Zcash Bug Could Have Minted Unlimited ZEC Undetected

bitcoinist | Published 2026-06-05 | Updated 2026-06-05

Article Summary

A critical vulnerability in Zcash's Orchard shielded pool, discovered by researcher Taylor Hornby on May 29, 2026, could have allowed an attacker to create an unlimited amount of undetectable counterfeit ZEC. The flaw, involving an under-constrained element in the Orchard circuit, existed from the pool's 2022 activation until an emergency fix was deployed by June 2, 2026. Hornby identified the bug using AI-assisted auditing tools and confirmed its exploitability in a test environment. Due to Orchard's privacy features, which hide transaction amounts and history, there is no cryptographic way to prove whether the vulnerability was exploited before the fix. While Shielded Labs assesses prior exploitation as unlikely, this uncertainty has sparked a debate on proving supply integrity in privacy-preserving systems. In response, Shielded Labs and other developers are exploring a network upgrade, potentially involving a new shielded pool and formal verification of the circuit rules to prevent future vulnerabilities and allow verification of the ZEC supply's integrity. ZEC's price fell nearly 45% following the disclosure.

A critical vulnerability in Zcash’s Orchard shielded pool could have allowed an attacker to create an unlimited amount of counterfeit ZEC without detection, according to a new disclosure from Zooko Wilcox, Jason McGee and security researcher Taylor Hornby. The flaw was discovered on May 29, remediated through an emergency ecosystem response completed by June 2, and has now triggered a broader debate over how Zcash can prove supply integrity in a privacy-preserving system.

Orchard Flaw Puts Zcash Supply Integrity Under Scrutiny

The vulnerability was found by Hornby, an experienced security engineer hired by Shielded Labs in April 2026 to conduct ongoing security research on the Zcash protocol. According to the disclosure, the mandate was straightforward: find protocol-level weaknesses before adversaries did. Hornby began reviewing Zcash with a combination of traditional security research and newer AI-assisted auditing methods.

The timing was unusually compressed. Shortly after Anthropic released its Opus 4.8 model on May 28, Hornby used it in a targeted review of the Orchard circuit. One day later, he found a critical counterfeiting flaw and disclosed it to Zcash Open Development Lab, or ZODL, whose engineers coordinated the emergency response with other ecosystem participants.

“The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard,” the Shielded Labs post said. “Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated. However, a network upgrade can be deployed to protect users and prove the integrity of the Zcash supply.”

The disclosure states that the bug was “real and exploitable.” Hornby, with the help of Opus 4.8, wrote a complete exploit and tested it in a local regtest environment, where it generated unlimited counterfeit ZEC that could not be detected. The authors said that had the same tool been run on mainnet, it would have generated unlimited, undetectable counterfeit ZEC in Hornby’s mainnet wallet.

Technically, the issue involved an under-constrained element of the Orchard circuit. That made it possible to feed arbitrary false inputs into an elliptic curve multiplication while still passing the multiplication check. The vulnerability existed from Orchard’s activation in May 2022 until the emergency fix was deployed on June 1, 2026.

That timeline is central to the concern. In a transparent ledger, supply irregularities can generally be audited by inspecting public balances and transaction values. Orchard is different by design: it hides amounts and transaction history. That privacy model means the system depends heavily on the correctness of the circuit rules that define valid shielded transactions.

Josh Swihart, founder and CEO of Zcash Open Development Lab, the team behind the creation and launch of Zcash and builder of the Zodl wallet, framed the issue in those terms in a separate post. “A shielded Zcash transaction includes a proof that it followed the protocol’s rules, as defined in the rulebook (the circuit) that defines what constitutes a valid transaction. The Orchard vulnerability was in one of the rules, written loosely enough that it would accept false information and still pass. As a result, the engine could be convinced that a fake transaction was valid.”

Swihart added that the flaw was not in Zcash’s underlying cryptography or the proof engine itself, but in the handwritten rules. In his words, “This was a flaw in the handwritten rules, not in the underlying cryptography or the engine that creates proofs.”

Shielded Labs said prior exploitation appears unlikely, while emphasizing that users should not be asked to rely on that assessment alone. The authors pointed to several reasons for their view: the flaw had evaded years of scrutiny by leading cryptographers, Hornby was specifically hired to find such vulnerabilities, and the response window after discovery was sharply narrowed by the speed of ZODL and the broader Zcash ecosystem.

“The discovery was not accidental—it was the result of a deliberate effort to identify vulnerabilities of this kind before malicious actors could,” the post said. “Taylor is one of the most skilled people in the world at this. He used the most recent AI tools, available only to white-hat security researchers, along with a sophisticated custom-built AI harness and prompts, and worked hard to outrace the attackers. We think he probably succeeded.”

Still, the authors acknowledged the unresolved cryptographic uncertainty. Because of Orchard’s privacy properties and the nature of the bug, they said there is no definitive way to prove solely through cryptography whether the vulnerability was exploited before the fix.

Shielded Labs Eyes New Pool And Formal Verification

To address that, Shielded Labs is exploring a proposed network upgrade with other Zcash developers. The plan would deploy a new shielded pool and enforce turnstile accounting on coins moving from the existing Orchard pool, with the goal of allowing anyone to verify the integrity of the Zcash supply and prove the non-existence of counterfeit ZEC in Orchard. A follow-up post is expected next week with more details, including tradeoffs and implementation mechanics. Any major upgrade would still need community support and the standard governance process before activation.
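A minimal sketch of the turnstile idea mentioned above, as an added example that is not from the article, Shielded Labs or the Zcash code base: value crossing a pool boundary is public even when in-pool amounts are hidden, so anyone can keep a running total and reject a block that would take it below zero. The `PoolLedger` and `audit` names and the sample flows are constructed for illustration; the proposed upgrade's actual mechanics are not described on this page.

```python
# Added illustration: a simplified turnstile ledger. All names are hypothetical.
from dataclasses import dataclass


class TurnstileViolation(Exception):
    """A block would drive the pool's public balance below zero."""


@dataclass
class PoolLedger:
    """Public running total of value held in one shielded pool.

    Amounts inside the pool stay hidden; only the net value crossing the
    pool boundary in each block is public, and that is all the check needs.
    """
    name: str
    balance: int = 0  # smallest currency units

    def apply_block(self, height: int, net_inflow: int) -> int:
        """Apply one block's net flow: positive enters, negative leaves."""
        new_balance = self.balance + net_inflow
        if new_balance < 0:
            # More value is leaving than was ever deposited, so part of it
            # was never backed by a real deposit. Reject the block.
            raise TurnstileViolation(
                f"{self.name}: block {height} would leave {new_balance}")
        self.balance = new_balance
        return new_balance


def audit(pool_name, flows):
    """Replay (height, net_inflow) pairs.

    Returns (balance, None) if every block passes, otherwise
    (balance before the offending block, height of that block).
    """
    ledger = PoolLedger(pool_name)
    for height, net_inflow in flows:
        try:
            ledger.apply_block(height, net_inflow)
        except TurnstileViolation:
            return ledger.balance, height
    return ledger.balance, None


# Constructed sample data, not real chain data.
HONEST = [(1, 100), (2, 50), (3, -120)]
# Same deposits, but withdrawals total 160 against 150 deposited.
INFLATED = [(1, 100), (2, 50), (3, -120), (4, -40)]
```

The check caps how much value can ever leave the pool at what verifiably entered it; it does not flag counterfeit value that stays inside the pool or that exits while honest deposits still cover the withdrawal.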

Swihart said a second Orchard pool could, in principle, be targeted for NU7 at the end of July, though he did not take a fixed position on whether that path should be pursued. He argued that the larger issue is preventing this class of failure from recurring, with formal verification as the strongest answer.

“Formal verification fixes this,” Swihart wrote. “A mathematical proof can be constructed to reduce the parts humans must review to a concise, readable statement of the rules. A computer then checks the entire rulebook to ensure it matches. AI tools can now do the work of writing these proofs.”

Shielded Labs said it is already accelerating proactive security work with Hornby and Anthropic, initiating a project to formally verify the Orchard circuit, and opening searches for a Head of Security and a Cryptographer. The episode leaves Zcash with a difficult but clear path: repair the trust assumptions around Orchard, prove supply integrity where possible, and move future shielded design closer to machine-checked guarantees rather than human-reviewed complexity.

Over the past 24 hours, ZEC has fallen nearly 45% amid the uncertainty. At press time, it was trading at $337.

ZEC trades below the 1.618 Fib again, 1-week chart | Source: ZECUSDT on TradingView.com

Related Q&A

Q: What was the nature of the critical vulnerability discovered in Zcash's Orchard shielded pool?

A: The vulnerability was a critical counterfeiting flaw. An under-constrained element in the Orchard circuit allowed an attacker to feed arbitrary false inputs into an elliptic curve multiplication while still passing the multiplication check, potentially enabling the creation of an unlimited amount of counterfeit ZEC that could not be detected.

Q: Who discovered the vulnerability, and what tools aided in its discovery?

A: The vulnerability was discovered by security researcher Taylor Hornby, who was hired by Shielded Labs. He used a combination of traditional security research and newer AI-assisted auditing methods, specifically employing Anthropic's Opus 4.8 model, released on May 28, in a targeted review of the Orchard circuit, which led to the discovery the next day.

Q: Why is it impossible to cryptographically prove whether the Orchard vulnerability was exploited before it was fixed?

A: Because the Orchard shielded pool hides transaction amounts and history by design, supply irregularities cannot be audited by inspecting public data, as they can on transparent ledgers. The system relies on the correctness of the circuit rules, and the bug's nature leaves no definitive cryptographic trace of prior exploitation.

Q: What proposed solution is Shielded Labs exploring to address the supply integrity concerns raised by the Orchard bug?

A: Shielded Labs is exploring a proposed network upgrade to deploy a new shielded pool. This plan would enforce turnstile accounting on coins moving from the existing Orchard pool, with the goal of allowing anyone to verify the integrity of the Zcash supply and prove the non-existence of counterfeit ZEC in Orchard.

Q: According to Josh Swihart, what is the strongest long-term solution to prevent this class of failure from recurring?

A: Josh Swihart identified formal verification as the strongest answer. This involves constructing a mathematical proof to reduce the human-reviewed parts to a concise statement of the rules, and then using a computer to check that the entire rulebook matches those rules, with AI tools now capable of writing these proofs.
