Zcash (ZEC) Plunge

A critical vulnerability in Zcash's Orchard shielded pool, discovered by researcher Taylor Hornby on May 29, 2026, could have allowed an attacker to create an unlimited amount of undetectable counterfeit ZEC. The flaw, involving an under-constrained element in the Orchard circuit, existed from the pool's 2022 activation until an emergency fix was deployed by June 2, 2026. Hornby identified the bug using AI-assisted auditing tools and confirmed its exploitability in a test environment. Due to Orchard's privacy features, which hide transaction amounts and history, there is no cryptographic way to prove whether the vulnerability was exploited before the fix. While Shielded Labs assesses prior exploitation as unlikely, this uncertainty has sparked a debate on proving supply integrity in privacy-preserving systems. In response, Shielded Labs and other developers are exploring a network upgrade, potentially involving a new shielded pool and formal verification of the circuit rules to prevent future vulnerabilities and allow verification of the ZEC supply's integrity. ZEC's price fell nearly 45% following the disclosure.

**When AI Audits the World: From Claude's Discovery of a ZEC Vulnerability, Viewing the Crypto Industry Entering a "Recursive Security Era"** This article examines a pivotal shift in the blockchain security landscape, triggered by the convergence of two events: Anthropic's research on AI's "Recursive Self-Improvement" and Claude Opus 4.8's discovery of a critical vulnerability in Zcash's code. Traditionally, crypto security has relied on human experts and automated tools for periodic audits. However, the article argues AI is transitioning from a mere tool to an active participant in understanding and analyzing complex systems. Claude's ability to identify a subtle flaw in Zcash's zero-knowledge proof system demonstrates AI's potential to dramatically lower the cost and time required for risk discovery. This goes beyond finding a single bug; it signals a change in the very mechanism of how vulnerabilities are found. The core thesis introduces the concept of "Recursive Security," drawing a parallel to Anthropic's "Recursive Self-Improvement." Just as AI can accelerate its own development through feedback loops, security systems are evolving towards a continuous cycle of analysis, risk identification, remediation, and re-analysis. Security is becoming a persistent, evolving capability integrated into a system's lifecycle, rather than a one-time pre-launch audit. This shift is particularly urgent for the crypto industry, where system complexity from Layer-2 networks, modular architectures, and ZK-proofs is growing faster than human analysis capacity. AI excels at the pattern recognition and contextual understanding needed to navigate this complexity. Importantly, the article cautions that AI augments both defenders and potential attackers, accelerating the entire threat landscape. The future competitive advantage may not lie in having zero vulnerabilities, but in having the fastest risk discovery, validation, and response capabilities. The Claude-Zcash incident is thus an early signal of an era where AI-driven, recursive security systems become essential for managing risk in an increasingly complex digital world.

Zcash founder Zooko Wilcox states that the proposed Ironwood upgrade will allow users to independently and immediately verify the correctness of ZEC's circulating supply from its first day of activation. This addresses community concerns following a remediated Orchard vulnerability, shifting focus from proving past counterfeiting to enabling trustless, real-time supply verification. Ironwood will deactivate the old, shielded Orchard pool for new transactions, requiring funds to pass through a turnstile accounting mechanism to enter the new pool. This design, according to Wilcox, will "snuff out" any potential excess ZEC above the legitimate 4.5 million ZEC in Orchard, ensuring the total supply aligns with the known 16 million ZEC (eventually 21 million). Users running a full node can thus verify supply soundness without relying on trust in developers or assumptions about past events. While Wilcox personally believes no counterfeiting occurred, Ironwood is designed to function regardless. If excess ZEC attempts to exit the old pool, the turnstile will block it, both protecting the supply and potentially revealing any past exploit. The upgrade aims to provide definitive, trustless assurance about the current supply state.

Following a severe price crash of over 50% triggered by the discovery of a critical counterfeiting vulnerability in its Orchard privacy pool, Zcash (ZEC) is taking steps to restore confidence. The bug, found by a security researcher using AI, could have allowed undetected creation of fake ZEC tokens. Developers from the Zcash Open Development Lab (ZODL) and others quickly patched the flaw, helping the price rebound over 70%. However, Orchard's privacy features make it impossible to verify if any counterfeit tokens were actually created before the fix. To address this, key ecosystem groups including Shielded Labs and The Zcash Foundation have proposed a new system called Ironwood. Its primary goal is to restore users' ability to independently verify Zcash's total circulating supply. Once activated, node operators could confirm the supply hasn't been tampered with. The Ironwood proposal would also block any new coin minting in the Orchard pool and restrict fund movement through a controlled mechanism. This system could provide evidence on whether the vulnerability was ever exploited. If no excess ZEC attempts to leave the pool, it suggests no counterfeiting occurred. Any attempted exit of fake coins would be blocked and destroyed, publicly revealing any attack while protecting the legitimate supply.

ZEC Co-Founder Addresses Orchard Vulnerability: No Signs of Theft, Plans to Sunset Orchard Pool A security vulnerability was recently discovered in Zcash's Orchard shielded pool, raising key concerns. The primary questions are whether the flaw was exploited, if user funds are safe, whether users can verify the total ZEC supply, and if other similar vulnerabilities exist. Analysis suggests the vulnerability was likely not exploited prior to its discovery. It was found proactively by a researcher using specialized tools, not due to an active breach. The development team and mining pools acted quickly to contain the issue. Typical financially-motivated attacks would likely have left visible on-chain evidence, which has not been observed. User funds in Orchard are considered safe and should be recoverable, assuming no prior exploitation. If the flaw was never used, all legitimate funds can be withdrawn. The article outlines risks associated with moving funds to transparent addresses or other pools, but concludes that leaving assets in place is a reasonable option. Currently, users cannot independently verify that the total ZEC supply hasn't been inflated due to this bug. However, the planned Ironwood network upgrade is designed to resolve this. It will permanently close the Orchard pool to new deposits and internal transfers, allowing only withdrawals. This mechanism will cap total withdrawals at the amount of legitimately deposited funds, enabling anyone to cryptographically verify the supply post-upgrade. Multiple teams, including Shielded Labs, have conducted extensive audits focused on counterfeiting vulnerabilities, assisted by advanced AI tools. No additional flaws of this type have been found so far, increasing confidence that no other similar undisclosed vulnerabilities exist. In summary, evidence indicates the Orchard bug was probably not used, user funds are secure, and no other counterfeiting flaws are currently known. The upcoming Ironwood upgrade will restore users' ability to independently verify the total ZEC supply, closing this chapter.