Four Questions on the Zcash Orchard Vulnerability: Was It Exploited? Can Funds Be Recovered? Is the Supply Verifiable? And Are There Others?

marsbitPublished on 2026-06-15Last updated on 2026-06-15

Abstract

Zcash Orchard Bug: Four Key Questions Answered A critical forgery vulnerability was discovered in Zcash's Orchard privacy pool, raising four major concerns for users. 1. **Was the Orchard bug exploited?** The likelihood is considered low. The bug was found proactively using advanced AI-assisted tools and was promptly patched, limiting any potential attack window. If exploitation had occurred, evidence would likely have surfaced by now. 2. **Can legitimate Orchard funds be recovered?** It is believed so, based on the assessment that the bug was not exploited. If forgery did happen, existing "turnstile" mechanisms could prevent full recovery of legitimate funds if forged coins were moved out first, though this scenario is deemed unlikely. Users can choose to move funds, but this carries risks like loss of privacy or new wallet/software issues. 3. **Can users verify Zcash's total supply?** Currently, no. The vulnerability's prior existence prevented independent verification of the shielded supply. The proposed "Ironwood" network upgrade will restore this ability by sealing the Orchard pool, allowing anyone running a node to verify that the circulating ZEC does not exceed the correct amount. 4. **Are there other forgery bugs?** Ongoing intensive audits by multiple teams, including AI-assisted analysis, have not found additional forgery vulnerabilities, increasing confidence that none remain. Further work and collaborations are planned to provide additional guarantees. In co...

Original Authors: Jason McGee, CEO of Shielded Labs; Zooko Wilcox, Founder of Zcash

Compiled | Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng 888 )

Editor's Note: On June 5th, Beijing time, the privacy project Zcash was reported to have had a critical forging vulnerability in its new-generation privacy pool, Orchard. The price of Zcash's native token, ZEC, plummeted by nearly half, hitting a low of around $250. After about ten days of developments, market panic has somewhat subsided, and the price of ZEC has rebounded, returning to $500 today.

This morning, Zcash founder Zooko Wilcox published another lengthy article responding to key market concerns. He stated that it is highly likely the Orchard vulnerability was not previously exploited, and legitimate Orchard funds can be recovered. Currently, users cannot independently verify whether the Zcash supply exceeds its limit, but the upcoming Ironwood upgrade will seal the Orchard pool, restoring this verification capability. Ongoing audits have not uncovered other forging vulnerabilities, but absolute certainty requires more work.

Below is the full text by Zooko Wilcox, compiled by Odaily Planet Daily, enjoy~

————————————

The recent Orchard vulnerability has raised critical questions about Zcash's supply and user fund safety. The discussion has conflated several distinct issues, making it difficult to understand the practical impact of the vulnerability on users. This article attempts to separate these questions and explain what each means for users.

The Orchard vulnerability raises four major questions:

Was the Orchard vulnerability ever exploited?
Can legitimate Orchard funds be recovered?
Can users verify that the Zcash supply has not been inflated?
How do we know there aren't other forging vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We consider it unlikely that it was exploited previously, though we cannot rule it out entirely. We believe the vulnerability likely went unused for three reasons:

Despite years of continuous scrutiny by top cryptographers and security researchers worldwide, the vulnerability was not previously discovered. Its discovery was not accidental; it was found by Taylor Hornby of Shielded Labs with the express purpose of proactively identifying such security flaws before malicious actors could. Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to find subtle flaws others might miss, a task that would be more difficult for those not deeply familiar with the Zcash codebase.

Upon discovery, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deployed a fix, limiting any potential attack window.

Cryptocurrency exploits are common, and attackers typically cash out as quickly as possible, especially after a vulnerability is made public. For an attacker to profit from this vulnerability, they would need to exchange forged ZEC for valuable assets, which usually involves moving ZEC out of the Orchard pool via the turnstile mechanism. Had the vulnerability been exploited before the fix, we would expect evidence to have surfaced by now. Historically, cryptocurrency exploits tend to be "smash-and-grab" operations rather than "4D chess" strategies hidden for months or years.

Can legitimate Orchard funds be recovered?

We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

Conversely, if forging did occur within Orchard, the existing turnstile mechanism limits the total migrated amount to the number of ZEC that legitimately entered the pool. Therefore, if forged funds are migrated before legitimate funds, users may be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, moving their ZEC out of Orchard is still advised. Before doing so, they should understand the following:

Moving funds to a transparent pool (i.e., to a t-address) exposes both the transaction amount and the time of the transaction, and the funds become publicly linked to that t-address.
Moving funds from the Orchard pool to the Sapling pool exposes the transaction amount and time, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on the security of this trusted setup is an additional risk users should be aware of.
To our knowledge, YWallet and Zkool are currently the only widely used, self-custodial Zcash wallets that support the Sapling pool.
Moving funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.

Overall, we consider these risks moderate. If your funds are currently in a shielded, self-custodial wallet, leaving them there is a reasonable choice, given our assessment that prior forging is unlikely. If you have a secure way to move them, that may also be reasonable. Users may arrive at different conclusions based on their own circumstances.

Can users verify that the Zcash supply has not been inflated?

Not currently. The prior existence of the vulnerability prevents users from independently verifying that the ZEC circulating in the current shielded pools does not exceed the correct amount.

However, as we indicated in our previous post, the Ironwood upgrade restores this ability. The diagram below illustrates why.

The proposed network upgrade addresses this by adding a guarantee that "no further unknown forging vulnerabilities exist" and by sealing the Orchard pool. New funds cannot enter, and funds within the pool cannot circulate. The only remaining path is exiting via the existing turnstile mechanism, which ensures that no more ZEC leaves the Orchard pool than legitimately entered it.

This change restores the ability to verify the soundness of Zcash's supply.

Currently, if forged funds exist within the Orchard pool, they can continue to circulate within it. After the upgrade, this is no longer possible. Regardless of whether forging occurred, anyone running a node can verify that no more ZEC is circulating than the correct amount.

Users don't need to wait for funds to migrate out of Orchard or speculate on potential actions by attackers or other users. The protocol itself provides a verifiable guarantee: excess ZEC cannot continue circulating within Orchard to inflate the supply.

This is crucial because Zcash's long-term credibility depends on users' ability to independently verify the soundness of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limit is enforced.

How do we know there aren't other forging vulnerabilities?

We can't be completely certain yet, but we have reason to believe none exist. Shielded Labs and multiple other teams have been meticulously auditing the Zcash protocol for other forging vulnerabilities. This includes using a not-yet-released Mythos AI model, with assistance from Anthropic, to search for additional vulnerabilities shortly before Mythos was paused. We plan to share more details about this audit and its findings in a future blog post.

So far, no other forging vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us increased confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are collaborating with projects like the Tachyon Project to provide additional assurance that no more forging vulnerabilities exist in Zcash. We will elaborate on this in future posts as well.

Conclusion

The Orchard vulnerability presents four key questions: Was it exploited? Can legitimate Orchard funds be recovered? Can users verify Zcash's supply hasn't been inflated? And are there other undiscovered forging vulnerabilities?

We believe prior exploitation is unlikely, therefore legitimate Orchard funds are recoverable, and the current Zcash supply is safe. Based on ongoing audits by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered forging vulnerabilities exist. However, users cannot currently verify the security of Zcash's supply, and they shouldn't have to rely on our assessment—or anyone else's.

The proposed network upgrade solves this. By sealing the Orchard pool, it restores users' ability to independently verify the security of Zcash's supply. Users no longer need to judge whether forging occurred to verify that the protocol's supply limit is being obeyed.

As the US and Japan Hike Interest Rates, Which Asset Class is Most at Risk?

This week, global markets face two major events: the Bank of Japan's likely interest rate hike and the US Federal Reserve's FOMC meeting. For risk assets, it is a pivotal and volatile week. In the US, expectations for rate cuts have faded dramatically. May's higher-than-expected CPI and resilient jobs data have shifted the Fed's focus from potential cuts to the possibility of future hikes. New Fed Chair Wash is unlikely to raise rates at this meeting, but any hawkish shift in communication, the dot plot, or the policy statement could lead markets to price in tighter policy, pushing up short-term Treasury yields and strengthening the dollar. High-valuation growth stocks, AI-related assets, and small-cap stocks reliant on cheap funding are most vulnerable to rising rates. In Japan, a 25 basis point hike is almost fully priced in (98.3% probability), which would bring the policy rate to 1%, its highest since 1995. The concern is not the hike itself, but its potential to unwind the massive "carry trade," where investors borrowed low-yielding yen to invest globally. Historically, Japan's rate hikes have coincided with global market stress (2000, 2007, 2024). While this well-telegraphed hike may be digested smoothly, two key factors increase uncertainty: 1) Governor Ueda's absence due to illness, putting communication in the hands of less-familiar deputies, and 2) the Fed meeting occurring just days later, creating potential for a compounded market reaction if both central banks sound hawkish. Asset implications: * **Bonds:** US short-term yields sensitive to Fed signals. Japan's rate hike could pressure its massive US Treasury holdings. * **Currencies:** Dollar likely supported by Fed; Yen's reaction hinges on BoJ's forward guidance. * **Equities:** US growth stocks, small-caps most at risk. Japanese stocks face pressure from a stronger yen. * **Crypto:** Assets like Bitcoin face headwinds from higher rates and tighter liquidity; high-beta altcoins are even more vulnerable. The convergence of these two central bank meetings amplifies market volatility risks, with potential spillovers across asset classes globally.

marsbit9m ago

As the US and Japan Hike Interest Rates, Which Asset Class is Most at Risk?

marsbit9m ago

Data Decrypts the BTC Cycle: Three Major Bottom Signals Illuminate Simultaneously, Q4 Could Be a Crucial Turning Point Window?

"Decoding the Bitcoin Cycle: Three Bottom Signals Flash Simultaneously, Is Q4 the Key Turning Point?" The article analyzes Bitcoin's current market position, comparing it to historical cycles. BTC has corrected over 52% from its October 2025 peak of $126,198 to around $59,100 in June 2026. While significant, this drawdown is milder than the 77-86% declines seen in past bear markets. The analysis is framed within Bitcoin's four-year halving cycle. Past cycles show a pattern: prices peak 12-18 months post-halving, bottom 12-14 months after the peak, with lows typically occurring roughly 17 months before the next halving. Following the April 2024 halving and the October 2025 peak, this pattern suggests a potential bottoming window around Q4 2026, ahead of the expected 2028 halving. Three key on-chain metrics are signaling undervaluation: The MVRV Z-Score has dropped near 0.27, approaching historic bottom zones. The market price is only about 9% above the network's average realized price of ~$53,600, a rare low premium. Bitcoin's price recently touched its 200-week moving average (~$62,200), a level that aligned with bottoms in 2015, 2018, and 2020. While US spot Bitcoin ETFs saw record outflows in May/June 2026, indicating retail panic, whale addresses (holding 100+ BTC) reached a yearly high. Entities like MicroStrategy resumed buying, and long-term holders control a near-record 78% of the supply, suggesting accumulation. A major macro overhang was partially removed with a US-Iran ceasefire agreement in mid-June 2026, which eased oil prices and triggered a sharp BTC rally. However, persistent inflation means high-interest rates remain a constraint. The conclusion notes that genuine investment opportunities often arise when confidence is lowest, amidst narratives that "this time is different." While not guaranteeing an immediate bottom, the confluence of cycle timing, undervaluation signals, and shifting macro risks suggests late 2026 may be a critical period for reassessing risk/reward and patient accumulation for long-term believers.

marsbit9m ago

Data Decrypts the BTC Cycle: Three Major Bottom Signals Illuminate Simultaneously, Q4 Could Be a Crucial Turning Point Window?

marsbit9m ago

NVIDIA's $20 Billion Bond Issuance Adds Fuel to the Story of Bitcoin Miners Transitioning to AI

Nvidia is reportedly joining the AI bond issuance wave, planning to raise at least $20 billion through a multi-tranche bond offering. This financing move underscores sustained high market demand for AI infrastructure and data centers. It also highlights a growing trend among Bitcoin miners, who are pivoting to repurpose their high-power facilities and existing energy agreements into high-performance computing and AI hosting sites. Companies like HIVE Digital, TeraWulf, Hut 8, and CleanSpark are shifting their business models from solely relying on Bitcoin mining revenue to becoming providers of data center computing power. The primary driver for this transition is the increasingly challenging economics of Bitcoin mining, especially following the April 2024 halving event. The combination of the halving, persistently high mining difficulty, and operational costs has severely squeezed profit margins, leading miners to sell BTC reserves and seek alternative revenue streams. Analysts note that major mining firms are expected to increasingly transform into AI infrastructure suppliers, capitalizing on the ongoing AI construction boom to secure new growth opportunities.

marsbit39m ago

NVIDIA's $20 Billion Bond Issuance Adds Fuel to the Story of Bitcoin Miners Transitioning to AI

marsbit39m ago

The Shutdown of Claude Mythos Revealed the True Cost of Renting AI to Me

The sudden shutdown of Claude Mythos this week starkly highlights a critical, often overlooked risk for founders: when your core capability relies entirely on someone else's platform, your fate is not in your own hands. The key question becomes: who truly owns the intelligence your product depends on? For years, the debate around open-source models focused on cost. Now, the evidence is clear: fine-tuned open-source models can achieve frontier-level quality for specific, mission-critical tasks at a fraction of the cost. However, the deeper issue is control. Relying on a third-party API is like renting; it works until the landlord changes the rules, raises the rent, or asks you to leave—as Mythos experienced. The lesson is not to stop using frontier models—they are incredible infrastructure. The goal is ownership. Ownership means starting with a powerful open-source model and shaping it around what makes your company unique: your data, workflows, domain expertise, and definition of "good." Over time, the model becomes less generic and more reflective of your business, creating durable value. The optimistic conclusion is that AI's future doesn't hinge on one superior model. There is no single frontier. The frontier includes proprietary models, models fine-tuned on company-specific knowledge, specialized models for narrow problems, and intelligent routers orchestrating model ensembles. The most interesting development is not models getting smarter, but intelligence becoming increasingly customizable. The winning companies will be those that transform intelligence into a unique, owned asset. Looking ahead, the vision is not one model dominating all, but many teams owning the part of the frontier that matters most to them.

marsbit57m ago

The Shutdown of Claude Mythos Revealed the True Cost of Renting AI to Me

marsbit57m ago

Tiger Research: U.S. Strategic Bitcoin Reserve - Should the Market Be Happy or Disappointed?

Tiger Research analyzes the evolution of U.S. legislative efforts regarding a strategic Bitcoin reserve, concluding the market impact is limited in the short term but potentially positive long-term. The core event was a March 2025 executive order by former President Trump, which designated confiscated Bitcoin as a strategic reserve and promised not to sell existing holdings (approx. 190k BTC). As it contained no mandate to purchase new Bitcoin, the market reacted negatively, with prices dropping 5.7%. Legislative history shows a significant retreat from initial ambitions. The 2024 "BITCOIN Act" proposed mandatory purchases of 1 million BTC over five years. Reintroduced in 2025, it stalled due to high fiscal costs, concerns over dollar hegemony, and opposition from the Treasury Secretary. The current frontrunner, the 2026 "American Retirement and Monetary Advancement (ARMA) Act," is a compromise. It lacks any purchase requirement, instead focusing on consolidating existing government-held Bitcoin and legally prohibiting its sale for at least 20 years. While ARMA has higher passage odds due to bipartisan support and no purchase mandate, its immediate market effect is neutral. It eliminates potential government selling pressure but creates no new demand. The long-term significance is that formally establishing Bitcoin as a national reserve asset in law could later reignite debates on mandatory purchases. Therefore, the path to a government buyer is longer than initially priced by the market, but the directional narrative remains intact.

marsbit59m ago