Zcash Bug Could Have Minted Unlimited ZEC Undetected

bitcoinistPublié le 2026-06-05Dernière mise à jour le 2026-06-05

Résumé

A critical vulnerability in Zcash's Orchard shielded pool, discovered by researcher Taylor Hornby on May 29, 2026, could have allowed an attacker to create an unlimited amount of undetectable counterfeit ZEC. The flaw, involving an under-constrained element in the Orchard circuit, existed from the pool's 2022 activation until an emergency fix was deployed by June 2, 2026. Hornby identified the bug using AI-assisted auditing tools and confirmed its exploitability in a test environment. Due to Orchard's privacy features, which hide transaction amounts and history, there is no cryptographic way to prove whether the vulnerability was exploited before the fix. While Shielded Labs assesses prior exploitation as unlikely, this uncertainty has sparked a debate on proving supply integrity in privacy-preserving systems. In response, Shielded Labs and other developers are exploring a network upgrade, potentially involving a new shielded pool and formal verification of the circuit rules to prevent future vulnerabilities and allow verification of the ZEC supply's integrity. ZEC's price fell nearly 45% following the disclosure.

A critical vulnerability in Zcash’s Orchard shielded pool could have allowed an attacker to create an unlimited amount of counterfeit ZEC without detection, according to a new disclosure from Zooko Wilcox, Jason McGee and security researcher Taylor Hornby. The flaw was discovered on May 29, remediated through an emergency ecosystem response completed by June 2, and has now triggered a broader debate over how Zcash can prove supply integrity in a privacy-preserving system.

Orchard Flaw Puts Zcash Supply Integrity Under Scrutiny

The vulnerability was found by Hornby, an experienced security engineer hired by Shielded Labs in April 2026 to conduct ongoing security research on the Zcash protocol. According to the disclosure, the mandate was straightforward: find protocol-level weaknesses before adversaries did. Hornby began reviewing Zcash with a combination of traditional security research and newer AI-assisted auditing methods.

The timing was unusually compressed. Shortly after Anthropic released its Opus 4.8 model on May 28, Hornby used it in a targeted review of the Orchard circuit. One day later, he found a critical counterfeiting flaw and disclosed it to Zcash Open Development Lab, or ZODL, whose engineers coordinated the emergency response with other ecosystem participants.

“The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard,” the Shielded Labs post said. “Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated. However, a network upgrade can be deployed to protect users and prove the integrity of the Zcash supply.”

The disclosure states that the bug was “real and exploitable.” Hornby, with the help of Opus 4.8, wrote a complete exploit and tested it in a local regtest environment, where it generated unlimited counterfeit ZEC that could not be detected. The authors said that had the same tool been run on mainnet, it would have generated unlimited, undetectable counterfeit ZEC in Hornby’s mainnet wallet.

Technically, the issue involved an under-constrained element of the Orchard circuit. That made it possible to feed arbitrary false inputs into an elliptic curve multiplication while still passing the multiplication check. The vulnerability existed from Orchard’s activation in May 2022 until the emergency fix was deployed on June 1, 2026.

That timeline is central to the concern. In a transparent ledger, supply irregularities can generally be audited by inspecting public balances and transaction values. Orchard is different by design: it hides amounts and transaction history. That privacy model means the system depends heavily on the correctness of the circuit rules that define valid shielded transactions.

Josh Swihart, founder and CEO of Zcash Open Development Lab, the team behind the creation and launch of Zcash and builder of the Zodl wallet, framed the issue in those terms in a separate post. “A shielded Zcash transaction includes a proof that it followed the protocol’s rules, as defined in the rulebook (the circuit) that defines what constitutes a valid transaction. The Orchard vulnerability was in one of the rules, written loosely enough that it would accept false information and still pass. As a result, the engine could be convinced that a fake transaction was valid.”

Swihart added that the flaw was not in Zcash’s underlying cryptography or the proof engine itself, but in the handwritten rules. In his words, “This was a flaw in the handwritten rules, not in the underlying cryptography or the engine that creates proofs.”

Shielded Labs said prior exploitation appears unlikely, while emphasizing that users should not be asked to rely on that assessment alone. The authors pointed to several reasons for their view: the flaw had evaded years of scrutiny by leading cryptographers, Hornby was specifically hired to find such vulnerabilities, and the response window after discovery was sharply narrowed by the speed of ZODL and the broader Zcash ecosystem.

“The discovery was not accidental—it was the result of a deliberate effort to identify vulnerabilities of this kind before malicious actors could,” the post said. “Taylor is one of the most skilled people in the world at this. He used the most recent AI tools, available only to white-hat security researchers, along with a sophisticated custom-built AI harness and prompts, and worked hard to outrace the attackers. We think he probably succeeded.”

Still, the authors acknowledged the unresolved cryptographic uncertainty. Because of Orchard’s privacy properties and the nature of the bug, they said there is no definitive way to prove solely through cryptography whether the vulnerability was exploited before the fix.

Shielded Labs Eyes New Pool And Formal Verification

To address that, Shielded Labs is exploring a proposed network upgrade with other Zcash developers. The plan would deploy a new shielded pool and enforce turnstile accounting on coins moving from the existing Orchard pool, with the goal of allowing anyone to verify the integrity of the Zcash supply and prove the non-existence of counterfeit ZEC in Orchard. A follow-up post is expected next week with more details, including tradeoffs and implementation mechanics. Any major upgrade would still need community support and the standard governance process before activation.

Swihart said a second Orchard pool could, in principle, be targeted for NU7 at the end of July, though he did not take a fixed position on whether that path should be pursued. He argued that the larger issue is preventing this class of failure from recurring, with formal verification as the strongest answer.

“Formal verification fixes this,” Swihart wrote. “A mathematical proof can be constructed to reduce the parts humans must review to a concise, readable statement of the rules. A computer then checks the entire rulebook to ensure it matches. AI tools can now do the work of writing these proofs.”

Shielded Labs said it is already accelerating proactive security work with Hornby and Anthropic, initiating a project to formally verify the Orchard circuit, and opening searches for a Head of Security and a Cryptographer. The episode leaves Zcash with a difficult but clear path: repair the trust assumptions around Orchard, prove supply integrity where possible, and move future shielded design closer to machine-checked guarantees rather than human-reviewed complexity.

Over the past 24 hours, ZEC has fallen nearly 45% amid the uncertainty. At press time, it was trading at $337.

ZEC trades below the 1.618 Fib again, 1-week chart | Source: ZECUSDT on TradingView.com

Cryptos en tendance

Questions liées

QWhat was the nature of the critical vulnerability discovered in Zcash's Orchard shielded pool?

AThe vulnerability was a critical counterfeiting flaw. An under-constrained element in the Orchard circuit allowed an attacker to feed arbitrary false inputs into an elliptic curve multiplication while still passing the multiplication check, potentially enabling the creation of an unlimited amount of counterfeit ZEC that could not be detected.

QWho discovered the vulnerability, and what tools aided in its discovery?

AThe vulnerability was discovered by security researcher Taylor Hornby, who was hired by Shielded Labs. He used a combination of traditional security research and newer AI-assisted auditing methods, specifically employing Anthropic's Opus 4.8 model released on May 28 in a targeted review of the Orchard circuit, which led to the discovery the next day.

QWhy is it impossible to cryptographically prove whether the Orchard vulnerability was exploited before it was fixed?

ADue to the privacy properties of the Orchard shielded pool, which hides transaction amounts and history by design. This means supply irregularities cannot be audited by inspecting public data, unlike transparent ledgers. The system relies on the correctness of the circuit rules, and the bug's nature leaves no definitive cryptographic trace of prior exploitation.

QWhat proposed solution is Shielded Labs exploring to address the supply integrity concerns raised by the Orchard bug?

AShielded Labs is exploring a proposed network upgrade to deploy a new shielded pool. This plan would enforce turnstile accounting on coins moving from the existing Orchard pool, with the goal of allowing anyone to verify the integrity of the Zcash supply and prove the non-existence of counterfeit ZEC in Orchard.

QAccording to Josh Swihart, what is the strongest long-term solution to prevent this class of failure from recurring?

AJosh Swihart identified formal verification as the strongest answer. This involves constructing a mathematical proof to reduce the human-reviewed parts to a concise statement of the rules, and then using a computer to check that the entire rulebook matches those rules, with AI tools now capable of writing these proofs.

Lectures associées

Bitcoin – 'Une rupture au-dessus de 80 000 $ est improbable' – CoinShares identifie le déclencheur manquant

Après une hausse de 1,56% le jour précédent, le Bitcoin se négociait à 63 921,09 $, montrant des signes de reprise. Cependant, un rapport de CoinShares indique que cette reprise est davantage motivée par des facteurs macroéconomiques que par des développements propres aux cryptomonnaies. Au premier semestre 2026, des inquiétudes concernant l'inflation, des taux d'intérêt élevés, des tensions géopolitiques et un ralentissement de la croissance économique avaient entraîné des sorties de fonds record de 8 milliards de dollars sur huit semaines. Cette tendance s'est inversée récemment, avec des entrées de capitaux pendant deux semaines consécutives. Le changement de sentiment est attribué à des données d'inflation américaines inférieures aux attentes (IPC à -0,4%, PPI à -0,3%), laissant anticiper un assouplissement potentiel de la politique monétaire de la Fed et stimulant l'appétit pour le risque, dont le Bitcoin a bénéficié. Le rapport suggère que le Bitcoin a probablement atteint un plancher à court terme. Cependant, sans un changement significatif dans les attentes de politique monétaire, une forte hausse est jugée improbable. Les analystes prévoient plutôt une phase de trading dans une fourchette, estimant qu'une rupture au-dessus de 80 000 $ est peu probable sans un tel changement. D'autres analyses évoquent même une poursuite de la baisse vers 55 560 $ ou 51 934 $. L'indice Crypto Fear and Greed se situe dans la zone de "peur extrême", reflétant la prudence persistante des investisseurs, qui semblent actuellement plus intéressés par les actions liées à la blockchain que par le Bitcoin lui-même.

ambcryptoIl y a 4 h

Bitcoin – 'Une rupture au-dessus de 80 000 $ est improbable' – CoinShares identifie le déclencheur manquant

ambcryptoIl y a 4 h

Malgré un taux de soutien inférieur à 1 %, le BIP-110 persiste-t-il à vouloir pousser le Bitcoin vers un soft fork de manière « tyrannique » ?

Alors que la période de fenêtre d'activation forcée du BIP-110 approche en août, ce projet de soft fork visant à limiter les données non monétaires (comme les inscriptions Ordinals) dans les transactions Bitcoin continue de susciter de vives controverses. Malgré un seuil d'activation fixé à 55%, le BIP-110 ne bénéficie actuellement que d'un soutien minime : moins de 1% des mineurs et environ 14.6% des nœuds. Son mécanisme "autoritaire" prévoit que, si le seuil n'est pas atteint, les nœuds le supportant entreront en période de fenêtre forcée, rejetant les blocs non conformes pour tenter d'imposer la règle à 100% du réseau, risquant ainsi de créer une scission de la chaîne. Les partisans, menés par le développeur Luke Dashjr, considèrent cette mesure comme une protection nécessaire contre les "transactions parasites" qui encombrent l'espace des blocs et nuisent à la fonction monétaire première de Bitcoin. Son pool minier Ocean est le principal soutien public. Les opposants, incluant des figures comme Adam Back et Jameson Lopp, critiquent fermement la proposition. Ils argumentent que le BIP-110 est inefficace pour résoudre le problème des spams, étouffe l'innovation future (en entravant des protocoles comme BitVM), introduit une censure contraire à l'esprit décentralisé de Bitcoin, et crée des risques inutiles de division du réseau et de double dépense. Pour eux, il s'agit d'une solution technique à un problème culturel, générant plus de dangers qu'elle n'en résout. Plusieurs scénarios sont envisagés après l'activation forcée prévue fin août/début septembre : l'extinction rapide de la chaîne minoritaire BIP-110 par manque de puissance de calcul, une concurrence prolongée entre les deux chaînes si un nombre significatif de mineurs la soutient, ou sa transformation en une fourche permanente isolée. La réussite finale dépendra de l'adhésion économique et des choix des mineurs, la plupart des observateurs anticipant un échec du BIP-110 à s'imposer comme la chaîne principale de Bitcoin.

marsbitIl y a 5 h

Malgré un taux de soutien inférieur à 1 %, le BIP-110 persiste-t-il à vouloir pousser le Bitcoin vers un soft fork de manière « tyrannique » ?

marsbitIl y a 5 h

Trading

Spot

Articles tendance

Comment acheter ZEC

Bienvenue sur HTX.com ! Nous vous permettons d'acheter Zcash (ZEC) de manière simple et pratique. Suivez notre guide étape par étape pour commencer votre parcours crypto.Étape 1 : Création de votre compte HTXUtilisez votre adresse e-mail ou votre numéro de téléphone pour ouvrir un compte sur HTX gratuitement. L'inscription se fait en toute simplicité et débloque toutes les fonctionnalités.Créer mon compteÉtape 2 : Choix du mode de paiement (rubrique Acheter des cryptosCarte de crédit/débit : utilisez votre carte Visa ou Mastercard pour acheter instantanément Zcash (ZEC).Solde :utilisez les fonds du solde de votre compte HTX pour trader en toute simplicité.Prestataire tiers :pour accroître la commodité d'utilisation, nous avons ajouté des modes de paiement populaires tels que Google Pay et Apple Pay.P2P :tradez directement avec d'autres utilisateurs sur HTX.OTC (de gré à gré) : nous offrons des services personnalisés et des taux de change compétitifs aux traders.Étape 3 : stockage de vos Zcash (ZEC)Après avoir acheté vos Zcash (ZEC), stockez-les sur votre compte HTX. Vous pouvez également les envoyer ailleurs via un transfert sur la blockchain ou les utiliser pour trader d'autres cryptos.Étape 4 : tradez des Zcash (ZEC)Tradez facilement Zcash (ZEC) sur le marché Spot de HTX. Il vous suffit d'accéder à votre compte, de sélectionner la paire de trading, d'exécuter vos trades et de les suivre en temps réel. Nous offrons une expérience conviviale aux débutants comme aux traders chevronnés.

443 vues totalesPublié le 2024.12.12Mis à jour le 2026.06.02

Comment acheter ZEC

Discussions

Bienvenue dans la Communauté HTX. Ici, vous pouvez vous tenir informé(e) des derniers développements de la plateforme et accéder à des analyses de marché professionnelles. Les opinions des utilisateurs sur le prix de ZEC (ZEC) sont présentées ci-dessous.

活动图片