Four Questions on the Zcash Orchard Vulnerability: Was It Exploited? Can Funds Be Recovered? Is the Supply Verifiable? And Are There Others?

marsbitОпубликовано 2026-06-15Обновлено 2026-06-15

Введение

Zcash Orchard Bug: Four Key Questions Answered A critical forgery vulnerability was discovered in Zcash's Orchard privacy pool, raising four major concerns for users. 1. **Was the Orchard bug exploited?** The likelihood is considered low. The bug was found proactively using advanced AI-assisted tools and was promptly patched, limiting any potential attack window. If exploitation had occurred, evidence would likely have surfaced by now. 2. **Can legitimate Orchard funds be recovered?** It is believed so, based on the assessment that the bug was not exploited. If forgery did happen, existing "turnstile" mechanisms could prevent full recovery of legitimate funds if forged coins were moved out first, though this scenario is deemed unlikely. Users can choose to move funds, but this carries risks like loss of privacy or new wallet/software issues. 3. **Can users verify Zcash's total supply?** Currently, no. The vulnerability's prior existence prevented independent verification of the shielded supply. The proposed "Ironwood" network upgrade will restore this ability by sealing the Orchard pool, allowing anyone running a node to verify that the circulating ZEC does not exceed the correct amount. 4. **Are there other forgery bugs?** Ongoing intensive audits by multiple teams, including AI-assisted analysis, have not found additional forgery vulnerabilities, increasing confidence that none remain. Further work and collaborations are planned to provide additional guarantees. In co...

Original Authors: Jason McGee, CEO of Shielded Labs; Zooko Wilcox, Founder of Zcash

Compiled | Odaily Planet Daily Qin Xiaofeng (@QinXiaofeng 888 )

Editor's Note: On June 5th, Beijing time, the privacy project Zcash was reported to have had a critical forging vulnerability in its new-generation privacy pool, Orchard. The price of Zcash's native token, ZEC, plummeted by nearly half, hitting a low of around $250. After about ten days of developments, market panic has somewhat subsided, and the price of ZEC has rebounded, returning to $500 today.

This morning, Zcash founder Zooko Wilcox published another lengthy article responding to key market concerns. He stated that it is highly likely the Orchard vulnerability was not previously exploited, and legitimate Orchard funds can be recovered. Currently, users cannot independently verify whether the Zcash supply exceeds its limit, but the upcoming Ironwood upgrade will seal the Orchard pool, restoring this verification capability. Ongoing audits have not uncovered other forging vulnerabilities, but absolute certainty requires more work.

Below is the full text by Zooko Wilcox, compiled by Odaily Planet Daily, enjoy~

————————————

The recent Orchard vulnerability has raised critical questions about Zcash's supply and user fund safety. The discussion has conflated several distinct issues, making it difficult to understand the practical impact of the vulnerability on users. This article attempts to separate these questions and explain what each means for users.

The Orchard vulnerability raises four major questions:

  1. Was the Orchard vulnerability ever exploited?
  2. Can legitimate Orchard funds be recovered?
  3. Can users verify that the Zcash supply has not been inflated?
  4. How do we know there aren't other forging vulnerabilities?

Was the Orchard vulnerability ever exploited?

Unknown. We consider it unlikely that it was exploited previously, though we cannot rule it out entirely. We believe the vulnerability likely went unused for three reasons:

Despite years of continuous scrutiny by top cryptographers and security researchers worldwide, the vulnerability was not previously discovered. Its discovery was not accidental; it was found by Taylor Hornby of Shielded Labs with the express purpose of proactively identifying such security flaws before malicious actors could. Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to find subtle flaws others might miss, a task that would be more difficult for those not deeply familiar with the Zcash codebase.

Upon discovery, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deployed a fix, limiting any potential attack window.

Cryptocurrency exploits are common, and attackers typically cash out as quickly as possible, especially after a vulnerability is made public. For an attacker to profit from this vulnerability, they would need to exchange forged ZEC for valuable assets, which usually involves moving ZEC out of the Orchard pool via the turnstile mechanism. Had the vulnerability been exploited before the fix, we would expect evidence to have surfaced by now. Historically, cryptocurrency exploits tend to be "smash-and-grab" operations rather than "4D chess" strategies hidden for months or years.

Can legitimate Orchard funds be recovered?

We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

Conversely, if forging did occur within Orchard, the existing turnstile mechanism limits the total migrated amount to the number of ZEC that legitimately entered the pool. Therefore, if forged funds are migrated before legitimate funds, users may be unable to recover some or all of their legitimate Orchard funds.

We consider this scenario unlikely. However, for more cautious users, moving their ZEC out of Orchard is still advised. Before doing so, they should understand the following:

  • Moving funds to a transparent pool (i.e., to a t-address) exposes both the transaction amount and the time of the transaction, and the funds become publicly linked to that t-address.
  • Moving funds from the Orchard pool to the Sapling pool exposes the transaction amount and time, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
  • The Sapling pool relies on a trusted setup ceremony conducted in 2018. Relying on the security of this trusted setup is an additional risk users should be aware of.
  • To our knowledge, YWallet and Zkool are currently the only widely used, self-custodial Zcash wallets that support the Sapling pool.
  • Moving funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.

Overall, we consider these risks moderate. If your funds are currently in a shielded, self-custodial wallet, leaving them there is a reasonable choice, given our assessment that prior forging is unlikely. If you have a secure way to move them, that may also be reasonable. Users may arrive at different conclusions based on their own circumstances.

Can users verify that the Zcash supply has not been inflated?

Not currently. The prior existence of the vulnerability prevents users from independently verifying that the ZEC circulating in the current shielded pools does not exceed the correct amount.

However, as we indicated in our previous post, the Ironwood upgrade restores this ability. The diagram below illustrates why.

The proposed network upgrade addresses this by adding a guarantee that "no further unknown forging vulnerabilities exist" and by sealing the Orchard pool. New funds cannot enter, and funds within the pool cannot circulate. The only remaining path is exiting via the existing turnstile mechanism, which ensures that no more ZEC leaves the Orchard pool than legitimately entered it.

This change restores the ability to verify the soundness of Zcash's supply.

Currently, if forged funds exist within the Orchard pool, they can continue to circulate within it. After the upgrade, this is no longer possible. Regardless of whether forging occurred, anyone running a node can verify that no more ZEC is circulating than the correct amount.

Users don't need to wait for funds to migrate out of Orchard or speculate on potential actions by attackers or other users. The protocol itself provides a verifiable guarantee: excess ZEC cannot continue circulating within Orchard to inflate the supply.

This is crucial because Zcash's long-term credibility depends on users' ability to independently verify the soundness of its supply. Ironwood restores users' ability to independently verify that the protocol's supply limit is enforced.

How do we know there aren't other forging vulnerabilities?

We can't be completely certain yet, but we have reason to believe none exist. Shielded Labs and multiple other teams have been meticulously auditing the Zcash protocol for other forging vulnerabilities. This includes using a not-yet-released Mythos AI model, with assistance from Anthropic, to search for additional vulnerabilities shortly before Mythos was paused. We plan to share more details about this audit and its findings in a future blog post.

So far, no other forging vulnerabilities have been found. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us increased confidence that no similar vulnerabilities remain undiscovered.

Furthermore, we are collaborating with projects like the Tachyon Project to provide additional assurance that no more forging vulnerabilities exist in Zcash. We will elaborate on this in future posts as well.

Conclusion

The Orchard vulnerability presents four key questions: Was it exploited? Can legitimate Orchard funds be recovered? Can users verify Zcash's supply hasn't been inflated? And are there other undiscovered forging vulnerabilities?

We believe prior exploitation is unlikely, therefore legitimate Orchard funds are recoverable, and the current Zcash supply is safe. Based on ongoing audits by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered forging vulnerabilities exist. However, users cannot currently verify the security of Zcash's supply, and they shouldn't have to rely on our assessment—or anyone else's.

The proposed network upgrade solves this. By sealing the Orchard pool, it restores users' ability to independently verify the security of Zcash's supply. Users no longer need to judge whether forging occurred to verify that the protocol's supply limit is being obeyed.

Связанные с этим вопросы

QAccording to the article, what are the four main questions raised by the Orchard vulnerability?

AThe four main questions are: 1) Has the Orchard vulnerability been exploited before? 2) Can legitimate Orchard funds be recovered? 3) Can users verify that the Zcash supply has not been inflated? 4) How do we know there are no other counterfeiting vulnerabilities?

QWhat reasons does Zooko Wilcox give for believing the Orchard vulnerability likely was not exploited?

AThree reasons are given: 1) The vulnerability was only discovered using advanced AI-assisted research and custom tools, making it hard to find. 2) Developers quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, limiting the attack window. 3) Cryptocurrency exploits are typically 'smash-and-grab' operations; if exploited, evidence would likely have surfaced by now.

QWhat solution does the proposed Ironwood upgrade provide regarding the Zcash supply?

AThe Ironwood upgrade seals the Orchard pool, preventing new funds from entering and existing funds from circulating. The only remaining path is to exit via the turnstile mechanism, which ensures no more ZEC leaves the pool than legitimately entered. This restores users' ability to independently verify the soundness of the Zcash supply.

QWhat are the risks mentioned for users who choose to move their funds out of the Orchard pool?

ARisks include: exposing transaction amount and time when moving to a transparent (t-address); exposing amount and time when moving to Sapling (though not linking to a specific address/history); relying on Sapling's 2018 trusted setup ceremony; limited wallet support (YWallet, Zkool); and introducing risks from user error, software bugs, custodial risk, or other unforeseen issues with new wallets or services.

QWhat work has been done to check for other counterfeiting vulnerabilities, and what is the current assessment?

AShielded Labs and other teams have been conducting careful reviews, including using an unreleased Mythos AI model from Anthropic to search for additional vulnerabilities. So far, no other counterfeiting vulnerabilities have been found. The high level of expertise, effort, and advanced AI analysis involved provides increased confidence that no similar vulnerabilities remain undetected, though it is not yet considered completely certain.

Похожее

2029 Finale Prediction: When Cryptocurrency Completely "Vanishes", Who Can Remain in This Financial Upheaval?

By 2029, the crypto industry will have transformed into a largely invisible but foundational layer for traditional finance. This timeline outlines the key shifts from now until then. By mid-2026, the most sought-after assets on-chain will not be traditional tokens, but synthetic perpetual contracts for private, high-growth companies (like SpaceX, OpenAI). These become primary price discovery tools, highlighting the market's craving for real-world asset value. Most altcoins enter a sustained bear market as their fundamental lack of asset-backed value is exposed. In late 2026, the "AI + Crypto" narrative largely fades as AI giants prove they don't need crypto infrastructure, except for prediction markets betting on model performance. Simultaneously, a quiet but significant wave of tokenization for institutional assets (money market funds, private credit) begins. The industry splits into a noisy speculative economy and a silent institutional one. Throughout 2027, major public blockchain foundations pivot decisively to serve institutional clients, building compliance toolkits and sales teams. However, key sectors hit growth ceilings: private perpetual contracts are legally restricted from public promotion, stable币 growth is capped by looming political uncertainty, and tokenization projects remain cautious. In 2028, following a U.S. election assumed to maintain a regulatory (not prohibitive) stance, a pivotal change occurs. After a major liquidation crisis exposes the flaws of synthetic contracts lacking a real-asset anchor, new regulations allow the *public solicitation* of private security sales (secondary market shares) to accredited investors. This creates a legitimate, direct on-ramp for retail capital into previously illiquid private equity. By 2029, the resulting bull market is driven by trading in real, innovative company shares (biotech, robotics, AI labs), not speculative tokens. "Crypto" as a distinct asset class recedes; it becomes the mundane, unseen plumbing for this new global private markets infrastructure. Tokens that survive are those capturing real cash flows from this infrastructure. Speculation persists but is marginalized. The core questions posed at the start are answered: token value is tied to legally enforceable claims on real assets, frontier tech adoption happens via private market channels, and crypto's absorption into traditional finance is marked by its becoming boring and invisible. The key validation for this entire thesis is whether, by late 2028, a legal pathway exists for ordinary accredited investors to access private assets directly.

marsbit28 мин. назад

2029 Finale Prediction: When Cryptocurrency Completely "Vanishes", Who Can Remain in This Financial Upheaval?

marsbit28 мин. назад

After the U.S. Banned Fable 5, Zhipu's Stock Soared 47%

On June 15, Chinese AI company Zhipu's stock surged up to 47.6% in Hong Kong, closing with a 32.82% gain. This sharp rise followed two key industry events. On June 12, Anthropic was compelled by a U.S. government export control order to suspend global access to its latest flagship models, Claude Fable 5 and Claude Mythos 5, impacting developers and businesses reliant on them. The next day, Zhipu announced it was opening access to its new open-source flagship model, GLM-5.2, for all Coding Plan users, with API and model weights (under the MIT license) to follow. The Anthropic incident highlighted a critical shift in the AI industry: beyond raw capability, the stability, continuous accessibility, and control over AI models are becoming equally vital, especially as AI integrates deeper into business workflows. Zhipu's move, emphasizing that "frontier intelligence should not belong to a few nor be subject to arbitrary revocation," positioned its open, accessible model as an alternative. GLM-5.2 focuses on "Long Horizon Tasks" with a 1M context window, aiming for consistency in complex, extended projects. Market analysts suggest this event exposes the risk of dependency on closed-source models subject to single jurisdiction policies, potentially accelerating a shift toward domestic base models and localized deployments. The investment response indicates a new valuation metric is emerging—prioritizing which companies can provide AI capabilities that are not only advanced but also reliably and sustainably accessible.

marsbit29 мин. назад

After the U.S. Banned Fable 5, Zhipu's Stock Soared 47%

marsbit29 мин. назад

PANews Column Registration and Article Submission Guide

"PANews Column Registration and Submission Guide" provides instructions for users to register as columnists and publish articles on the PANews platform. Key application requirements are emphasized: content should focus on in-depth analysis within Crypto, Web3, blockchain, data, and viewpoints. Content primarily for brand/product introductions will not be approved, and heavily AI-generated content will be rejected. Promotional (PR/soft) content is directed to the business channel. **Registration Process:** * **Web:** Go to the official website footer, click "Apply for Column," and register with a phone number or email (login via verification code, no password). Fill in the column name, description, upload an avatar, and submit links to previously published work. * **Mobile:** Navigate to "My" -> "Contribute & Create" and complete the form. **Article Submission Tutorial:** 1. Log in to the PANews website. 2. Access the "Creator Center" from your personal homepage. 3. Use the editor to create and publish articles. **Video Upload:** The platform supports embedding videos from third-party sites (e.g., Bilibili). Copy the embed code from the source video, use the editor's "Insert/Edit media" button, paste the code under the "Embed" tab, and adjust the display size (recommended: width 100%, height 560px). **PANews Skills (AI Agent Tool):** PANews offers an official AI Agent skill set called PANews Skills, enabling AI tools to query platform content, track trends, and publish column articles directly. It includes three main skills: 1. `panews`: For tracking daily must-read lists, popular articles, and funding news. 2. `panews-creator`: For managing columns, publishing articles, and uploading images. 3. `panews-web-viewer`: For parsing PANews webpages into Markdown. These skills are compatible with various AI Agent tools (OpenClaw, Cursor, Claude Code, ChatGPT, Gemini, etc.). To use the `panews-creator` skill, users must obtain a specific authentication value from the PANews website after logging into their columnist account.

marsbit40 мин. назад

PANews Column Registration and Article Submission Guide

marsbit40 мин. назад

I Built Myself an Investment Workbench Using AI

For the past two weeks, I've been immersed in Vibe Coding—using AI to write code from natural language descriptions. This process has enabled me to quickly build functional tools that address long-standing personal ideas. Previously, I had many concepts but found execution too cumbersome. Key ideas included a unified dashboard for assets across US stocks, Crypto, HK stocks, and A-shares; a real-time alert system for price movements; an investment map visualizing sector relationships; and a tool to correlate prediction market bets with news and market data. Traditional development hurdles meant these often remained unrealized. Using AI (Codex, Claude Code, and DeepSeek API), I built four initial tools: 1. A **Cross-Market Asset Dashboard** showing total assets, daily P&L, and holdings by market, with added features for alerts and sector mapping. It's deployed locally for privacy. 2. A **Prediction Market (PM) Monitor** tracking bets on events (e.g., company valuations) and correlating probability shifts with news and market movements. I categorize bets by conviction to filter noise. 3. A **Simple Operations Backend** for managing my writing workflow (topics, progress, publishing). It's cloud-deployed for mobile access. 4. A **One-Click Formatting Tool** that automates converting drafts into various platform-specific formats, saving manual effort. While these tools are basic, they represent a significant shift: AI lowers the barrier to creating personalized systems. I believe individual investors can now feasibly build core systems for: * **Asset Observation** (tracking holdings and changes) * **Signal Monitoring** (watching for key market shifts) * **Sector Mapping** (understanding network relationships within a sector) * **Performance Review** (documenting rationale and outcomes) The power of Vibe Coding is its fast feedback loop. Ideas can be implemented, tested, and iterated on rapidly, turning "want-to-do" into "done." This marks the start of my new phase, where I'll share investment thoughts, tool tests, on-chain operations, and educational Web3 content.

marsbit56 мин. назад

I Built Myself an Investment Workbench Using AI

marsbit56 мин. назад

Robinhood, the First Stock in the Predictive Market Concept

The online brokerage Robinhood, which previously partnered with prediction market platform Kalshi to offer event contract trading to its users, is now becoming a direct competitor. This shift began after Robinhood, through a joint venture, acquired and rebranded a CFTC-regulated exchange (now Rothera Exchange). Robinhood's motivation stems from the rapid growth of prediction markets on its platform, which significantly boosted its "other transaction revenue." Recognizing that its vast retail user base is the most critical asset, Robinhood aims to capture more value by routing orders to its own exchange instead of sharing fees with Kalshi. It strategically launched its Rothera platform during the high-traffic 2026 FIFA World Cup, successfully processing tens of millions of contracts in its initial days. This move signals a pivotal power shift in the prediction market industry: control over user distribution and access is emerging as a more decisive advantage than the underlying market infrastructure itself. The future competition may increasingly revolve around which platforms control the major user gateways.

marsbit1 ч. назад

Robinhood, the First Stock in the Predictive Market Concept

marsbit1 ч. назад

Торговля

Спот
Фьючерсы
活动图片

Популярные категорииright-arrow

Популярные тегиright-arrow