Four Questions on the Zcash Orchard Vulnerability: Was it Exploited? Can Funds Be Recovered? Is the Supply Verifiable? Are There Others?

Odaily星球日报Published on 2026-06-15Last updated on 2026-06-15

Abstract

**Summary: Zcash Orchard Vulnerability Analysis** A critical forgery vulnerability was recently discovered in Zcash's Orchard shielded pool, raising concerns about the coin's supply and user funds. The developers, led by Zcash Open Development Labs, acted swiftly to temporarily freeze the pool and deploy a fix. The article addresses four key questions: 1. **Was the vulnerability exploited?** While unknown, the developers believe it is unlikely for several reasons: the bug was difficult to find, using advanced AI tools; the fix was deployed quickly; and typical crypto exploits are fast, with no evidence of abnormal outflows. 2. **Can legitimate Orchard funds be recovered?** If the bug was not exploited, all funds are safe. If exploited, a mechanism limits total withdrawals from the pool to the amount legitimately entered, potentially blocking some legitimate funds. The developers deem this unlikely but advise cautious users to consider moving funds, noting the privacy and risk trade-offs of moving to transparent or Sapling pools. 3. **Can users verify Zcash's total supply?** Not currently. The vulnerability temporarily broke the ability for users to independently verify that no extra ZEC was created. 4. **Are there other forgery bugs?** Ongoing audits by multiple teams, including using advanced AI analysis, have so far found no others, increasing confidence. The proposed "Ironwood" network upgrade is the core solution. It will **seal** the Orchard pool, preventing ne...

Original Authors: Jason McGee, CEO of Shielded Labs, and Zooko Wilcox, Founder of Zcash

Compiled by|Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng 888 )

Editor's Note: On June 5th, Beijing time, privacy project Zcash was revealed to have had a critical counterfeiting vulnerability in its new-generation privacy pool, Orchard. The Zcash token, ZEC, briefly plummeted by half, hitting a low near $250. After about ten days of developments, market panic has somewhat subsided, ZEC's price has recovered somewhat, and it returned to $500 today.

This morning, Zcash founder Zooko Wilcox once again published a lengthy post responding to market concerns. He stated that the Orchard vulnerability was likely not previously exploited, and legitimate Orchard funds can be recovered; currently, users cannot independently verify whether the Zcash supply has been inflated, but the Ironwood upgrade will seal the Orchard pool, restoring this verification capability; ongoing audits have not discovered other counterfeiting vulnerabilities, but more work is needed to be completely certain.

The following is the original text by Zooko Wilcox, compiled by Odaily Planet Daily, enjoy~

————————————

The recent Orchard vulnerability has raised important questions about Zcash's supply and the safety of user funds. The discussion has mingled several distinct issues, making it difficult to understand the actual impact of the vulnerability on users. This article attempts to separate these questions and explain what they each mean for users.

The Orchard vulnerability raises four important questions:

  1. Was the Orchard vulnerability ever exploited?
  2. Can legitimate Orchard funds be recovered?
  3. Can users verify that Zcash's supply has not been inflated?
  4. How do we know there are no other counterfeiting vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We believe it's unlikely to have been exploited before, though we cannot rule it out entirely. We think the vulnerability was likely *not* exploited for three reasons:

Despite years of ongoing review by many of the world's top cryptographers and security researchers, the vulnerability was not previously discovered. Its eventual discovery was not accidental; it was found by Taylor Hornby of Shielded Labs with the explicit purpose of proactively identifying such security vulnerabilities before a malicious attacker could. Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to find subtle flaws that others might miss. Doing this would be even more difficult for someone not deeply familiar with the Zcash codebase.

Once the vulnerability was discovered, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deployed a fix, thereby limiting the opportunity window for any attack.

Cryptocurrency exploits are common, and attackers typically seek to cash out as quickly as possible, especially after a vulnerability becomes public. For an attacker to profit from this vulnerability, they would need to exchange counterfeit ZEC for valuable assets, which would typically involve ZEC leaving the Orchard pool via the turnstile mechanism. If the vulnerability had been exploited before the fix, we would expect to have seen evidence by now. Historically, cryptocurrency exploits are usually "smash-and-grab" operations, not "4D chess" strategies hidden for months or years.

Can legitimate Orchard funds be recovered?

We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

On the other hand, if counterfeiting *did* occur in Orchard, the existing turnstile mechanism would limit the total amount migrated to the amount of ZEC that legitimately entered the pool. Therefore, if counterfeit funds were migrated ahead of legitimate funds, users would be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, moving their ZEC out of Orchard is still advised. But before doing so, they should understand the following:

  • Moving funds to a transparent pool (i.e., to a t-address) reveals both the amount and the timing of the transfer, and these funds become publicly linked to that t-address.
  • Moving funds from the Orchard pool to the Sapling pool reveals the amount and timing of the transfer, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
  • The Sapling pool relies on a trusted setup ceremony performed in 2018. Relying on the security of that trusted setup is an additional risk users should note.
  • To our knowledge, YWallet and Zkool are currently the only widely used, self-custody Zcash wallets that support the Sapling pool.
  • Moving funds to a new wallet or a custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen problems.

Overall, we consider the above risks moderate. If your funds are currently in a shielded, self-custody wallet, leaving them there is a reasonable choice given our assessment that prior counterfeiting was unlikely. If you have a secure way to move them elsewhere, that could also be reasonable. Users may reasonably reach different conclusions based on their circumstances.

Can users verify that Zcash's supply has not been inflated?

Not yet. The prior existence of this vulnerability meant users could not independently verify that the ZEC circulating in the current shielded pools did not exceed the correct amount.

However, as we noted in a previous post, the Ironwood upgrade restores this capability. The diagram below illustrates why.

The proposed network upgrade addresses this by adding the guarantee that "no more unknown counterfeiting vulnerabilities exist" and by sealing the Orchard pool. New funds can no longer enter, and funds within the pool can no longer circulate. The only remaining path is to leave via the existing turnstile mechanism, which ensures that no more ZEC can leave the Orchard pool than legitimately entered it.

This change restores the ability to verify the soundness of the Zcash supply.

Currently, if counterfeit funds exist in the Orchard pool, they can continue to circulate within the pool. After the upgrade, this is no longer possible. Regardless of whether counterfeiting ever happened, anyone running a node will be able to verify that no more ZEC is in circulation than the correct amount.

Users won't need to wait for funds to migrate out of Orchard, or infer what attackers or other users might have done. The protocol itself provides a verifiable guarantee that excess ZEC cannot continue circulating within Orchard and inflating the supply.

This is important because Zcash's long-term credibility depends on users being able to independently verify the soundness of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limit is being enforced.

How do we know there are no other counterfeiting vulnerabilities?

We are not yet completely certain, but we have reasons to believe there are none. Shielded Labs and multiple other teams have been carefully reviewing the Zcash protocol for additional counterfeiting vulnerabilities. This includes using a yet-to-be-released Mythos AI model to search for additional vulnerabilities, with help from Anthropic, shortly before Mythos was paused. We plan to share more details about this review and its findings in a follow-up blog post.

So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us greater confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are working with projects like the Tachyon Project to provide additional assurance that there are no more counterfeiting vulnerabilities in Zcash. We will elaborate on this in future blog posts as well.

Conclusion

The Orchard vulnerability presents four important questions: Was the vulnerability exploited, can legitimate Orchard funds be recovered, can users verify that Zcash's supply has not been inflated, and are there other undiscovered counterfeiting vulnerabilities.

We believe it was likely not exploited previously, and therefore legitimate Orchard funds are recoverable and the current Zcash supply is safe. We are also increasingly confident, based on ongoing reviews by multiple independent researchers and teams, that there are no other undiscovered counterfeiting vulnerabilities. However, users currently cannot verify the safety of the Zcash supply, and they should not have to rely on our assessment—or anyone else's.

The proposed network upgrade solves this. By sealing the Orchard pool, it restores users' ability to independently verify the safety of the Zcash supply. Users no longer need to judge whether counterfeiting occurred in order to verify that the protocol's supply limits are being upheld.


Related Questions

QAccording to the article, why is it unlikely that the Orchard forgery vulnerability was exploited before its discovery?

AThe article cites three main reasons. First, the bug evaded detection by top cryptographers for years and was only found using advanced AI-assisted tools by a dedicated researcher. Second, developers reacted swiftly to freeze the pool and deploy a fix, limiting any potential attack window. Third, crypto exploits are typically 'smash-and-grab' operations for immediate profit, and no evidence of such activity (like ZEC exiting the pool) has been observed.

QWhat action does the proposed Ironwood network upgrade take regarding the Orchard pool?

AThe Ironwood upgrade will seal the Orchard pool. This means no new funds can enter it, and funds already inside cannot circulate. The only remaining action is for funds to exit through the existing turnstile mechanism.

QHow does sealing the Orchard pool restore users' ability to verify Zcash's supply integrity?

ASealing the pool prevents any potential forged ZEC from continuing to circulate and inflate the supply. After the upgrade, anyone running a node can verify that the total ZEC in circulation does not exceed the correct amount, as no extra ZEC can remain active within Orchard.

QWhat are the potential privacy implications for a user moving funds out of the Orchard pool to a transparent (t-address) or Sapling pool?

AMoving to a transparent (t) address exposes both the transaction amount and timing, and publicly links those funds to that address. Moving to the Sapling pool exposes the transaction amount and timing, but does not link the funds to a specific address or transaction history. However, Sapling relies on a 2018 trusted setup ceremony, which is an additional security consideration.

QWhat is the current state of knowledge regarding other undiscovered forgery vulnerabilities in Zcash, as stated in the article?

AThe article states that ongoing, intensive reviews by multiple teams using high-level expertise and advanced AI analysis have not found any other forgery bugs so far. This provides increased confidence, but they cannot be completely certain until more work is done. Collaborations are underway to provide further guarantees.

Related Reads

Hormuz Strait Reopening: Will the Fed Turn "Dovish" and the Market Reprice "Rate Cuts"?

The article outlines two key factors that may lead the U.S. Federal Reserve, under Chair Wash, to adopt a more dovish stance at the upcoming FOMC meeting. First, the anticipated reopening of the Strait of Hormuz is expected to ease oil and energy prices, thereby reducing upward inflationary pressures. This shift could lead the Fed to view energy prices as a neutral or even deflationary factor. Second, recent core CPI data showed significant cooling, with a monthly increase of only 0.21%, contrasting with the still-strong core PCE. This divergence supports a dovish interpretation. Market implications are significant. While the FOMC is expected to remove "easing bias" language and project unchanged rates for the year—moves already priced in—Chair Wash's potential for more dovish commentary presents an upside risk. Consequently, there is room for the market to further price out remaining hike expectations and increase expectations for rate cuts. The report notes that the 2-year Treasury yield, though down recently, remains well above February levels, indicating further potential downside as inflation risks fade.

marsbit3m ago

Hormuz Strait Reopening: Will the Fed Turn "Dovish" and the Market Reprice "Rate Cuts"?

marsbit3m ago

pump.fun's New Feature Brings 'Black Mirror' Into Reality

The article begins by recounting a dark fictional story from *Black Mirror* (Season 7, Episode 1 "Common People"), where a man is forced to perform humiliating tasks online to pay for his wife's life-sustaining medical subscription. It then draws a parallel to a new real-world feature on the crypto platform pump.fun called "Pump.fun Go," which allows users to post and complete paid bounty tasks. This feature gained mainstream attention, often negatively, through extreme examples. A prominent case involved a bounty of 40 SOL (~$2,600) offered to permanently tattoo "$bountywork" on one's forehead. An Indian man completed the task, stating the money "changed his life," and later earned significantly more from a related meme coin. Another bounty paid 200 SOL (~$14,000) for a "bounty.fun" forehead tattoo, with the participant simply stating, "We need the money." The article highlights how this system can amplify darkness, citing the dev behind $Bountywork who spent thousands on bounties for attention-grabbing stunts like eating bugs or drinking hot sauce for small sums. It compares this to past tragic live-streaming incidents where people harmed themselves for money, noting regulation cannot stop those in desperate need. However, it also points to positive, altruistic bounties that have emerged, such as organizing anti-work rallies in New York, performing random acts of kindness for strangers, organizing community food drives, or even helping an elderly person cross the street. The piece concludes by acknowledging the platform reflects both the dark and light sides of human nature when actions are given a price, hoping for more of the latter.

marsbit4m ago

pump.fun's New Feature Brings 'Black Mirror' Into Reality

marsbit4m ago

As the US and Japan Hike Interest Rates, Which Asset Class is Most at Risk?

This week, global markets face two major events: the Bank of Japan's likely interest rate hike and the US Federal Reserve's FOMC meeting. For risk assets, it is a pivotal and volatile week. In the US, expectations for rate cuts have faded dramatically. May's higher-than-expected CPI and resilient jobs data have shifted the Fed's focus from potential cuts to the possibility of future hikes. New Fed Chair Wash is unlikely to raise rates at this meeting, but any hawkish shift in communication, the dot plot, or the policy statement could lead markets to price in tighter policy, pushing up short-term Treasury yields and strengthening the dollar. High-valuation growth stocks, AI-related assets, and small-cap stocks reliant on cheap funding are most vulnerable to rising rates. In Japan, a 25 basis point hike is almost fully priced in (98.3% probability), which would bring the policy rate to 1%, its highest since 1995. The concern is not the hike itself, but its potential to unwind the massive "carry trade," where investors borrowed low-yielding yen to invest globally. Historically, Japan's rate hikes have coincided with global market stress (2000, 2007, 2024). While this well-telegraphed hike may be digested smoothly, two key factors increase uncertainty: 1) Governor Ueda's absence due to illness, putting communication in the hands of less-familiar deputies, and 2) the Fed meeting occurring just days later, creating potential for a compounded market reaction if both central banks sound hawkish. Asset implications: * **Bonds:** US short-term yields sensitive to Fed signals. Japan's rate hike could pressure its massive US Treasury holdings. * **Currencies:** Dollar likely supported by Fed; Yen's reaction hinges on BoJ's forward guidance. * **Equities:** US growth stocks, small-caps most at risk. Japanese stocks face pressure from a stronger yen. * **Crypto:** Assets like Bitcoin face headwinds from higher rates and tighter liquidity; high-beta altcoins are even more vulnerable. The convergence of these two central bank meetings amplifies market volatility risks, with potential spillovers across asset classes globally.

marsbit9m ago

As the US and Japan Hike Interest Rates, Which Asset Class is Most at Risk?

marsbit9m ago

Data Decrypts the BTC Cycle: Three Major Bottom Signals Illuminate Simultaneously, Q4 Could Be a Crucial Turning Point Window?

"Decoding the Bitcoin Cycle: Three Bottom Signals Flash Simultaneously, Is Q4 the Key Turning Point?" The article analyzes Bitcoin's current market position, comparing it to historical cycles. BTC has corrected over 52% from its October 2025 peak of $126,198 to around $59,100 in June 2026. While significant, this drawdown is milder than the 77-86% declines seen in past bear markets. The analysis is framed within Bitcoin's four-year halving cycle. Past cycles show a pattern: prices peak 12-18 months post-halving, bottom 12-14 months after the peak, with lows typically occurring roughly 17 months before the next halving. Following the April 2024 halving and the October 2025 peak, this pattern suggests a potential bottoming window around Q4 2026, ahead of the expected 2028 halving. Three key on-chain metrics are signaling undervaluation: The MVRV Z-Score has dropped near 0.27, approaching historic bottom zones. The market price is only about 9% above the network's average realized price of ~$53,600, a rare low premium. Bitcoin's price recently touched its 200-week moving average (~$62,200), a level that aligned with bottoms in 2015, 2018, and 2020. While US spot Bitcoin ETFs saw record outflows in May/June 2026, indicating retail panic, whale addresses (holding 100+ BTC) reached a yearly high. Entities like MicroStrategy resumed buying, and long-term holders control a near-record 78% of the supply, suggesting accumulation. A major macro overhang was partially removed with a US-Iran ceasefire agreement in mid-June 2026, which eased oil prices and triggered a sharp BTC rally. However, persistent inflation means high-interest rates remain a constraint. The conclusion notes that genuine investment opportunities often arise when confidence is lowest, amidst narratives that "this time is different." While not guaranteeing an immediate bottom, the confluence of cycle timing, undervaluation signals, and shifting macro risks suggests late 2026 may be a critical period for reassessing risk/reward and patient accumulation for long-term believers.

marsbit9m ago

Data Decrypts the BTC Cycle: Three Major Bottom Signals Illuminate Simultaneously, Q4 Could Be a Crucial Turning Point Window?

marsbit9m ago

NVIDIA's $20 Billion Bond Issuance Adds Fuel to the Story of Bitcoin Miners Transitioning to AI

Nvidia is reportedly joining the AI bond issuance wave, planning to raise at least $20 billion through a multi-tranche bond offering. This financing move underscores sustained high market demand for AI infrastructure and data centers. It also highlights a growing trend among Bitcoin miners, who are pivoting to repurpose their high-power facilities and existing energy agreements into high-performance computing and AI hosting sites. Companies like HIVE Digital, TeraWulf, Hut 8, and CleanSpark are shifting their business models from solely relying on Bitcoin mining revenue to becoming providers of data center computing power. The primary driver for this transition is the increasingly challenging economics of Bitcoin mining, especially following the April 2024 halving event. The combination of the halving, persistently high mining difficulty, and operational costs has severely squeezed profit margins, leading miners to sell BTC reserves and seek alternative revenue streams. Analysts note that major mining firms are expected to increasingly transform into AI infrastructure suppliers, capitalizing on the ongoing AI construction boom to secure new growth opportunities.

marsbit39m ago

NVIDIA's $20 Billion Bond Issuance Adds Fuel to the Story of Bitcoin Miners Transitioning to AI

marsbit39m ago

Trading

Spot
Futures
活动图片

Hot Categoriesright-arrow

Hot Tagsright-arrow