Zcash (the token is known as ZEC) is facing a massive wave of skepticism after the development community published details about a critical vulnerability in Orchard, the network’s latest shielded pool. ZEC plunged over 50% at one point following this information, before recovering to $367.35 on June 6.
The vulnerability was discovered on May 29 by security researcher Taylor Hornby and was fixed through an emergency upgrade a few days later. Zcash Open Development Lab (ZODL) stated that there is no evidence that the bug was ever exploited or that unauthorized ZEC was created. However, this bug could allow counterfeit ZEC to be created within Orchard, while the private design of this pool makes it difficult to definitively prove that it was never exploited.
What Happened
The vulnerability was discovered on May 29 in Orchard, where transactions are verified using zero-knowledge proofs to maintain user privacy. According to the Zcash Open Development Lab, security researcher Taylor Hornby discovered the bug during an audit commissioned by Shielded Labs and reported it to the ZODL engineering team shortly thereafter.
The issue lies within Orchard’s transaction verification mechanism. If exploited, this vulnerability could cause the system to accept invalid transactions within Orchard. ZODL confirmed the report within hours and began preparing a mitigation plan with network operators.
Due to the bug involving consensus rules, Zcash had to handle it via a network upgrade rather than a standard wallet or node update. ZODL first paused Orchard-related activities through a soft fork to limit risks, then deployed a hard fork to update the fixed circuit and restore Orchard.
Main Timeline:
- May 29: Taylor Hornby discovers and reports the Orchard vulnerability to ZODL.
- May 30-31: ZODL confirms the bug, prepares the patch, and begins private coordination with miners, exchanges, and infrastructure operators.
- June 1-2: Zcash activates the soft fork, pausing the creation of new outputs and the spending of existing balances within Orchard.
- June 3: The hard fork is completed, and Orchard is reactivated with the fixed circuit.
Why the Bug Mattered
The critical point of the Orchard bug lies in soundness—the ability to guarantee that the system only accepts valid proofs and states. When this guarantee is broken, a proof can be accepted even if the state behind it does not comply with the protocol’s rules.
According to an article by Zooko Wilcox, Jason McGee, and Taylor Hornby, Hornby successfully created a full exploit in a local test environment. In that environment, the exploit could create counterfeit ZEC within Orchard without being detected.
https://t.co/v7BiOdzU9E
— zooko🛡🦓🦓🦓 ⓩ (@zooko) June 4, 2026
If a similar bug were exploited on the mainnet, the consequence would not just be a single incorrect transaction being accepted. It could distort the accounting of the shielded pool and directly raise questions about the integrity of the ZEC supply.
What Remains Unclear
ZODL stated that there is no evidence that the vulnerability was ever exploited, no unauthorized creation of ZEC has been detected, and no impact on the privacy of assets in Zcash’s pools has been recorded. The group also said the total supply of ZEC remained safe following checks during the incident response.
What remains unclear is whether the vulnerability had been exploited before being patched. Shielded Labs stated that due to the private nature of this pool, it is impossible to rely solely on existing cryptographic evidence to absolutely confirm that the vulnerability was never exploited before being patched. Even so, the group assesses the likelihood of prior exploitation as low, given that the bug is difficult to detect and the ecosystem’s response was rapid after receiving the report.
Market Reaction
ZEC at one point fell over 50% from the $600 range to below $260 after information about the Orchard vulnerability spread. According to CoinGecko data, the token is currently trading around $367.35, down 10.8% in 24 hours, with trading volume over the same period reaching $3.35 billion.
ZEC price chart (1D). Source: TradingView
In the context of Zcash having a maximum supply of 21 million ZEC, information about a bug that could create counterfeit ZEC in a shielded pool quickly shifted the narrative from a technical issue to a question of trust in the supply.
How Zcash Responded
ZODL stated that the remediation process required network-level coordination because the bug was consensus-related. Miners, exchanges, node operators, wallets, infrastructure, and other independent parties had to collectively deploy updated software for the upgrade to activate successfully.
The response was deployed with a risk-mitigation-first approach, followed by a complete resolution: Orchard was temporarily paused while the network prepared for the upgrade, then restored when the fixed circuit was activated. ZODL stated that relevant node software and wallet SDKs were also updated following the upgrade.
According to ZODL, this is the second security-driven protocol upgrade in Zcash’s history since the network launched in 2016. ZODL stated that relevant node software and wallet SDKs were updated following the upgrade.
What Comes Next
Shielded Labs stated they are working on a new network upgrade proposal so that users can verify the integrity of the Zcash supply more directly. The idea being discussed is to deploy a new shielded pool and apply turnstile accounting to assets leaving Orchard, thereby checking whether the old pool contains invalid values.
This proposal still needs to go through Zcash’s standard governance process before it can be activated. Shielded Labs also stated they are preparing to publish more details about this option and begin a formal verification project for the Orchard circuit. For now, the vulnerability has been patched, and Orchard is back online. The next focus is whether Zcash can present a convincing enough mechanism to address the uncertainty regarding the supply in the period before the patch was deployed.
Credit: Source link