TL;DR

On June 5, Zcash founder Zooko Wilcox published a rare security postmortem article.

The article revealed that on May 29, security researcher Taylor Hornby discovered a critical forgery vulnerability in Zcash’s latest privacy pool, Orchard. Attackers could craft transactions that should have been rejected by the network validation process, generating unlimited and undetectable counterfeit ZEC within Orchard.

This was not merely a theoretical risk. Taylor had already developed a fully functional exploit in a local test environment, successfully generating counterfeit ZEC. If deployed to mainnet, attackers could theoretically generate infinite quantities of forged assets in their own mainnet wallets.

Following the disclosure, ZEC dropped over 30%. According to CoinMarketCap data, ZEC fell as low as $408.39 within 24 hours, down roughly one-third from its peak of $610.47. Unfortunately, this was one of the few recent crypto assets with strong wealth-effect potential and compelling narratives favored by many industry leaders—now severely undermined by this vulnerability.

If viewed solely through outcomes, this appears to be yet another familiar crypto security incident: vulnerability discovered, developers rush to patch, market plunges into panic.

However, the true complexity of the Orchard incident lies in the fact that while the flaw has been fixed, the Zcash community cannot directly answer a far more sensitive question:

Has this vulnerability been exploited in the past four years?

Four Days of Emergency Patching: Orchard Temporarily Suspended

Orchard is Zcash’s next-generation privacy payment protocol, launched in 2022 and now one of the primary privacy pools used in Zcash. Users can conceal balances, transaction amounts, and fund flows, while using zero-knowledge proofs to cryptographically demonstrate compliance with protocol rules.

According to timelines disclosed by Zooko, Shielded Labs, and the Zcash community, Taylor conducted a targeted security review of the Orchard circuit on May 29 and immediately reported the anomaly privately to the Zcash Open Development Lab (ZODL). Shielded Labs is an independent Zcash ecosystem support organization based in Switzerland, funded entirely by donations, with long-standing involvement in Zcash protocol development, security audits, and network sustainability—unaffiliated with either the Zcash Foundation or ZODL.

ZODL engineers confirmed the issue’s existence within hours of receiving the report and began working on a fix. To prevent exposure of the underlying exploit mechanism, the team first chose to temporarily disable Orchard: new Orchard outputs were blocked, and spending of existing funds within Orchard was halted.

After coordination among developers, miners, node operators, exchanges, and infrastructure providers, an emergency soft fork took effect on June 2. Subsequently, Zcash implemented a hard fork upgrade to refresh Orchard’s verification key material, restoring Orchard functionality on June 3. Transparent addresses and the Sapling privacy pool remained operational during this period.

From vulnerability disclosure to full remediation, the entire process spanned just a few days. Measured by incident response speed, this represents a highly successful containment effort.

Yet the market did not calm down after the fix, because the patch addressed only future risks—not past ones.

Market Fear Is Not About Future Attacks—It’s About Past Exploitation

Typical security incidents usually involve a clearly quantifiable loss. Smart contract thefts leave traceable on-chain movements; bridge exploits allow tracking of funds and affected addresses.

The Orchard incident is different.

As explained by Shielded Labs, this vulnerability enabled the generation of unlimited, undetectable counterfeit ZEC within Orchard. Due to Orchard’s inherent privacy properties, it is impossible for external observers to definitively prove via cryptography whether the attack vector was ever exploited prior to the fix.

This means the market faces not a known loss figure, but an unquantifiable uncertainty:

If someone actually discovered and exploited the vulnerability in the past, could counterfeit ZEC already exist within Orchard? If so, what is the scale? Are these assets still confined within the privacy pool? Have they gradually flowed out via normal transactions?

Even more critically, this risk window did not begin on May 29. Shielded Labs stated the vulnerability existed since Orchard’s launch in May 2022 and persisted until the emergency fix completed in June 2026—meaning the flaw had been dormant for nearly four years.

The market’s real concern is not what happened between May 29 and June 2, but whether unobservable anomalies occurred over the past four years.

This is the core reason behind ZEC’s drop exceeding 30%.

Investors are not selling off a single vulnerability—they are repricing the credibility of supply.

How a Single Mathematical Constraint Oversight Evolved into “Unlimited Inflation” Risk

Upon seeing the phrase “unlimited inflation vulnerability,” our first instinct is that hackers gained admin privileges or accessed a backdoor in the protocol.

The reality is far more fundamental.

Orchard’s security relies on a set of zero-knowledge proof circuits (Orchard circuit). Users can hide transaction details, but must cryptographically prove their transactions comply with protocol rules. The most critical rule is asset conservation: no transaction may create value ex nihilo.

In simple terms, users need not disclose how much ZEC they hold or to whom they sent it—but the network must verify:

That spent assets indeed originated from valid inputs.

Taylor’s discovery pertained to a specific elliptic curve multiplication check within the Orchard circuit.

Shielded Labs described it as an “under-constrained element”—a circuit component lacking complete mathematical constraints. Because the relevant mathematical relationship was incompletely bounded, attackers could input arbitrary invalid data into the elliptic curve multiplication process, yet the verification step might still pass.

In other words, attackers need neither crack cryptographic algorithms nor control network nodes.

They simply need to construct a dataset that should not satisfy the rules, tricking the system into believing asset conservation still holds.

Once such a flawed proof is accepted by the network, the non-existent ZEC becomes recognized as legitimate and remains valid within Orchard.

This is why Shielded Labs used exceptionally severe language:

unlimited, undetectable counterfeit ZEC

The true danger lies not just in “unlimited,” but in “undetectable.”

An Important Distinction Between Two Statements

After the upgrade, the Zcash Foundation issued a statement asserting there is currently no evidence that the vulnerability was ever exploited, no unauthorized value creation detected, and user funds or privacy unaffected. It emphasized that Zcash’s original Turnstile Accounting mechanism can track value flows across different pools and safeguard the 21 million ZEC total supply cap.

Meanwhile, Shielded Labs explicitly stated that cryptographic proof alone cannot confirm that counterfeit ZEC never appeared in Orchard’s history.

These two statements appear contradictory but address fundamentally different concerns.

Zcash’s Turnstile Accounting can be understood as a “gate” between distinct fund pools. The system can tally how much legitimate value entered Orchard and limit the amount that can exit.

Suppose Orchard originally contained only 1 million legitimate ZEC. Even if attackers forged additional assets internally, the system would prevent more than that amount from exiting altogether—thus preventing the network’s total supply cap from being easily breached.

However, this mechanism cannot directly prove that counterfeit assets never existed inside Orchard.

If forged assets remain trapped within Orchard, or if they gradually replace real assets within the allowed exit threshold, the original accounting system may fail to deliver a definitive historical conclusion.

For what is arguably the oldest privacy-focused cryptocurrency project, we can only conclude: no evidence of abnormal inflation has been found, but the community cannot directly prove that counterfeit assets have never existed within Orchard.

This is precisely the most challenging risk type for markets to handle.

The issue isn’t how many counterfeits have been discovered—it’s that no one can definitively confirm they’ve never existed.

How Can Zcash Re-verify That There Are No Counterfeit Assets in Orchard?

Fixing the vulnerability is only the first step.

Shielded Labs has indicated it is collaborating with other Zcash developers on a new network upgrade proposal. The plan includes deploying a new privacy pool and enforcing Turnstile Accounting for all assets migrating out of Orchard.

This effectively establishes a new migration gate for Orchard.

Assets stored in the old Orchard must undergo a verifiable migration process to enter the new privacy pool. The system can then re-tally the legitimate outflow volume and detect any excess ZEC that cannot be accounted for under normal migration rules.

If successfully implemented, anyone will be able to verify Zcash’s supply integrity and further prove that no counterfeit assets exist within Orchard.

The significance of this proposal goes beyond code repair—it aims to rebuild market trust in Orchard.

Because in privacy systems, trust should not stem from “we believe no attack occurred,” but from “anyone can verify that no attack occurred.”

Shielded Labs acknowledges that the likelihood of malicious exploitation was low. The vulnerability remained hidden for years, with extremely high discovery difficulty; Taylor actively sought such issues within a dedicated security research initiative; and the ecosystem swiftly closed the attack window within days of disclosure.

Yet Shielded Labs also stressed that users should not rely solely on the subjective judgment of developers.

What the market needs is proof.

Why Was This Four-Year-Old Vulnerability Discovered Now?

One often-overlooked detail of the Orchard incident is worth highlighting.

On May 28, Anthropic released Claude Opus 4.8.

One day later, Taylor discovered the Orchard vulnerability.

According to Zooko and Shielded Labs’ postmortem, Taylor shortly after the release of Opus 4.8 used it for a highly targeted review of the Orchard circuit, identifying the flaw on May 29. He then leveraged Opus 4.8 to develop a complete exploit, generating unlimited, undetectable counterfeit ZEC in a local environment.

This detail merits attention—not because AI can now independently perform cryptographic audits.

Public information does not support such hyperbolic claims.

Taylor is an experienced security researcher. Shielded Labs noted he combined traditional security methodologies, custom AI tooling frameworks, and specially crafted prompts. Opus 4.8 served as a crucial instrument in the review process, but was not the sole factor.

What truly stands out is that Taylor did not use Anthropic’s specialized, restricted-access model Claude Mythos Preview—designed for cybersecurity scenarios—but instead employed the newly public general-purpose model Opus 4.8.

Anthropic positions Mythos Preview as a cutting-edge model with notable vulnerability detection and exploitation capabilities. Due to potential abuse risks, Anthropic did not open it to the public but granted access exclusively through Project Glasswing to vetted partners.

In contrast, Opus 4.8 is accessible to ordinary developers. Anthropic emphasized in its release notes that it shows improved performance in code analysis, complex task execution, and defect identification.

This makes the Orchard incident signal a more pressing trend:

The ability to discover high-value vulnerabilities is diffusing from a small set of specialized security models toward general-purpose models.

A general-purpose model released just one day prior, guided by a skilled researcher, was already capable of assisting in reviewing complex zero-knowledge proof circuits and uncovering a critical flaw hidden for nearly four years.

This does not imply cryptographers are obsolete.

On the contrary, Taylor’s expertise, precision in selecting audit targets, and ability to validate model outputs remain central to the entire process.

But the combination of expert knowledge and AI is dramatically lowering the cost of discovering complex vulnerabilities.

The Exploit Window Is Closed, But the Market Waits for Answers

For Zcash, the most urgent attack window has now closed.

Orchard functionality has been restored, verification circuits updated, and no evidence suggests the vulnerability was ever maliciously exploited.

Yet ZEC’s drop exceeding 30% indicates the market cares less about whether the code is patched and more about obtaining a deeper answer:

Did counterfeit ZEC ever emerge within Orchard over the past nearly four years?

If the new privacy pool and Turnstile Accounting upgrade are successfully deployed, the community may eventually prove supply integrity and restore market confidence.

Until that proof is complete, the Orchard incident retains an unresolved suspense:

Those ZEC theoretically capable of infinite creation—have they never existed at all, or have they silently resided in places invisible to direct observation?

Original: LawDong BlockBeats