Author: Curry, Shenchao TechFlow
Zcash ($ZEC), as one of the oldest privacy-focused cryptocurrencies, has long centered its narrative on "verifiable privacy + a fixed supply cap of 21 million."
But recently, that foundation of trust was shattered in an instant by a critical vulnerability found with the help of Claude Opus 4.8, Anthropic's yet-to-be-released top model:
Zcash's Orchard privacy pool could be used to counterfeit ZEC, inflating the supply.
Specifically, security researcher Taylor Hornby, while auditing the cryptographic protocol on behalf of Shielded Labs, used Anthropic's newly released Claude Opus 4.8 model to generate, in a local test environment, an unlimited quantity of completely undetectable counterfeit ZEC.

The vulnerability stems from a rule in the Orchard circuit (the transaction rulebook) being too permissive, causing the proof engine to accept fraudulent transactions as valid.
This issue was urgently patched on June 1–2 and fully disclosed on June 5 by Zcash founder Zooko and Shielded Labs. Within 24 hours of the disclosure, the price of ZEC plummeted by 26%–36%, causing an immediate collapse in bullish confidence.
More notably, prominent trader Arthur Hayes, who previously ranked ZEC as the second-largest holding in his "Holy Trinity" family fund, publicly confirmed that he has fully exited his position, citing the bar that strong privacy has to clear:
Although the probability is extremely low, the narrative of privacy resisting AI, governments, or big tech requires perfection, not just “probably safe.”
Amid widespread market skepticism, Josh Swihart, founder and CEO of the Zcash Open Development Lab (ZODL) and de facto leader of the Zcash core development team, posted a response, with a title that reads more like a public confession and plea for forgiveness:
Never again.

Here is the complete translation of Josh Swihart's post:
Today, Shielded Labs recommends that the community explore establishing a second Zcash Orchard pool to address a recently patched forgery vulnerability in the current Orchard implementation. In principle, a second Orchard pool could be implemented in the NU7 network upgrade at the end of July.
I won’t take a fixed position on whether a second Orchard pool should be created. A more important question to discuss is: how can we ensure that such vulnerabilities never happen again?
The best answer, as Sean previously mentioned, is formal verification. To explain this simply to non-experts: a shielded (privacy-protected) Zcash transaction includes a “proof” that demonstrates it strictly follows the protocol rules—rules written in a “rulebook” (called a circuit) that defines what constitutes a valid transaction.
The vulnerability in Orchard arose because one of its rules was written too loosely, allowing it to accept false information while still passing verification. As a result, the system could be tricked into treating fake transactions as genuine—meaning someone could theoretically forge ZEC within the Orchard pool.
This is a flaw in the ruleset itself, not an issue with the underlying cryptography or the proof-generation engine. As Sean said, shielded pools hide amounts and history—that’s what privacy means.
But precisely because of this, you cannot directly verify the values as you would with a public ledger. The only way to ensure no one has forged anything is through mathematical proof: every transaction strictly follows the rules. Since the issue lies in the rulebook, the proof engine itself is actually irrelevant—what matters is how the rules are written.
The Orchard rulebook is extremely complex, as it includes numerous special-case optimizations for speed. Although powerful, it is highly cumbersome and difficult to thoroughly review. A rule that is too permissive is hard to detect—even after multiple rounds of expert security audits and reviews, this one was still missed.
Formal verification can solve this problem.
It can use mathematical proofs to compress the parts requiring human review into concise, readable rule statements, allowing computers to fully verify whether the entire rulebook matches. AI tools are now capable of assisting in writing these proofs.
It makes the review process much simpler: just examine a small, clear specification and run an incorruptible checker. We no longer rely on visual inspection to spot issues—we use proofs to ensure that no issues exist.
Trust is reduced to fundamental cryptographic assumptions and a minimal specification—this is now the industry standard. Tachyon is being built with formal verification, employing a simpler, more unified set of rules with far fewer edge cases and complexities than Orchard, enabling the entire rule set to be mathematically proven correct.
But as Sean mentioned, multiple teams are currently conducting formal verification on the existing Orchard circuit. If successful, the shortest-term path might be to launch a formally verified second Orchard pool before Tachyon.
Tachyon is cleaner, but a formally verified Orchard can serve as an excellent transitional solution and help ensure such vulnerabilities do not recur. Thank you to Sean Bowe for reviewing and providing feedback.
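To make the rulebook-versus-spec distinction in Josh's post concrete, the following is an added toy model in Python; it is not Zcash's or Orchard's code and does not describe the actual Orchard flaw. It treats a circuit as a list of constraints evaluated over a small prime field, treats the specification as a short integer-valued statement of what a valid transfer is, and then does by exhaustive enumeration what formal verification does symbolically: it checks that the two agree. The field modulus, the value range and the omitted range rule are all constructed assumptions for the example.

```python
# Added toy model, not Zcash's or Orchard's code: a circuit ("rulebook") is a list of
# constraints checked over a small prime field, and the spec is the short, readable
# statement of what a valid transfer is. The checker below exhaustively compares the two
# over a tiny value domain, which is what formal verification does symbolically over the
# real ~255-bit field. Field size, value range and the missing rule are all constructed
# for this example and do not describe the actual Orchard flaw.
from itertools import product
from typing import Callable, Dict, List, Optional

P = 17         # toy field modulus (assumption; small so every witness can be enumerated)
MAX_VALUE = 3  # largest genuine amount the rulebook is supposed to allow (assumption)
FIELDS = ("in", "out1", "out2", "fee")

Witness = Dict[str, int]
Constraint = Callable[[Witness], bool]


def spec_valid(w: Witness) -> bool:
    """The readable specification a reviewer actually checks: every amount is a real
    value in range, and value is conserved as ordinary integers (no wrap-around)."""
    return (all(0 <= w[k] <= MAX_VALUE for k in FIELDS)
            and w["in"] == w["out1"] + w["out2"] + w["fee"])


def balance_mod_p(w: Witness) -> bool:
    """Value-balance rule as a circuit sees it: the arithmetic happens modulo P."""
    return (w["in"] - w["out1"] - w["out2"] - w["fee"]) % P == 0


def in_range(key: str) -> Constraint:
    """Range rule for one amount; without it a field element can stand in for a
    'negative' value and still satisfy the balance rule."""
    return lambda w: 0 <= w[key] <= MAX_VALUE


# Permissive rulebook: the range rule on the second output was left out (constructed flaw).
PERMISSIVE: List[Constraint] = [balance_mod_p, in_range("in"), in_range("out1"), in_range("fee")]
# Tightened rulebook: every amount is range-constrained.
TIGHTENED: List[Constraint] = PERMISSIVE + [in_range("out2")]


def circuit_accepts(rules: List[Constraint], w: Witness) -> bool:
    """A proof exists for w exactly when every constraint is satisfied."""
    return all(rule(w) for rule in rules)


def find_soundness_gap(rules: List[Constraint]) -> Optional[Witness]:
    """Search the whole toy domain for a witness the circuit accepts but the spec
    rejects: a transfer the proof engine would prove although it conserves no value."""
    for values in product(range(P), repeat=len(FIELDS)):
        w = dict(zip(FIELDS, values))
        if circuit_accepts(rules, w) and not spec_valid(w):
            return w
    return None


def is_complete(rules: List[Constraint]) -> bool:
    """Every spec-valid transfer must still be provable, or honest users are locked out."""
    for values in product(range(MAX_VALUE + 1), repeat=len(FIELDS)):
        w = dict(zip(FIELDS, values))
        if spec_valid(w) and not circuit_accepts(rules, w):
            return False
    return True


def audit(rules: List[Constraint]) -> dict:
    """What a reviewer wants from the checker: is the rulebook sound (no accepted
    witness outside the spec) and complete (no rejected witness inside it)?"""
    gap = find_soundness_gap(rules)
    return {"sound": gap is None, "complete": is_complete(rules), "counterexample": gap}


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("tightened", TIGHTENED)):
        print(name, audit(rules))
```

The point of the model is the one Josh makes: a human only has to read `spec_valid`, a two-line statement, and the machine does the tedious part of confirming that the much larger constraint list accepts exactly the same set. The permissive rulebook passes every witness a reviewer would naturally think to try (all amounts small and balanced), which is why the gap survives eyeballing; the exhaustive check finds it immediately because it does not rely on anyone guessing the odd case.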
Josh's response did not downplay the severity of the vulnerability but shifted the focus to long-term solutions: formal verification and the more streamlined next-generation circuit, Tachyon.
From a public relations perspective, honestly acknowledging the issue and presenting a remediation plan is a strong choice both technically and emotionally.
With the broader crypto market in a sustained downturn, Zcash's own problems are accelerating holders' capitulation: selling previously lacked a clear rationale, and now there is a ready-made one.
After all, speculators may not care about technical fixes, and black swan events are catalysts for declines.
The rapid patch and transparent disclosure are positives, but with no way to prove conclusively that no ZEC was ever forged, and with large holders exiting, the short-term narrative and price will stay under pressure. In the long term, if formal verification is successfully implemented, Zcash may yet reclaim its position as "the most private coin", but all of that will take time.

