Four Questions on the Zcash Orchard Vulnerability: Was It Exploited? Can Funds Be Recovered? Is the Supply Verifiable? And Are There Others?

marsbitPublicado a 2026-06-15Actualizado a 2026-06-15

Resumen

Zcash Orchard Bug: Four Key Questions Answered A critical forgery vulnerability was discovered in Zcash's Orchard privacy pool, raising four major concerns for users. 1. **Was the Orchard bug exploited?** The likelihood is considered low. The bug was found proactively using advanced AI-assisted tools and was promptly patched, limiting any potential attack window. If exploitation had occurred, evidence would likely have surfaced by now. 2. **Can legitimate Orchard funds be recovered?** It is believed so, based on the assessment that the bug was not exploited. If forgery did happen, existing "turnstile" mechanisms could prevent full recovery of legitimate funds if forged coins were moved out first, though this scenario is deemed unlikely. Users can choose to move funds, but this carries risks like loss of privacy or new wallet/software issues. 3. **Can users verify Zcash's total supply?** Currently, no. The vulnerability's prior existence prevented independent verification of the shielded supply. The proposed "Ironwood" network upgrade will restore this ability by sealing the Orchard pool, allowing anyone running a node to verify that the circulating ZEC does not exceed the correct amount. 4. **Are there other forgery bugs?** Ongoing intensive audits by multiple teams, including AI-assisted analysis, have not found additional forgery vulnerabilities, increasing confidence that none remain. Further work and collaborations are planned to provide additional guarantees. In co...

Original Authors: Jason McGee, CEO of Shielded Labs; Zooko Wilcox, Founder of Zcash

Compiled | Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng 888 )

Editor's Note: On June 5th, Beijing time, the privacy project Zcash was reported to have had a critical forging vulnerability in its new-generation privacy pool, Orchard. The price of Zcash's native token, ZEC, plummeted by nearly half, hitting a low of around $250. After about ten days of developments, market panic has somewhat subsided, and the price of ZEC has rebounded, returning to $500 today.

This morning, Zcash founder Zooko Wilcox published another lengthy article responding to key market concerns. He stated that it is highly likely the Orchard vulnerability was not previously exploited, and legitimate Orchard funds can be recovered. Currently, users cannot independently verify whether the Zcash supply exceeds its limit, but the upcoming Ironwood upgrade will seal the Orchard pool, restoring this verification capability. Ongoing audits have not uncovered other forging vulnerabilities, but absolute certainty requires more work.

Below is the full text by Zooko Wilcox, compiled by Odaily Planet Daily, enjoy~

————————————

The recent Orchard vulnerability has raised critical questions about Zcash's supply and user fund safety. The discussion has conflated several distinct issues, making it difficult to understand the practical impact of the vulnerability on users. This article attempts to separate these questions and explain what each means for users.

The Orchard vulnerability raises four major questions:

Was the Orchard vulnerability ever exploited?
Can legitimate Orchard funds be recovered?
Can users verify that the Zcash supply has not been inflated?
How do we know there aren't other forging vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We consider it unlikely that it was exploited previously, though we cannot rule it out entirely. We believe the vulnerability likely went unused for three reasons:

Despite years of continuous scrutiny by top cryptographers and security researchers worldwide, the vulnerability was not previously discovered. Its discovery was not accidental; it was found by Taylor Hornby of Shielded Labs with the express purpose of proactively identifying such security flaws before malicious actors could. Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to find subtle flaws others might miss, a task that would be more difficult for those not deeply familiar with the Zcash codebase.

Upon discovery, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deployed a fix, limiting any potential attack window.

Cryptocurrency exploits are common, and attackers typically cash out as quickly as possible, especially after a vulnerability is made public. For an attacker to profit from this vulnerability, they would need to exchange forged ZEC for valuable assets, which usually involves moving ZEC out of the Orchard pool via the turnstile mechanism. Had the vulnerability been exploited before the fix, we would expect evidence to have surfaced by now. Historically, cryptocurrency exploits tend to be "smash-and-grab" operations rather than "4D chess" strategies hidden for months or years.

Can legitimate Orchard funds be recovered?

We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

Conversely, if forging did occur within Orchard, the existing turnstile mechanism limits the total migrated amount to the number of ZEC that legitimately entered the pool. Therefore, if forged funds are migrated before legitimate funds, users may be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, moving their ZEC out of Orchard is still advised. Before doing so, they should understand the following:

Moving funds to a transparent pool (i.e., to a t-address) exposes both the transaction amount and the time of the transaction, and the funds become publicly linked to that t-address.
Moving funds from the Orchard pool to the Sapling pool exposes the transaction amount and time, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on the security of this trusted setup is an additional risk users should be aware of.
To our knowledge, YWallet and Zkool are currently the only widely used, self-custodial Zcash wallets that support the Sapling pool.
Moving funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.

Overall, we consider these risks moderate. If your funds are currently in a shielded, self-custodial wallet, leaving them there is a reasonable choice, given our assessment that prior forging is unlikely. If you have a secure way to move them, that may also be reasonable. Users may arrive at different conclusions based on their own circumstances.

Can users verify that the Zcash supply has not been inflated?

Not currently. The prior existence of the vulnerability prevents users from independently verifying that the ZEC circulating in the current shielded pools does not exceed the correct amount.

However, as we indicated in our previous post, the Ironwood upgrade restores this ability. The diagram below illustrates why.

The proposed network upgrade addresses this by adding a guarantee that "no further unknown forging vulnerabilities exist" and by sealing the Orchard pool. New funds cannot enter, and funds within the pool cannot circulate. The only remaining path is exiting via the existing turnstile mechanism, which ensures that no more ZEC leaves the Orchard pool than legitimately entered it.

This change restores the ability to verify the soundness of Zcash's supply.

Currently, if forged funds exist within the Orchard pool, they can continue to circulate within it. After the upgrade, this is no longer possible. Regardless of whether forging occurred, anyone running a node can verify that no more ZEC is circulating than the correct amount.

Users don't need to wait for funds to migrate out of Orchard or speculate on potential actions by attackers or other users. The protocol itself provides a verifiable guarantee: excess ZEC cannot continue circulating within Orchard to inflate the supply.

This is crucial because Zcash's long-term credibility depends on users' ability to independently verify the soundness of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limit is enforced.

How do we know there aren't other forging vulnerabilities?

We can't be completely certain yet, but we have reason to believe none exist. Shielded Labs and multiple other teams have been meticulously auditing the Zcash protocol for other forging vulnerabilities. This includes using a not-yet-released Mythos AI model, with assistance from Anthropic, to search for additional vulnerabilities shortly before Mythos was paused. We plan to share more details about this audit and its findings in a future blog post.

So far, no other forging vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us increased confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are collaborating with projects like the Tachyon Project to provide additional assurance that no more forging vulnerabilities exist in Zcash. We will elaborate on this in future posts as well.

Conclusion

The Orchard vulnerability presents four key questions: Was it exploited? Can legitimate Orchard funds be recovered? Can users verify Zcash's supply hasn't been inflated? And are there other undiscovered forging vulnerabilities?

We believe prior exploitation is unlikely, therefore legitimate Orchard funds are recoverable, and the current Zcash supply is safe. Based on ongoing audits by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered forging vulnerabilities exist. However, users cannot currently verify the security of Zcash's supply, and they shouldn't have to rely on our assessment—or anyone else's.

The proposed network upgrade solves this. By sealing the Orchard pool, it restores users' ability to independently verify the security of Zcash's supply. Users no longer need to judge whether forging occurred to verify that the protocol's supply limit is being obeyed.

Preguntas relacionadas

QAccording to the article, what are the four main questions raised by the Orchard vulnerability?

AThe four main questions are: 1) Has the Orchard vulnerability been exploited before? 2) Can legitimate Orchard funds be recovered? 3) Can users verify that the Zcash supply has not been inflated? 4) How do we know there are no other counterfeiting vulnerabilities?

QWhat reasons does Zooko Wilcox give for believing the Orchard vulnerability likely was not exploited?

AThree reasons are given: 1) The vulnerability was only discovered using advanced AI-assisted research and custom tools, making it hard to find. 2) Developers quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, limiting the attack window. 3) Cryptocurrency exploits are typically 'smash-and-grab' operations; if exploited, evidence would likely have surfaced by now.

QWhat solution does the proposed Ironwood upgrade provide regarding the Zcash supply?

AThe Ironwood upgrade seals the Orchard pool, preventing new funds from entering and existing funds from circulating. The only remaining path is to exit via the turnstile mechanism, which ensures no more ZEC leaves the pool than legitimately entered. This restores users' ability to independently verify the soundness of the Zcash supply.

QWhat are the risks mentioned for users who choose to move their funds out of the Orchard pool?

ARisks include: exposing transaction amount and time when moving to a transparent (t-address); exposing amount and time when moving to Sapling (though not linking to a specific address/history); relying on Sapling's 2018 trusted setup ceremony; limited wallet support (YWallet, Zkool); and introducing risks from user error, software bugs, custodial risk, or other unforeseen issues with new wallets or services.

QWhat work has been done to check for other counterfeiting vulnerabilities, and what is the current assessment?

AShielded Labs and other teams have been conducting careful reviews, including using an unreleased Mythos AI model from Anthropic to search for additional vulnerabilities. So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI analysis involved provides increased confidence that no similar vulnerabilities remain undetected, though it is not yet considered completely certain.

Lecturas Relacionadas

Apple Also Has to Pay Rent Now

Apple Pays Rent Too: The Two-Way Flow of "Traffic Tax" and "AI Capability Rent" Between Tech Giants For over two decades, Google has paid Apple an estimated $20 billion annually to remain the default search engine on Safari, a "traffic tax" for a critical user entry point. However, in 2026, the direction of this cash flow partially reversed. Apple agreed to pay Google roughly $1 billion per year to license its Gemini AI models, as Apple's own models reportedly struggled with complex tasks. This creates a unique dynamic: Apple acts as the "landlord" in the established search ecosystem, collecting rent from Google for access. Simultaneously, in the emerging AI arena, Apple becomes the "tenant," paying Google for access to cutting-edge AI capabilities it cannot currently match internally. While Apple claims its new models are "distilled" from Gemini outputs and contain "not a drop" of Google's original code, core dependencies remain. Its knowledge base is refined using Gemini's outputs, and its most powerful cloud model runs on Google's infrastructure. Apple has structured the deal as non-exclusive, allowing it to theoretically switch AI suppliers—a hedge against over-reliance. The future hinges on whether advanced AI models become a commodity (cheap and abundant) or remain a concentrated, scarce resource (expensive and controlled by few). Apple is betting on the former, leveraging its massive device ecosystem to be a powerful, choosy customer. If the latter proves true, its bargaining power could erode. This power dynamic is extending to developers. Apple, Google, and WeChat are all pushing for apps to expose their core functions as standardized "actions" or "intents" that their respective AI assistants (Siri, Gemini, WeChat AI) can directly call. The new scarce resource is no longer just app store visibility, but "being selected by the AI." The currency of "rent" has changed from a 30% revenue share to ceding control over how users interact with an app's functions.

marsbitHace 9 min(s)

marsbitHace 9 min(s)

Missed the SpaceX IPO? WEEX's "First Trade Protection" Lets You Experience US Stock Trading Risk-Free.

With the excitement around SpaceX's recent public listing reigniting interest in the US stock market, Chinese investors face significant challenges accessing compliant and convenient trading channels following regulatory actions against major online brokers. This article explores the available options, highlighting their risks and limitations. Traditional paths for US stock investments remain problematic. Qualified Domestic Institutional Investor (QDII) and Listed Open-Ended Fund (LOF) products, while compliant, suffer from high fees, significant purchase premiums, and a very limited selection of assets. Small, unregulated offshore brokers pose substantial risks, including potential insolvency. While secure, VIP accounts at banks in Hong Kong or Singapore require high minimum deposits (often 1-2 million RMB) and in-person visits, placing them out of reach for most retail investors. The article positions cryptocurrency exchanges, specifically their TradFi (traditional finance on-chain) offerings, as a compelling alternative. Platforms like WEEX are noted for providing access to a wide range of US stocks and ETFs, including SpaceX (SPCXON), through tokenized assets. This method offers advantages such as a single account for both crypto and traditional assets, USDT-based settlement avoiding fiat complexities, flexible leverage, and robust risk management. To attract users, WEEX is promoting a "First Trade Guarantee" campaign. Running from June 15 to July 8 (UTC+8), it features a $30,000 prize pool. Users who trade $500 worth of US stock contracts can qualify for a guarantee on their first eligible trade: 100% loss coverage up to $30 or a 20% bonus on profits up to $30. The campaign is presented as a low-risk opportunity for both crypto natives and traditional investors to experience US stock trading.

marsbitHace 10 min(s)

Missed the SpaceX IPO? WEEX's "First Trade Protection" Lets You Experience US Stock Trading Risk-Free.

marsbitHace 10 min(s)

How Difficult is Chip Making? A Division Error Costs 475 Million Dollars

How Hard Is It to Make a Chip? A Division Error Cost $475 Million Chip expert Shi Kan, a researcher at the Chinese Academy of Sciences and a popular tech creator, explains the immense challenges of chip development. Chips are foundational to modern technology, but their creation is extraordinarily difficult. The journey from sand to a functional chip involves complex design and manufacturing, but a critical bottleneck is verification—ensuring the design works flawlessly before costly production. A single, undetected bug can have catastrophic consequences, as illustrated by the infamous 1994 Intel Pentium FDIV bug. A flaw in the floating-point division unit forced a recall costing $475 million. Unlike software, chips cannot be easily patched after manufacture, making "first-time success" paramount. However, industry surveys show only 24% of chip projects achieve this; over three-quarters require at least one costly re-spin due to design flaws. Verification has thus become the dominant phase, consuming up to 70% of the design cycle. The core challenge is a "verification impossible triangle" between high performance, good debuggability, and low cost. Exhaustively verifying a modern CPU core could take 15,000 years with software simulation, or 30 years with advanced hardware emulation—timeframes utterly impractical for development. Despite being essential, verification is often seen as unglamorous "dirty work," receiving less academic attention than fields like AI. Shi and his team are tackling this by developing an agile verification research framework called ENCORE, based on FPGA technology, to improve verification efficiency and debug capability. Beyond research, Shi engages in public science communication through long-form video content, aiming to demystify chip technology, AI, and computer science. He argues for the value of pursuing "hard and long-term" endeavors, whether in the meticulous world of chip verification or in creating substantive educational content, believing such sustained effort is likely the right path forward.

marsbitHace 20 min(s)

How Difficult is Chip Making? A Division Error Costs 475 Million Dollars

marsbitHace 20 min(s)

Claude to Mandate "Face-Scan ID Verification", No ID No Service Starting July?

Anthropic, the creator of Claude AI, has sent privacy policy update emails to users, signaling a significant shift. The key change, effective July 8, is the potential requirement for consumer-level users (Free, Pro, Max plans) to verify their age or identity. This verification would be conducted through the third-party service Persona, involving uploading a government-issued photo ID and taking a live selfie for comparison. Anthropic states this data is for security purposes only, will not be used for model training, and is processed by Persona, not stored on its own servers. The update also clarifies data handling for Claude's new capabilities: when performing multi-step tasks or connecting to third-party apps, user data may flow between Anthropic and those external services. Additionally, more information may be collected from users who participate in Anthropic research. This move is seen as a major step towards establishing accountability as AI agents become more powerful and autonomous, capable of executing complex, real-world tasks. It follows previous enforcement actions, like the banning of the "Fable 5" account, and indicates a broader industry trend toward stricter user identification and safety measures. The verification is expected to apply in specific scenarios, particularly as users engage Claude in more complex agentic workflows.

链捕手Hace 32 min(s)

Claude to Mandate "Face-Scan ID Verification", No ID No Service Starting July?

链捕手Hace 32 min(s)

Blockchain Has Finally Started to Sail into the Mainstream After 18 Years

Blockchain Finds Its True Path After 18 Years: Becoming the Financial Backbone for AI Agents and Autonomy This analysis explores a pivotal shift in the blockchain and crypto investment landscape, driven by the dominance of AI. Major venture capital firms, including Variant, Paradigm, Haun Ventures, and YZi Labs, are moving beyond pure "crypto" investment theses. They are expanding their focus to AI, robotics, and frontier tech, signaling that blockchain is no longer seen as a standalone sector but as an underlying infrastructure layer. The core argument is that blockchain's killer application may not be user-facing apps, but rather providing the economic rails for the coming wave of AI agents, autonomous robots, and automated systems. Key capabilities like self-custody wallets, programmable stablecoins for micropayments, on-chain identity, and verifiable smart contracts are positioned as essential for a future where machines conduct economic activity. The recent $1.4 billion investment by Tether (via its venture arm) in German robotics company NEURA Robotics exemplifies this, aiming to embed Tether's wallet tools directly into robots for autonomous transactions. While many "AI + Crypto" projects remain superficial, the article concludes that true value lies where crypto is a necessary component—enabling machine-to-machine payments, agent autonomy, verifiable data provenance, and open financial settlement for the AI era. For crypto venture capital, this convergence with AI represents both an adaptation to shifting capital flows and a potential path to unlocking the large-scale, non-speculative utility the industry has long sought.

marsbitHace 40 min(s)

Blockchain Has Finally Started to Sail into the Mainstream After 18 Years

marsbitHace 40 min(s)

Trading

Spot

Futuros