which ensures that no more ZEC leaves the Orchard pool than legitimately entered it.

This change restores the ability to verify the soundness of Zcash's supply.

Currently, if counterfeit funds exist within the Orchard pool, they can continue to circulate within it. After the upgrade, this is no longer possible. Regardless of whether counterfeiting occurred, anyone running a node can verify that no more ZEC is circulating than the correct amount.

Users don't need to wait for funds to migrate out of Orchard or speculate on potential actions by attackers or other users. The protocol itself provides a verifiable guarantee: excess ZEC cannot continue circulating within Orchard to inflate the supply.

This is crucial because Zcash's long-term credibility depends on users' ability to independently verify the soundness of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limit is enforced.
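The turnstile accounting behind the recovery caveat earlier on this page (counterfeit funds migrating out before legitimate ones) and the sealed-pool argument in this section can be made concrete with a small model. The following Python is an added example, not code from Zooko's post or from the Zcash implementation. It assumes a ZIP 209-style rule (the chain tracks each shielded pool's value balance and rejects any transaction that would drive it negative) and models sealing in the simplest form consistent with the text: after activation, a transaction touching Orchard must be a net withdrawal that creates no Orchard notes. The page does not specify Ironwood's exact consensus rules, so that shape is an assumption, as are the amounts and the notes_spent/notes_created bookkeeping, which stands in for values a real validator never sees.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OrchardTx:
    """A transaction's effect on the Orchard pool, split into what consensus sees
    and what only the note holders know (constructed model, not the Zcash tx format).

    value_balance : the only Orchard number validators see (like valueBalanceOrchard):
                    > 0 means ZEC exits Orchard (to transparent or Sapling), < 0 means
                    ZEC enters, 0 means a purely internal Orchard-to-Orchard transfer.
    notes_spent   : true value of the Orchard notes consumed (hidden by the zk proof).
    notes_created : true value of the new Orchard notes (hidden by the zk proof).
    An honest transaction satisfies value_balance == notes_spent - notes_created;
    a counterfeiting bug lets a prover violate that while the proof still verifies.
    """
    value_balance: int
    notes_spent: int
    notes_created: int

    def is_honest(self) -> bool:
        return self.value_balance == self.notes_spent - self.notes_created


class OrchardLedger:
    """Consensus-visible pool balance (the turnstile) next to the true note set."""

    def __init__(self) -> None:
        self.pool_balance = 0   # running sum of -value_balance; the turnstile keeps it >= 0
        self.true_notes = 0     # real unspent Orchard value; no validator can compute this
        self.sealed = False     # set by the (assumed) Ironwood activation
        self.rejections = []

    def apply(self, tx: OrchardTx) -> bool:
        # Sealed-pool rule (assumed form of Ironwood): nothing may enter or circulate,
        # so a transaction touching Orchard must be a net withdrawal that creates no
        # Orchard notes. The model treats "no new notes" as publicly enforced after sealing.
        if self.sealed and (tx.notes_created > 0 or tx.value_balance <= 0):
            self.rejections.append(f"sealed pool: {tx}")
            return False
        # Turnstile rule (ZIP 209 style): cumulative exits never exceed cumulative entries.
        if self.pool_balance - tx.value_balance < 0:
            self.rejections.append(
                f"turnstile: exit of {tx.value_balance} exceeds pool balance {self.pool_balance}")
            return False
        self.pool_balance -= tx.value_balance
        self.true_notes += tx.notes_created - tx.notes_spent
        return True

    def hidden_excess(self) -> int:
        """Counterfeit value still inside the pool; zero unless a bug was used."""
        return self.true_notes - self.pool_balance


def forger_exits_first() -> dict:
    """Scenario 1: a counterfeiter drains the turnstile before an honest user exits."""
    ledger = OrchardLedger()
    ledger.apply(OrchardTx(-100, 0, 100))             # Alice shields 100 ZEC (constructed)
    ledger.apply(OrchardTx(-100, 0, 100))             # Bob shields 100 ZEC (constructed)
    forged = OrchardTx(0, 0, 500)                     # hypothetical bug: 500 ZEC from nothing
    forged_accepted = ledger.apply(forged)            # indistinguishable from an internal transfer
    drain_all = ledger.apply(OrchardTx(500, 500, 0))  # turnstile: only 200 ever entered
    drain_200 = ledger.apply(OrchardTx(200, 200, 0))  # fits under the turnstile
    alice_exit = ledger.apply(OrchardTx(100, 100, 0)) # Alice's legitimate 100 is now stuck
    return {
        "forged_looks_honest_to_chain": forged.value_balance == 0 and not forged.is_honest(),
        "forged_accepted": forged_accepted,
        "drain_all": drain_all,
        "drain_200": drain_200,
        "alice_exit": alice_exit,
        "pool_balance": ledger.pool_balance,
        "stranded_value": ledger.true_notes,
    }


def sealed_pool_bounds_supply() -> dict:
    """Scenario 2: after sealing, excess can neither enter nor circulate; exits are capped."""
    ledger = OrchardLedger()
    ledger.apply(OrchardTx(-100, 0, 100))             # Alice shields 100 ZEC (constructed)
    ledger.apply(OrchardTx(0, 0, 500))                # hypothetical counterfeit, before sealing
    moved = ledger.apply(OrchardTx(0, 300, 300))      # pre-seal internal transfer still circulates
    ledger.sealed = True
    deposit = ledger.apply(OrchardTx(-50, 0, 50))     # rejected: nothing may enter
    internal = ledger.apply(OrchardTx(0, 100, 100))   # rejected: nothing may circulate
    exit_60 = ledger.apply(OrchardTx(60, 60, 0))      # allowed: 60 <= the 100 that entered
    exit_41 = ledger.apply(OrchardTx(41, 41, 0))      # rejected: only 40 left on the turnstile
    return {
        "pre_seal_internal_transfer": moved,
        "deposit": deposit, "internal": internal, "exit_60": exit_60, "exit_41": exit_41,
        "max_orchard_contribution_to_supply": ledger.pool_balance,  # what any node can verify
        "hidden_excess_still_inside": ledger.hidden_excess(),        # can never leave the pool
    }


if __name__ == "__main__":
    print(forger_exits_first())
    print(sealed_pool_bounds_supply())
```

Running it shows the two facts the text relies on: a counterfeiter's notes look exactly like an internal transfer to the chain, but can only ever leave up to the pool balance, so whoever exits first wins the race; and once the pool is sealed, that balance becomes a hard upper bound on what Orchard can ever add to circulating supply, which any node can check without knowing whether counterfeiting happened.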

How do we know there aren't other counterfeiting vulnerabilities?

We can't be completely certain yet, but we have reason to believe none exist. Shielded Labs and multiple other teams have been meticulously auditing the Zcash protocol for other counterfeiting vulnerabilities. This includes using a not-yet-released Mythos AI model, with assistance from Anthropic, to search for additional vulnerabilities shortly before Mythos was paused. We plan to share more details about this audit and its findings in a future blog post.

So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us increased confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are collaborating with projects like the Tachyon Project to provide additional assurance that no more counterfeiting vulnerabilities exist in Zcash. We will elaborate on this in future posts as well.

Conclusion

The Orchard vulnerability presents four key questions: Was it exploited? Can legitimate Orchard funds be recovered? Can users verify that Zcash's supply hasn't been inflated? And are there other undiscovered counterfeiting vulnerabilities?

We believe prior exploitation is unlikely; therefore legitimate Orchard funds are recoverable, and the current Zcash supply is safe. Based on ongoing audits by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered counterfeiting vulnerabilities exist. However, users cannot currently verify the security of Zcash's supply, and they shouldn't have to rely on our assessment, or anyone else's.

The proposed network upgrade solves this. By sealing the Orchard pool, it restores users' ability to independently verify the security of Zcash's supply. Users no longer need to judge whether counterfeiting occurred in order to verify that the protocol's supply limit is being obeyed.

Related Questions

Q: According to the article, what are the four main questions raised by the Orchard vulnerability?

A: The four main questions are: 1) Was the Orchard vulnerability exploited before? 2) Can legitimate Orchard funds be recovered? 3) Can users verify that the Zcash supply has not been inflated? 4) How do we know there are no other counterfeiting vulnerabilities?

Q: What reasons does Zooko Wilcox give for believing the Orchard vulnerability was likely not exploited?

A: Three reasons are given: 1) The vulnerability was only discovered using advanced AI-assisted research and custom tools, making it hard to find. 2) Developers quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, limiting the attack window. 3) Cryptocurrency exploits are typically "smash-and-grab" operations; if it had been exploited, evidence would likely have surfaced by now.

Q: What solution does the proposed Ironwood upgrade provide regarding the Zcash supply?

A: The Ironwood upgrade seals the Orchard pool, preventing new funds from entering and existing funds from circulating within it. The only remaining path is to exit via the turnstile mechanism, which ensures no more ZEC leaves the pool than legitimately entered. This restores users' ability to independently verify the soundness of the Zcash supply.

Q: What risks are mentioned for users who choose to move their funds out of the Orchard pool?

A: Risks include: exposing the transaction amount and time when moving to a transparent address (t-address), with the funds publicly linked to that address; exposing amount and time when moving to Sapling (though without linking to a specific address or history); relying on Sapling's 2018 trusted setup ceremony; limited wallet support (YWallet, Zkool); and introducing the risk of user error, software bugs, custodian risk, or other unforeseen issues with new wallets or services.

Q: What work has been done to check for other counterfeiting vulnerabilities, and what is the current assessment?

A: Shielded Labs and other teams have been conducting careful audits, including using an unreleased Mythos AI model, with assistance from Anthropic, to search for additional vulnerabilities. So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved provides increased confidence that no similar vulnerabilities remain undetected, though this is not yet considered completely certain.
