The Zcash development team disclosed a critical vulnerability in the network's Orchard shielded pool that theoretically allowed attackers to forge an unlimited amount of ZEC without being detected. The issue was patched earlier this week, but the team stated that cryptographic methods alone cannot confirm whether the vulnerability was exploited on mainnet before the fix.
The vulnerability has persisted since 2022.
Shielded Labs, which is responsible for the disclosure, stated on June 5th that the issue had existed since Orchard was launched in May 2022, and that the emergency response was not completed until June 2nd. The coordinated network upgrades observed earlier were in fact directly related to the fix for this vulnerability.
Security researcher Taylor Hornby discovered the vulnerability during a commissioned security review on May 29 and successfully constructed a working exploit in a local test environment. The disclosure states that the vulnerability stems from insufficient constraints in the Orchard circuit, which allowed erroneous inputs to pass elliptic curve multiplication checks and generate counterfeit ZEC.
Privacy mechanisms increase the difficulty of verification
The developers stated that there is currently no evidence that the vulnerability was actually exploited before it was patched. However, Orchard transactions use privacy protection mechanisms, so external parties cannot verify each transaction as they could on a public ledger, and there is therefore no clear way to prove that counterfeit tokens never entered circulation.
This means that while the issue has been patched, uncertainty remains regarding the integrity of Zcash's supply. Shielded Labs stated that the team judged the likelihood that this vulnerability was exploited in the past to be low, partly because it had gone undiscovered by senior cryptography researchers for a long time; once the issue was confirmed internally, the window for exploitation also narrowed quickly.
Team assesses subsequent network upgrades
The disclosure also mentioned that researchers used Anthropic's Opus 4.8 model and a custom AI-assisted auditing method during the review process. Shielded Labs stated that the vulnerability was discovered shortly after the new model was released.
The team is currently evaluating whether to initiate a follow-up network upgrade to further verify the integrity of the Zcash supply and dispel concerns about counterfeit ZEC. The initial plan includes enabling a new shielded pool and implementing "turnstile accounting" verification for tokens flowing out of Orchard. More details are expected to be released next week.
- Date of discovery: May 29, 2026
- Emergency repairs completed: June 2, 2026
- Public disclosure date: June 5, 2026
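
A minimal sketch of what a turnstile check does, added here as an illustration and not taken from Shielded Labs or the Zcash code base. It assumes the usual meaning of the term: the chain tracks the public net value entering and leaving a pool and rejects any block that would make the pool's balance negative. The class, function names, sign convention and sample blocks are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

ZAT = 100_000_000  # zatoshi per ZEC


class TurnstileViolation(Exception):
    """A block would take more out of the pool than ever went in."""


@dataclass
class PoolTurnstile:
    balance: int = 0  # public running total for the pool, in zatoshi

    def apply_block(self, height: int, net_out: list[int]) -> int:
        # net_out: each transaction's public net value leaving the pool
        # (negative means value entering). Note contents stay hidden;
        # only these totals are needed for the check.
        new_balance = self.balance - sum(net_out)
        if new_balance < 0:
            raise TurnstileViolation(
                f"block {height}: pool would go {-new_balance} zatoshi negative")
        self.balance = new_balance
        return new_balance


def audit_chain(blocks) -> tuple[int, int | None]:
    """Replay blocks; return (last valid balance, first rejected height or None)."""
    pool = PoolTurnstile()
    for height, net_out in blocks:
        try:
            pool.apply_block(height, net_out)
        except TurnstileViolation:
            return pool.balance, height
    return pool.balance, None


# Constructed sample: 8 ZEC enters the pool, then 9 ZEC tries to leave in total.
SAMPLE_BLOCKS = [
    (1, [-5 * ZAT, -3 * ZAT]),  # two deposits, balance 8 ZEC
    (2, [2 * ZAT]),             # withdrawal, balance 6 ZEC
    (3, [6 * ZAT]),             # withdrawal, balance 0
    (4, [1 * ZAT]),             # exceeds everything ever deposited: rejected
]

if __name__ == "__main__":
    balance, rejected = audit_chain(SAMPLE_BLOCKS)
    print(f"balance={balance / ZAT} ZEC, first rejected block={rejected}")
```

The check caps total outflow at total inflow, so it limits how much counterfeit value could ever leave the pool. It cannot show which notes inside the pool were forged, and a shortfall only becomes visible once withdrawals exceed what was deposited.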