ZEC Co-Founder Responds to Orchard Vulnerability: No Signs of Theft, Orchard Pool to Be Sealed

Foresight NewsPubblicato 2026-06-15Pubblicato ultima volta 2026-06-15

Introduzione

ZEC Co-Founder Addresses Orchard Vulnerability: No Signs of Theft, Plans to Sunset Orchard Pool A security vulnerability was recently discovered in Zcash's Orchard shielded pool, raising key concerns. The primary questions are whether the flaw was exploited, if user funds are safe, whether users can verify the total ZEC supply, and if other similar vulnerabilities exist. Analysis suggests the vulnerability was likely not exploited prior to its discovery. It was found proactively by a researcher using specialized tools, not due to an active breach. The development team and mining pools acted quickly to contain the issue. Typical financially-motivated attacks would likely have left visible on-chain evidence, which has not been observed. User funds in Orchard are considered safe and should be recoverable, assuming no prior exploitation. If the flaw was never used, all legitimate funds can be withdrawn. The article outlines risks associated with moving funds to transparent addresses or other pools, but concludes that leaving assets in place is a reasonable option. Currently, users cannot independently verify that the total ZEC supply hasn't been inflated due to this bug. However, the planned Ironwood network upgrade is designed to resolve this. It will permanently close the Orchard pool to new deposits and internal transfers, allowing only withdrawals. This mechanism will cap total withdrawals at the amount of legitimately deposited funds, enabling anyone to cryptographically...

Authors: Zooko Wilcox, Jason McGee

Compiled by: Luffy, Foresight News

Recently, a security vulnerability was exposed in Zcash's Orchard module, raising two major concerns for the community: Is the total supply of ZEC tokens abnormal? Are user assets safe?

Current discussions intertwine several different topics, making it difficult for many to understand the actual impact of this vulnerability on ordinary users. This article will address these issues, explaining the underlying meanings one by one.

This Orchard vulnerability primarily raises four key questions:

Has the vulnerability been exploited by hackers?
Can users' legitimate assets stored in Orchard be withdrawn normally?
Can users independently verify that the total supply of Zcash has not been artificially inflated?
How can we confirm that the project does not contain other similar token forgery vulnerabilities?

Has the Vulnerability Been Exploited?

Currently, there is no definitive conclusion. Overall, the likelihood of the vulnerability being maliciously exploited previously is low, but we cannot rule it out with 100% certainty. There are three main reasons:

For many years, numerous top global cryptographers and security researchers have been reviewing the Zcash code, and this vulnerability remained undiscovered. This vulnerability was proactively found by Shielded Labs' Taylor Hornby during targeted investigations, not accidentally exposed. He leveraged AI-powered security detection technology and custom tools specifically designed to uncover this type of hidden flaw. Such vulnerabilities have a high technical barrier; it would be difficult for individuals not specialized in the Zcash codebase to find and exploit them.
Upon the vulnerability's exposure, the Zcash development team immediately collaborated with major mining pools to temporarily freeze the Orchard pool and push a fix, significantly narrowing the window of opportunity for attackers.
Most attacks in the cryptocurrency space aim for quick profits. Once a vulnerability is public, hackers typically cash out immediately. To profit from this vulnerability, a hacker would need to transfer the forged ZEC out of the Orchard pool and exchange it for other assets. Such operations generally leave traces. If the vulnerability had been exploited long ago, evidence should have emerged by now. Throughout industry history, hackers' modus operandi is typically "strike and disappear quickly," not deliberately hiding for months or even years.

Can Legitimate Assets in Orchard Be Withdrawn?

We believe they can be withdrawn normally, provided the vulnerability has never been exploited. If this assessment holds true, all legitimate assets users have deposited into Orchard can be successfully transferred out.

Conversely, if hackers have already used the vulnerability to create counterfeit tokens and transferred them into the pool, the existing withdrawal channels would cap the total withdrawal amount. The withdrawal limit would equal the total amount of legitimate tokens initially deposited. In this scenario, if counterfeit tokens are withdrawn first, some users' legitimate assets might not be fully recovered.

We consider the likelihood of this extreme scenario to be low. If users still have concerns, they can move their assets out of the Orchard pool. However, before doing so, it's important to understand the potential risks of different withdrawal methods:

Transferring to a transparent address (t-address): The transfer amount and time will be fully public, and the assets will become publicly associated with that address, completely losing privacy.
Transferring to the Sapling shielded pool: The transfer amount and time will still be recorded, but it won't link the assets to a specific address or transaction history, offering better privacy than transparent addresses. Note that Sapling relies on a trusted setup ceremony completed in 2018, which itself carries additional security considerations.
Wallets: Among mainstream self-custody wallets, currently only YWallet and Zkool support the Sapling pool.
Other wallets or custodial platforms: There may also be risks of operational errors, software faults, platform risk controls, and other unexpected issues.

Overall, these risks are manageable. Combined with the assessment that "the vulnerability was most likely not exploited," keeping assets in the original shielded wallet is a prudent choice. If users can ensure operational safety, withdrawing assets is also a viable option. Users should decide based on their individual circumstances.

Can Users Independently Verify That Zcash's Total Supply Has Not Been Inflated?

Currently, this is not possible. Due to the existence of this vulnerability, ordinary users cannot independently verify whether the total token supply within the shielded pools has been inflated.

However, the planned Ironwood network upgrade will address this issue. The logic is as follows:

This upgrade will permanently close the Orchard pool, disallowing new asset deposits. Tokens within the pool will no longer be able to move internally; all assets can only be withdrawn through the original channels. The total withdrawal amount from these channels strictly equals the amount of legitimate tokens originally deposited, fundamentally preventing any excess outflow of tokens.

After the upgrade is complete, anyone running a node will be able to verify that the total token supply is compliant. Even if counterfeit tokens were created in the past, they will no longer be able to circulate within the Orchard pool, artificially inflating the total supply. Users won't need to speculate about the actions of hackers or other users; the protocol itself will guarantee that token over-issuance cannot occur.

This point is crucial. Zcash's long-term credibility is built on users' ability to independently verify the total token supply. The Ironwood upgrade will restore this capability to users.

How to Confirm the Project Has No Other Token Forgery Vulnerabilities?

At this stage, we cannot give an absolute answer, but we have reason to believe no similar vulnerabilities currently exist.

Shielded Labs, in collaboration with several teams, conducted a comprehensive review of the Zcash protocol, specifically searching for token forgery vulnerabilities. During this process, the team also utilized Anthropic's not-yet-publicly-released Mythos AI model for auxiliary detection. We will publish a follow-up article detailing the process and results of this review.

To date, the team has not discovered any new forgery vulnerabilities. This review assembled experienced technical personnel, professional security teams, and advanced AI analysis tools, which further strengthens our confidence that there are currently no undisclosed high-risk vulnerabilities of the same type.

Simultaneously, we are collaborating with partners like the Tachyon project to conduct additional inspections, further strengthening our security defenses. Related progress will also be announced later.

Summary

This Orchard vulnerability raises four core questions: whether the vulnerability was exploited, whether legitimate assets can be withdrawn, whether the total token supply can be verified, and whether other forgery vulnerabilities exist.

Based on the current investigation results, we assess that the likelihood of the vulnerability being exploited previously is low. Therefore, user assets are safe, and the total token supply currently remains normal. After repeated inspections by multiple independent teams, we are increasingly confident that the project currently has no other undiscovered forgery vulnerabilities.

However, one point is unavoidable: currently, users cannot independently verify the total token supply. The upcoming network upgrade will completely solve this problem. After the upgrade, the Orchard pool will be permanently closed, allowing users to independently verify the total token supply without needing to judge whether token forgery has ever occurred.

Domande pertinenti

QWhat are the four key questions raised by the Orchard security vulnerability?

AThe four key questions are: 1) Has the vulnerability been exploited? 2) Can legitimate user assets stored in Orchard be withdrawn normally? 3) Can users independently verify that the total Zcash supply has not been artificially increased? 4) How can we confirm there are no other similar token counterfeiting vulnerabilities in the project?

QWhat is the primary reason why the authors believe the Orchard vulnerability likely hasn't been exploited?

AThe authors believe exploitation is unlikely primarily because the vulnerability was discovered through proactive investigation by Shielded Labs using specialized AI detection tools, not due to a public exposure. They argue that exploiting it requires deep expertise and that typical cryptocurrency attackers would likely have cashed out already, leaving detectable traces, which haven't been observed.

QHow does the planned Ironwood network upgrade aim to restore users' ability to verify the Zcash supply?

AThe Ironwood upgrade will permanently close the Orchard pool, preventing new deposits and internal transfers. All assets can only be withdrawn via the original channels, whose total withdrawal amount is strictly capped at the amount of legitimate tokens originally deposited. This prevents any excess tokens from leaving the pool, allowing anyone running a node to verify the total supply compliance.

QWhat risks do users face if they choose to transfer their assets out of the Orchard pool?

ATransferring to a transparent address (t-address) reveals the amount, timing, and links the assets to that address, losing all privacy. Transferring to the Sapling pool offers better privacy but relies on a 2018 trusted setup ceremony, which introduces its own security considerations. Additionally, users may face risks from operational errors, software bugs, or platform restrictions when using wallets or custodial services.

QWhat measures have been taken to search for other potential token counterfeiting vulnerabilities in Zcash?

AShielded Labs, in collaboration with other teams, conducted a comprehensive audit of the Zcash protocol specifically for token counterfeiting vulnerabilities. They utilized advanced tools including an unreleased AI model from Anthropic called Mythos. So far, no new such vulnerabilities have been found, increasing confidence that no other high-risk, undisclosed vulnerabilities of this type exist.

Letture associate

The Foundation of SpaceX's Trillion-Dollar Valuation: Who is Dividing Up Musk's Annual Tens of Billions in Capital Expenditure?

SpaceX's trillion-dollar valuation is built on its three core businesses: Starlink (profitable, 60% of revenue), rockets (driving down launch costs), and AI (a major investment area). This creates a financial cycle: Starlink funds rocket development, which enables low-cost launches for AI hardware, generating future revenue. This cycle fuels annual capital expenditures of tens of billions, flowing to a vast supply chain. Suppliers are categorized by their replaceability. The first group includes irreplaceable players like NVIDIA (GPU/CUDA ecosystem), Eutelsat (critical radio spectrum), Filtronic (specialized amplifiers), Materion (strategic beryllium), and STMicroelectronics (antenna chips). The second group consists of hard-to-replace suppliers due to high switching costs, such as Honeywell (flight control), Carpenter Technology (specialty alloys), Hexcel (carbon fiber), Broadcom (data exchange), and Linde (industrial gases). The third group comprises high-volume, cost-critical suppliers for mass-produced items like Starlink terminals. Key names include Wistron NeWeb (primary manufacturer) and several A-share companies like Shenzhen Sunway (connectors), Pies New Materials (forgings), Western Superconducting (alloys), and Yingliu (castings). Other niche players include Trimble (timing), Astronics (power distribution), and CTS (thermal management). The article argues that investing in these suppliers, rather than SpaceX stock directly, offers an alternative opportunity. The rationale is threefold: procurement is just beginning to scale, SpaceX's IPO brings new transparency to its supply chain, and the situation mirrors early stages of past "super terminal" ecosystems like Apple or Tesla. While risks exist (commodity cycles, geopolitical factors, technology shifts), the core thesis is that SpaceX's massive, ongoing procurement will translate into reliable revenue for its key suppliers, regardless of its own stock price volatility.

marsbit8 min fa

The Foundation of SpaceX's Trillion-Dollar Valuation: Who is Dividing Up Musk's Annual Tens of Billions in Capital Expenditure?

marsbit8 min fa

SpaceX's Trillion-Dollar Valuation Base: Who's Sharing in Musk's Annual Tens of Billions in Capital Expenditure?

**Title: The Foundation of SpaceX's Trillion-Dollar Valuation: Who Benefits from Musk's Annual $100 Billion Capital Expenditure?** This article argues that investors seeking to benefit from SpaceX's growth might find greater opportunities in its supply chain rather than directly investing in the company itself, drawing parallels to historical successes with Apple, Tesla, and NVIDIA suppliers. **SpaceX's Business Model & Cash Flow:** SpaceX generates revenue from three main areas: 1. **Starlink:** Its profitable core, earning $11.3B in 2023 (60% of revenue), funding other ventures. 2. **Rockets (Falcon/Starship):** Requires $3B+ in annual R&D but achieves the world's lowest launch costs. 3. **AI:** Currently unprofitable (-$6B+ in 2023), investing heavily in ground-based supercomputers (220,000 GPUs) and future orbital data centers. The cycle is: Starlink profits → fund cheaper rockets → low-cost launches deploy AI hardware → AI compute rentals generate future revenue. This cycle drives annual procurement spending of tens of billions of dollars. **The Supply Chain Beneficiaries:** Suppliers are categorized by their replaceability: **1. Nearly Irreplaceable (High Barriers to Entry):** * **NVIDIA:** Powers the Colossus supercomputer; its CUDA ecosystem creates immense switching costs. * **Eutelsat (SATS):** Controls critical radio spectrum for satellite communications; holds a ~3% stake in SpaceX. * **Filtronic (FTC):** Supplies millimeter-wave signal amplifiers for Starlink satellites; SpaceX constitutes 83% of its revenue. * **Materion (MTRN):** Global leader in beryllium production, a strategic material used in Starship structures. * **STMicroelectronics (STM):** Supplies phased-array antenna chips for Starlink satellites. **2. Replaceable, but Switching Cost is Prohibitively High:** * **Honeywell (HON):** Provides flight control and inertial navigation systems with decades of certification. * **Carpenter Technology (CRS):** Manufactures ultra-pure specialty steel alloys for Raptor engines. * **Hexcel (HXL):** Supplies custom carbon fiber composites developed over a decade with SpaceX. * **Broadcom (AVGO):** Manages high-speed data switching. * **Linde Group:** Supplies industrial gases (liquid oxygen/nitrogen) from facilities built near SpaceX launch sites. **3. High-Volume, Cost-Critical Manufacturing:** Focuses on mass-producing components like Starlink user terminals (target: 30 million units). * **Key Players:** Wistron NeWeb (6285, primary terminal manufacturer), several Chinese A-share companies (e.g., Sunway Communication, PAX New Materials, Western Metal Materials, Yingliu Co.), and smaller US firms like Trimble (TRMB, timing systems). **Why Now?** Three factors make the supply chain opportunity timely: 1. **Volume Ramp-Up:** SpaceX plans 100 launches in 2026, aims for 30 million Starlink terminals, and will deploy AI data centers, meaning procurement will accelerate. 2. **Increased Transparency:** The IPO provides public financial data, allowing investors to track supplier order growth. 3. **Historical Precedent:** The current phase is likened to Tesla's early mass-production stage (circa 2018), suggesting a long growth runway for suppliers. **Conclusion:** The article posits that while investing in SpaceX stock is betting on Elon Musk's ambitious vision at a high valuation, investing in its established suppliers is a bet on the tangible, recurring revenue from its massive procurement budget, which is largely decoupled from day-to-day stock price volatility.

链捕手11 min fa

SpaceX's Trillion-Dollar Valuation Base: Who's Sharing in Musk's Annual Tens of Billions in Capital Expenditure?

链捕手11 min fa

World Cup Upset! Polymarket User Loses Nearly $1 Million

A prediction market trader lost nearly $1 million after underdog Cape Verde held soccer powerhouse Spain to a 0-0 draw in their World Cup group stage match. On Polymarket, a user named "betoor619" had built a roughly $1.1 million position when Spain's implied win probability was around 92%, a low-risk, low-return strategy that backfired spectacularly. The result defied models like Goldman Sachs', which gave Spain a 25% championship probability. Cape Verde's 40-year-old goalkeeper, Vozinha, was the hero with seven key saves. The event highlights the growing scale of crypto-based prediction markets like Polymarket, where total trading volume for this single match reached $64 million.

marsbit12 min fa

World Cup Upset! Polymarket User Loses Nearly $1 Million

marsbit12 min fa

The U.S. Government Blocked the Anthropic Model. It Wasn't About 'Jailbreaking' at All.

Last Friday, the U.S. Commerce Department issued an enforcement letter that forced Anthropic to take its two most advanced AI models, Fable 5 and Mythos 5, offline. The stated reason was unspecified national security concerns, initially linked to potential "jailbreaks" of the models' safeguards. However, new details suggest the action stemmed more from a deteriorating relationship between the Trump administration and Anthropic, rather than a genuine technical threat. According to reports, the government cited a little-known export control regulation, compelling Anthropic to block access for all non-U.S. persons, including its own international employees. The company complied, shutting down the models without a court order or specific technical details from the government. Cybersecurity expert Katie Moussouris revealed she was privately shown a research paper detailing a potential safeguard bypass in Fable 5. She argued the described method was minor and did not warrant an export ban, stating that attempts to "fix" it would only weaken the model's defensive capabilities. Moussouris and other experts have since called for the order to be revoked, warning it dangerously removes advanced cybersecurity tools from U.S. defenders. Analysts like Justin Hendrix suggest the move appears retaliatory and sets a dangerous precedent, signaling that the U.S. government can unilaterally shut down a tech company's products. The incident has raised concerns about the reliability of American AI and the potential for political interference in the tech industry, serving as a warning to the broader sector.

marsbit15 min fa

The U.S. Government Blocked the Anthropic Model. It Wasn't About 'Jailbreaking' at All.

marsbit15 min fa

Ray Dalio: AI Bull Market Continues to Soar, Should Investors Go All In or Cash Out and Leave the Field?

In his latest notes, Ray Dalio addresses a critical question for investors amid the AI-driven stock market surge: how should one allocate assets during a transformative technological revolution? Dalio emphasizes that technological advancement does not automatically make related stocks attractive. Historical tech cycles—marked by excitement, crowding, volatility, and eventual shakeouts—show that even long-term winners like Microsoft and Apple experienced severe drawdowns. Today's AI sector faces similar uncertainties: overinvestment, intensifying competition, geopolitical tensions (e.g., Taiwan's chip supply), tax policy shifts, anti-AI sentiment, and potential disruption from future technologies like quantum computing. Dalio's core argument focuses on the highly concentrated market structure, where a few tech giants dominate major indices. He warns investors against unknowingly holding concentrated, correlated exposures. Instead of chasing a handful of AI leaders, he advocates for a robust, diversified portfolio of 15 or more high-quality, uncorrelated investments, risk-balanced to match an investor's volatility tolerance. Mathematically, such diversification significantly improves the risk-return ratio—for example, holding 15 uncorrelated assets can boost the ratio by over four times compared to a single concentrated bet. Dalio cautions that future equity returns appear low, with his bubble indicator suggesting real returns could be negative over the next 5-10 years. He stresses that knowing what you don't know is as important as knowing what you do. In an environment of high uncertainty and concentration, avoiding large, concentrated bets on AI stocks is prudent. The optimal strategy is disciplined diversification—the "holy grail" of investing—to navigate this technologically driven cycle with lower risk and comparable or better returns.

marsbit19 min fa

Ray Dalio: AI Bull Market Continues to Soar, Should Investors Go All In or Cash Out and Leave the Field?

marsbit19 min fa

Trading

Spot

Futures

Articoli Popolari

Come comprare ZEC

Benvenuto in HTX.com! Abbiamo reso l'acquisto di Zcash (ZEC) semplice e conveniente. Segui la nostra guida passo passo per intraprendere il tuo viaggio nel mondo delle criptovalute.Step 1: Crea il tuo Account HTXUsa la tua email o numero di telefono per registrarti il tuo account gratuito su HTX. Vivi un'esperienza facile e sblocca tutte le funzionalità,Crea il mio accountStep 2: Vai in Acquista crypto e seleziona il tuo metodo di pagamentoCarta di credito/debito: utilizza la tua Visa o Mastercard per acquistare immediatamente ZcashZEC.Bilancio: Usa i fondi dal bilancio del tuo account HTX per fare trading senza problemi.Terze parti: abbiamo aggiunto metodi di pagamento molto utilizzati come Google Pay e Apple Pay per maggiore comodità.P2P: Fai trading direttamente con altri utenti HTX.Over-the-Counter (OTC): Offriamo servizi su misura e tassi di cambio competitivi per i trader.Step 3: Conserva Zcash (ZEC)Dopo aver acquistato Zcash (ZEC), conserva nel tuo account HTX. In alternativa, puoi inviare tramite trasferimento blockchain o scambiare per altre criptovalute.Step 4: Scambia Zcash (ZEC)Scambia facilmente Zcash (ZEC) nel mercato spot di HTX. Accedi al tuo account, seleziona la tua coppia di trading, esegui le tue operazioni e monitora in tempo reale. Offriamo un'esperienza user-friendly sia per chi ha appena iniziato che per i trader più esperti.

262 Totale visualizzazioniPubblicato il 2024.12.12Aggiornato il 2026.06.02

Discussioni

Benvenuto nella Community HTX. Qui puoi rimanere informato sugli ultimi sviluppi della piattaforma e accedere ad approfondimenti esperti sul mercato. Le opinioni degli utenti sul prezzo di ZEC ZEC sono presentate come di seguito.