Zcash Discloses Orchard Vulnerability That Could Allow Infinite ZEC Forgery

Zcash disclosed a critical vulnerability in the Orchard shielded pool that could have allowed infinite ZEC creation, raising concerns under CFT guidelines. The flaw, present since 2022, was patched on June 2, 2026, after being discovered by Taylor Hornby during a security review. The team is now evaluating upgrades to ensure ZEC supply integrity, as regulatory frameworks such as MiCA demand stronger oversight of crypto assets.
CoinDesk reports:

The Zcash development team disclosed that a critical vulnerability existed in the network's Orchard shielded pool, which theoretically allowed attackers to forge an unlimited number of ZEC without detection. The issue was urgently patched earlier this week, but the team stated that, using cryptographic methods alone, it is impossible to confirm whether the vulnerability was exploited on the mainnet prior to the fix.

The vulnerability has persisted since 2022.

Shielded Labs, responsible for disclosure, stated on June 5 that the issue had existed since Orchard was activated in May 2022 and was not remediated until June 2. The coordinated network upgrade previously observed by the public was directly related to this vulnerability fix.

Security researcher Taylor Hornby discovered the issue on May 29 during a trusted security review and successfully constructed a working exploit in a local test environment. The disclosure states that the vulnerability stems from insufficient constraints in the Orchard circuit, allowing malformed inputs to pass elliptic curve multiplication verification and thereby generating forged ZEC.

Privacy mechanisms increase the difficulty of verification.

Developers stated that there is currently no evidence the vulnerability was exploited before it was patched. However, Orchard transactions use privacy-preserving mechanisms, making it impossible for external parties to verify transactions individually as they would on a public ledger, so there is no definitive way to prove that forged tokens never entered circulation.

This means that although the issue has been patched, uncertainty remains regarding Zcash’s supply integrity. Shielded Labs stated that the team assessed the historical exploitability as low, partly because the vulnerability went undetected by seasoned cryptographic researchers for an extended period; after internal confirmation of the issue, the exploit window rapidly narrowed.

The team is evaluating subsequent network upgrades.

This disclosure also mentions that researchers used Anthropic’s Opus 4.8 model and customized AI-assisted auditing methods during their review. Shielded Labs stated that the vulnerability was discovered shortly after the new model’s release.

The team is currently evaluating whether to initiate a subsequent network upgrade to further verify the completeness of Zcash’s supply and address external concerns regarding forged ZEC. The preliminary proposal includes enabling a new shielded pool and implementing "turnstile accounting" verification for tokens exiting Orchard. Further details are expected to be announced next week.
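The idea behind turnstile accounting, as an added sketch that is not code from Zcash, Shielded Labs or the article: a validator keeps a running balance of value that has entered a shielded pool and rejects any block whose withdrawals would push that balance below zero. The `Block` type, its field name and the sample chains are constructed for illustration, and the model assumes the only public signal is each transaction's net value moving across the pool boundary.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    # Net units leaving the pool per transaction (hypothetical field name):
    # negative = deposit into the pool, positive = withdrawal out of it.
    value_balances: tuple


class TurnstileViolation(Exception):
    pass


def apply_block(pool_balance, block):
    """Return the new pool balance; raise if more would exit than ever entered."""
    new_balance = pool_balance - sum(block.value_balances)
    if new_balance < 0:
        raise TurnstileViolation(
            f"block {block.height}: pool balance would be {new_balance}")
    return new_balance


def audit_chain(blocks):
    """Replay blocks; return (last valid balance, height of first violation or None)."""
    balance = 0
    for block in blocks:
        try:
            balance = apply_block(balance, block)
        except TurnstileViolation:
            return balance, block.height
    return balance, None


# Constructed sample chains (not real chain data).
HONEST = [Block(1, (-500,)), Block(2, (-300, 200)), Block(3, (600,))]
# Same history, then 400 more units exit than were ever deposited.
OVERDRAWN = HONEST + [Block(4, (400,))]
# 800 deposited honestly; 600 counterfeit units exit while the honest 800 stay inside.
UNDETECTED = [Block(1, (-800,)), Block(2, (600,))]

if __name__ == "__main__":
    for name, chain in [("honest", HONEST), ("overdrawn", OVERDRAWN),
                        ("undetected", UNDETECTED)]:
        print(name, audit_chain(chain))
```

The third chain passes the check even though the withdrawn units were counterfeit: in this model the turnstile caps what can leave the pool at what entered it, but it only trips once cumulative exits exceed cumulative deposits.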

  • Discovery date: May 29, 2026
  • Emergency fix completed: June 2, 2026
  • Disclosure date: June 5, 2026