TLDR
- Zooko Wilcox said the Orchard flaw could have enabled undetectable counterfeit ZEC creation before repair.
- Shielded Labs said Taylor Hornby found the bug on May 29 using Anthropic’s Opus model.
- The emergency fix closed the vulnerability by June 1 after coordinated work by Zcash developers.
- Shielded Labs said cryptography alone cannot confirm whether counterfeit ZEC entered Orchard before remediation began.
- A proposed network upgrade would add accounting measures aimed at verifying Zcash Orchard supply integrity.
Zcash founder Zooko Wilcox said a vulnerability in Zcash’s Orchard privacy pool could have allowed undetectable counterfeit ZEC to be created. Shielded Labs, a nonprofit developer in the Zcash ecosystem, disclosed that the flaw affected the Orchard shielded pool. The disclosure placed the issue at the center of debate over Zcash supply integrity.
According to Shielded Labs, security engineer Taylor Hornby discovered the bug on May 29 while using Anthropic’s Opus 4.8 AI model. The group said Hornby wrote a complete exploit that worked in a local testing environment. That test reportedly generated unlimited counterfeit ZEC without producing evidence visible through normal cryptographic checks.
Shielded Labs said the same tool, if run on Zcash mainnet before the fix, could have created unlimited counterfeit tokens in a mainnet wallet. The organization said the flaw had existed since Orchard was activated in May 2022. Wilcox said the vulnerability was reported to the Zcash Open Development Lab after discovery.
Emergency patch followed private disclosure
The Zcash Open Development Lab coordinated an emergency response after Hornby reported the vulnerability. Shielded Labs said the bug was patched by June 1, while Wilcox said the response process was completed on June 2. The timeline showed a rapid repair after the issue became known to Zcash developers.
The vulnerability drew attention because Orchard is designed to protect user privacy while supporting shielded ZEC transfers. Shielded Labs said those same privacy properties make it impossible to prove only through cryptography whether the flaw was exploited earlier. The group said it believes earlier abuse was unlikely, while acknowledging that certainty is not available.
The disclosure came as ZEC traded under pressure during a wider market decline. The token fell roughly 30 percent to around $400 after the statement circulated, according to the figures provided in the report. At the cited time, ZEC was trading near $443.05, down 29 percent over 24 hours.
Supply review plan targets accounting clarity
Shielded Labs said it is exploring a network upgrade intended to verify Zcash supply integrity after the Orchard bug. The proposed upgrade would add new accounting measures for the Orchard pool. The organization said the effort is meant to help prove whether counterfeit ZEC exists in the shielded pool.
The proposed accounting work would aim to restore confidence in the known supply of ZEC. Shielded Labs also said expanded security efforts are being considered after the disclosure. The group framed the response as part of a broader effort to address uncertainty created by the vulnerability.
The disclosure stated that the bug was real, exploitable, and capable of creating counterfeit ZEC in testing. Zcash developers closed the flaw after private reporting, but the privacy design limits what can be verified about the past. The case has placed Orchard security, ZEC supply checks, and future network changes under renewed attention.
Get 3 Free Stock Ebooks
Discover top-performing stocks in AI, Crypto, and Technology with expert analysis.
- Top 10 AI Stocks - Leading AI companies
- Top 10 Crypto Stocks - Blockchain leaders
- Top 10 Tech Stocks - Tech giants
