Behind ZEC's Over 30% Plunge: An 'Unlimited Minting' Vulnerability with No Way to Prove if It Was Ever Exploited

marsbit | Published 2026-06-05 | Updated 2026-06-05

Introduction

A critical vulnerability was discovered in Zcash's Orchard privacy pool, allowing for the theoretical creation of undetectable counterfeit ZEC. Researcher Taylor Hornby found the flaw on May 29th, 2024, within the Orchard circuit's cryptographic constraints, which could let an attacker bypass asset conservation rules. Although a rapid emergency fix was deployed within days via a coordinated soft and hard fork, a core uncertainty remains: due to Orchard's privacy features, it is impossible to cryptographically prove whether this "unlimited mint" flaw was exploited in the nearly four years since the pool's 2022 launch. This uncertainty, rather than the patched flaw itself, triggered a market panic, causing ZEC's price to drop over 30%. While the Zcash Foundation stated no evidence of exploitation was found, independent entity Shielded Labs emphasized the impossibility of definitively proving no counterfeit ZEC was ever created. The incident highlights the unique trust challenge in privacy systems. To address this, developers are proposing a new network upgrade with enhanced auditing to allow verifiable proof of supply integrity. Notably, the researcher utilized the newly released AI model Claude Opus 4.8 as a tool during the security review, signaling the growing role of advanced AI in uncovering complex cryptographic vulnerabilities.

On June 5th, Zcash founder Zooko Wilcox published a rare, detailed security retrospective.

The article disclosed that security researcher Taylor Hornby discovered a severe forging vulnerability in Orchard, Zcash's latest generation privacy pool, on May 29th. An attacker could construct a transaction that should not have passed validation, generating unlimited and undetectable counterfeit ZEC within Orchard.

This was not merely a theoretical risk. Taylor had already written a complete exploit program in a local test environment, successfully generating counterfeit ZEC. If the same program were deployed on the mainnet, an attacker could theoretically generate an unlimited quantity of counterfeit assets in their own mainnet wallet.

After the news became public, ZEC plunged by over 30%. Data from CoinMarketCap shows ZEC hit a 24-hour low of $408.39, down about one-third from its recent high of $610.47. Unfortunately, ZEC had recently been one of the few crypto assets delivering strong gains, backed by a promising narrative that many industry leaders favored; this vulnerability has now shattered that.

If one only looks at the outcome, this seems like another familiar crypto security incident: a vulnerability is discovered, developers rush to patch it, and the market panics.

However, the truly thorny aspect of the Orchard incident is that, while the vulnerability has been patched, the Zcash community cannot directly answer another, more sensitive question:

Has anyone exploited this vulnerability in the past four years?

Four-Day Emergency Patch, Orchard Briefly Suspended

Orchard is Zcash's next-generation privacy payment protocol launched in 2022 and one of the primary privacy pools currently used by Zcash. Users can hide balances, transaction amounts, and fund flows, while proving to the network via zero-knowledge proofs that transactions comply with the rules.

According to the timeline disclosed by Zooko, Shielded Labs, and the Zcash community, Taylor discovered anomalies during a targeted security audit of the Orchard circuit on May 29th and immediately privately disclosed the vulnerability to the Zcash Open Development Lab (ZODL). Shielded Labs is an independent, donation-funded Zcash ecosystem support organization based in Switzerland, long involved in Zcash's protocol development, security, and network sustainability efforts, and is not affiliated with the Zcash Foundation or ZODL.

ZODL engineers confirmed the issue was genuine within hours of receiving the report and began seeking a fix. To avoid exposing the vulnerability's details by directly releasing a code patch, the team first chose to temporarily shut down Orchard: prohibiting the creation of new Orchard outputs and the spending of funds already within Orchard.

After coordinating upgrades among developers, miners, node operators, exchanges, and infrastructure providers, an emergency soft fork took effect on June 2nd. Subsequently, Zcash performed a hard fork upgrade to update the verification key for the Orchard circuit and restored Orchard functionality on June 3rd. Transparent addresses and the Sapling privacy pool continued to operate during this period.

The entire process, from disclosure to remediation, took only a few days. In terms of emergency response speed, this was a remarkably successful handling.

But the market did not calm down just because the vulnerability was fixed: the fix addresses the future, not the past.

The Market Fears Not a Future Attack, But That an Attack May Have Already Happened

Ordinary security incidents usually have a relatively clear scale of loss. For a hacked smart contract, on-chain tracking can reveal how much the attacker moved; a cross-chain bridge vulnerability allows for tracking fund flows and affected addresses.

The Orchard incident is different.

According to Shielded Labs' explanation, this vulnerability could be used to generate unlimited and undetectable counterfeit ZEC within Orchard. Due to Orchard's inherent privacy properties, it is impossible for outsiders to cryptographically prove definitively whether this attack vector was exploited before the fix.

This means the market is not facing a determined loss figure but a kind of unquantifiable uncertainty:

If someone indeed found and exploited the vulnerability in the past, does counterfeit ZEC already exist within Orchard? If it exists, what is the scale? Do these assets remain in the privacy pool? Have they gradually leaked out through normal transactions?

More importantly, this risk window did not just open on May 29th. Shielded Labs stated that the vulnerability had existed since Orchard's launch in May 2022, until the emergency fix was completed in June 2026. In other words, the problem lay dormant for nearly four years.

What the market truly fears is not what happened between May 29th and June 2nd, but whether undetectable anomalies occurred during those past four years.

This is also the core reason behind ZEC's plunge of over 30%.

The market is selling off not just a vulnerability, but a repricing of the credibility of the supply.

How a Missing Mathematical Constraint Evolved into an 'Unlimited Minting' Risk

Seeing the words 'unlimited minting vulnerability,' our first thought might be that hackers gained admin privileges or some kind of protocol backdoor.

The reality is more fundamental.

Orchard's security relies on a zero-knowledge proof circuit (Orchard circuit). Users can hide specific transaction details but must prove to the network that their transaction satisfies protocol rules. One of the most important rules is asset conservation: a transaction cannot create new value out of thin air.

Simply put, users don't have to reveal how much ZEC they have or how much they send to whom, but the network must be able to confirm that:

The assets spent indeed come from legitimate inputs.

The problem Taylor discovered lies in an elliptic curve multiplication check within the Orchard circuit.

Shielded Labs describes it as an 'under-constrained element,' meaning a circuit element with incomplete constraints. Because the relevant mathematical relationship was not fully constrained, an attacker could input arbitrary erroneous data into the elliptic curve multiplication process, yet the verification process might still return a pass.

In other words, the attacker doesn't need to crack cryptographic algorithms or control network nodes.

They only need to construct a set of data that should not hold, tricking the system into erroneously believing the transaction still satisfies asset conservation.

Once this false proof is accepted by the network, the non-existent ZEC can be treated as legitimate assets, remaining within Orchard.

This is why Shielded Labs used extremely severe wording:

unlimited, undetectable counterfeit ZEC

The truly dangerous part is not just 'unlimited,' but 'undetectable.'
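To make the "under-constrained element" idea concrete, here is a toy constraint system added for this article; it is a constructed illustration of the vulnerability class, not the Orchard circuit or the real Orchard bug. A range-check gadget built from bit decomposition is shown twice: once complete, and once with its booleanity constraints missing, which lets a witness that should not hold pass the asset-conservation check by wrapping around the field modulus.

```python
# Toy R1CS-style constraint system showing how one missing constraint lets a
# "should not hold" witness pass a value-conservation check. Constructed for
# illustration only; it is NOT the Orchard circuit or the actual Orchard bug.
P = 2**61 - 1     # toy prime field (Orchard uses the Pallas curve field, not this)
BITS = 4          # toy value range: every note value must fit in 4 bits
ONE = "one"       # witness variable fixed to the constant 1

def lin(w, form):
    """Evaluate a linear form {var: coeff} on witness w, in F_P."""
    return sum(coeff * w[var] for var, coeff in form.items()) % P

def satisfied(constraints, w):
    """Toy verifier: each constraint (A, B, C) holds iff (A.w) * (B.w) == (C.w)."""
    return all(lin(w, a) * lin(w, b) % P == lin(w, c) for a, b, c in constraints)

def range_gadget(name, constrain_bits):
    """Constraints meant to enforce name in [0, 2**BITS) via bit decomposition.
    With constrain_bits=False the booleanity constraints are omitted, so the
    gadget is under-constrained: any field elements summing to `name` pass."""
    cs = [({ONE: 1}, {f"{name}_b{i}": 2**i for i in range(BITS)}, {name: 1})]
    if constrain_bits:
        for i in range(BITS):
            b = f"{name}_b{i}"
            cs.append(({b: 1}, {b: 1, ONE: P - 1}, {}))   # b * (b - 1) == 0
    return cs

def balance_circuit(constrain_bits):
    """Asset conservation: in0 + in1 == out0 + out1 (mod P), values range-checked.
    Without a sound range check the modular equality can be met by wraparound."""
    cs = []
    for v in ("in0", "in1", "out0", "out1"):
        cs += range_gadget(v, constrain_bits)
    cs.append(({ONE: 1}, {"in0": 1, "in1": 1}, {"out0": 1, "out1": 1}))
    return cs

def witness(values, bits):
    """Assemble a witness from claimed note values and chosen bit columns."""
    w = {ONE: 1, **values}
    for name, bs in bits.items():
        for i, b in enumerate(bs):
            w[f"{name}_b{i}"] = b % P
    return w

def honest_bits(v):
    return [(v >> i) & 1 for i in range(BITS)]

def honest_witness():
    vals = {"in0": 5, "in1": 5, "out0": 7, "out1": 3}
    return witness(vals, {k: honest_bits(v) for k, v in vals.items()})

def forged_witness():
    """Spends 10, claims outputs 11 and P-1 (== -1 mod P): balance holds mod P,
    and out1's 'bits' are [P-1, 0, 0, 0], which no booleanity check ever sees."""
    vals = {"in0": 5, "in1": 5, "out0": 11, "out1": P - 1}
    bits = {k: honest_bits(v) for k, v in vals.items() if k != "out1"}
    bits["out1"] = [P - 1, 0, 0, 0]
    return witness(vals, bits)

def audit(constrain_bits):
    """Negative test an auditor would run: the known-bad witness must be rejected.
    Returns (honest_accepted, forged_accepted)."""
    cs = balance_circuit(constrain_bits)
    return satisfied(cs, honest_witness()), satisfied(cs, forged_witness())

if __name__ == "__main__":
    print("fully constrained (honest, forged):", audit(True))    # (True, False)
    print("under-constrained (honest, forged):", audit(False))   # (True, True)
```

The point of `audit` is the defender's check: a circuit test suite needs negative witnesses that exercise every constraint, because a verifier only ever answers "all constraints hold", never "the witness is the one you meant".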

An Important Distinction Lies Between Two Statements

In its post-upgrade announcement, the Zcash Foundation stated that there is currently no evidence the vulnerability was exploited, no detection of unauthorized value creation, and user funds and privacy remain unaffected. The announcement also emphasized that Zcash's existing Turnstile Accounting mechanism can track value flows between different pools and protect the 21 million ZEC total supply cap.

Meanwhile, Shielded Labs clearly stated that it is impossible to cryptographically prove that counterfeit ZEC never appeared in Orchard's history.

These two statements may seem contradictory but actually address two different levels of the problem.

Zcash's original Turnstile Accounting can be understood as a 'gate' between different asset pools. The system can count how much legitimate asset entered Orchard and limit the scale of assets that can flow out of Orchard.

Suppose Orchard originally contained only 1 million legitimate ZEC; even if an attacker counterfeited more assets inside, the system would not allow more than that legitimate amount to flow out. This helps prevent the total Zcash network supply cap from being easily breached.

But this mechanism cannot directly prove that counterfeit coins never appeared inside Orchard.

If counterfeit assets remain within Orchard, or gradually displace real assets within the permitted outflow quota, the original accounting mechanism cannot provide a definitive historical conclusion.

For what is arguably one of the oldest crypto privacy projects, all we know is that there is currently no evidence of abnormal minting; the community still cannot directly prove that counterfeit assets never existed within Orchard.

This is precisely the type of risk the market finds hardest to handle.

The problem is not how many counterfeit coins have been discovered, but that no one can definitively confirm they never existed.

How Can Zcash Prove There Are No Counterfeit Coins in Orchard?

Patching the vulnerability is only the first step.

Shielded Labs has stated it is working with other Zcash developers on a new network upgrade proposal. The plan includes deploying a new privacy pool and enforcing Turnstile Accounting for all assets migrating out of Orchard.

This is akin to setting up a new migration gate for Orchard.

Assets in the old Orchard wishing to enter the new privacy pool would need to complete migration according to verifiable rules. The system could re-count the scale of legitimate assets flowing out and determine if there are any extra ZEC that cannot be migrated normally.

If the upgrade proceeds smoothly, anyone could verify Zcash's supply integrity and further prove no counterfeit assets exist in Orchard.
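The following toy model, added here and not Zcash's implementation, illustrates both points above: why a turnstile caps what can leave a shielded pool (protecting the total supply) while leaving an observer unable to tell a clean pool from one holding forged notes, and why a counted migration gate out of the old pool can surface value that exceeds everything that ever entered. The pool, note values and amounts are constructed for illustration.

```python
# Toy model (constructed for illustration, not Zcash's code) of turnstile
# accounting: outsiders see only the gate counters, never the hidden notes.
from dataclasses import dataclass, field

@dataclass
class ShieldedPool:
    notes: list = field(default_factory=list)   # hidden note values (not observable)
    turnstile_in: int = 0                        # public: value that entered the pool
    turnstile_out: int = 0                       # public: value that left the pool

    def shield(self, amount):
        """Public value enters: counted at the gate, then held as a hidden note."""
        self.turnstile_in += amount
        self.notes.append(amount)

    def forge(self, amount):
        """Stand-in for a note created by a false proof: the gate counter is
        untouched, which is exactly why the turnstile cannot see it happen."""
        self.notes.append(amount)

    def unshield(self, amount):
        """Value leaves: refused once outflow would exceed net public inflow,
        so the 21M cap holds even if forged notes sit inside the pool."""
        if amount > self.turnstile_in - self.turnstile_out:
            return False
        if amount > sum(self.notes):          # prover must actually hold notes
            return False
        self._consume(amount)                 # real or forged: indistinguishable
        self.turnstile_out += amount
        return True

    def _consume(self, amount):
        remaining = amount
        while remaining > 0:
            n = self.notes.pop()
            if n > remaining:
                self.notes.append(n - remaining)   # change note stays hidden
                remaining = 0
            else:
                remaining -= n

    def observer_view(self):
        """Everything a chain observer can learn: the two gate counters."""
        return (self.turnstile_in, self.turnstile_out)

    def hidden_balance(self):
        """Only for this illustration; on-chain, nobody can compute this."""
        return sum(self.notes)

def migration_audit(pool, requested):
    """Proposed gate: all remaining value must exit through a counted turnstile
    into a new pool. Returns (migrated, excess); excess > 0 means holders are
    trying to migrate more value than ever entered the old pool."""
    allowance = pool.turnstile_in - pool.turnstile_out
    migrated = min(requested, allowance)
    return migrated, requested - migrated

def scenario(counterfeit):
    """Same public history in both runs; only the hidden notes differ."""
    pool = ShieldedPool()
    pool.shield(1_000)               # 1,000 legitimate units enter via the gate
    if counterfeit:
        pool.forge(5_000)            # forged notes, invisible to the gate
    ok_small = pool.unshield(600)    # within net inflow: accepted either way
    ok_large = pool.unshield(2_000)  # exceeds net inflow: refused either way
    return pool, ok_small, ok_large

if __name__ == "__main__":
    for flag in (False, True):
        pool, a, b = scenario(flag)
        print("counterfeit" if flag else "honest", pool.observer_view(), a, b,
              migration_audit(pool, pool.hidden_balance()))
```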

The significance of this plan is not just fixing code, but rebuilding market trust in Orchard.

Because in a privacy system, trust should not come from 'we think an attack didn't happen,' but from 'anyone can verify an attack didn't happen.'

Shielded Labs itself acknowledges the probability of prior malicious exploitation is low. The vulnerability was hidden for years and extremely difficult to discover; Taylor was actively searching for such issues in a dedicated security research project; after disclosure, the ecosystem quickly shut the attack window within days.

But Shielded Labs also emphasizes that users should not rely solely on the development team's subjective judgment.

The market needs proof.

Why Was a Four-Year-Old Vulnerability Discovered Now?

The Orchard incident has another detail easily overlooked by the market.

On May 28th, Anthropic released Claude Opus 4.8.

One day later, Taylor discovered the Orchard vulnerability.

According to the retrospective by Zooko and Shielded Labs, shortly after Opus 4.8's release, Taylor used it for a highly targeted audit of the Orchard circuit and discovered the issue on May 29th. Subsequently, with the assistance of Opus 4.8, he wrote a complete exploit program, generating unlimited, undetectable counterfeit ZEC in a local environment.

This detail is noteworthy not because AI can independently conduct cryptographic audits.

Public information does not support such an exaggerated conclusion.

Taylor himself is an experienced security researcher. Shielded Labs also mentioned he used a combination of traditional security research methods, a customized AI tool framework, and specifically designed prompts. Opus 4.8 was a crucial tool in the audit process, but not the only factor.

What is truly notable is that Taylor used not Anthropic's restricted-access, cybersecurity-focused model Claude Mythos Preview, but the newly publicly released general-purpose model Opus 4.8.

Anthropic positions Mythos Preview as an advanced model with significant vulnerability discovery and exploitation capabilities. Due to potential misuse risks, Anthropic did not release this model directly to the public but provides access to vetted partners via Project Glasswing.

In contrast, Opus 4.8 is a general-purpose model accessible to ordinary developers. Anthropic emphasized in its release notes its improvements in code analysis, complex task execution, and identifying code defects.

This makes the Orchard incident send an even more significant signal:

The capability to discover high-value vulnerabilities is diffusing from a few specialized security models to general-purpose models.

A general-purpose model released publicly for just one day, guided by a professional researcher, was able to participate in auditing a complex zero-knowledge proof circuit and help discover a critical vulnerability hidden for nearly four years.

This does not mean cryptography experts are no longer important.

On the contrary, Taylor's experience, choice of audit target, and ability to validate the model's output remain the core of the entire process.

But the combination of experts and AI is significantly lowering the cost of discovering complex vulnerabilities.

The Vulnerability is Closed, But the Market Still Awaits Answers

For Zcash, the most urgent attack window is closed.

Orchard functionality is restored, the verification circuit is updated, and there is currently no evidence the vulnerability was maliciously exploited.

But ZEC's plunge of over 30% indicates the market cares about more than just whether the code is fixed.

The market is still waiting for a more definitive answer:

In the past nearly four years, did counterfeit ZEC ever appear inside Orchard?

If the new privacy pool and Turnstile Accounting upgrade can be successfully implemented, the community will finally have a chance to prove supply integrity and rebuild market trust.

But until that proof is completed, the Orchard incident retains an unavoidable suspense:

Did those theoretically unlimited counterfeit ZEC never exist, or were they once hidden where no one could directly see?

Related questions

Q: What is the primary reason the ZEC price dropped over 30% despite the Orchard vulnerability being quickly patched?

A: The primary reason for the price drop was not the vulnerability itself or the risk of future attacks, but the market's inability to determine whether the vulnerability had already been exploited in the past. The vulnerability existed for nearly four years, and due to Orchard's privacy features, there is no way to cryptographically prove whether undetectable counterfeit ZEC was created during that time. This created profound uncertainty about the true supply integrity of ZEC.

Q: What specific aspect of the Orchard circuit was flawed, and what did it allow an attacker to do?

A: The flaw was an "under-constrained element" in an elliptic curve multiplication check within the Orchard zero-knowledge proof circuit. This incomplete mathematical constraint allowed an attacker to input incorrect data. The verification process could incorrectly pass, making the system believe a transaction obeyed the conservation of assets (no new value creation) when it did not. This enabled the creation of unlimited, undetectable counterfeit ZEC within the Orchard pool.

Q: What is the key difference between the statements from Zcash Foundation and Shielded Labs regarding the historical exploitation of the vulnerability?

A: The Zcash Foundation stated there is no evidence the vulnerability was exploited and that the overall 21 million ZEC supply cap remains protected by the Turnstile Accounting mechanism. Shielded Labs, however, clarified that while the supply cap is protected, it is cryptographically impossible to prove that no counterfeit ZEC was *ever* created inside Orchard in the past. Their statements address different levels: one is about the lack of observed evidence and the outer supply limit, while the other is about the fundamental impossibility of proving a negative within the private pool.

Q: What role did Anthropic's Claude Opus 4.8 play in the discovery of the Orchard vulnerability?

A: Anthropic's Claude Opus 4.8, a publicly released general-purpose AI model, was used as a key tool by security researcher Taylor Hornby. The day after its release, Hornby used it to assist in a targeted security review of the Orchard circuit, which led to the discovery of the vulnerability. He then used Opus 4.8 to help write the complete exploit program. This highlights how vulnerability discovery capabilities are diffusing from specialized, restricted security models to publicly available general AI models when guided by expert researchers.

Q: What is the proposed next step by Shielded Labs to rebuild trust in Zcash's supply integrity after the patch?

A: Shielded Labs is working on a proposal for a new network upgrade. This involves deploying a new privacy pool and enforcing Turnstile Accounting on all assets migrating out of the old Orchard pool. This creates a new 'gate' for migration. By verifying the rules during this process, the network can effectively audit the assets leaving Orchard. If successful, this would allow anyone to verify that no extra, illegitimate ZEC existed in Orchard, moving trust from subjective assurance to objective, verifiable proof.

