ME News reports that on June 5 (UTC+8), Zcash founder Zooko Wilcox disclosed that a severe forgery vulnerability previously existed in the Zcash Orchard pool, allowing attackers to generate unlimited, undetectable forged ZEC within the Orchard pool. The vulnerability was discovered on May 29 by security researcher Taylor Hornby during a targeted audit using the Anthropic Opus 4.8 model, and was subsequently reported to the Zcash Open Development Lab (ZODL). ZODL then coordinated an emergency response across the Zcash ecosystem, and the necessary fix was completed on June 2.
Taylor Hornby developed a complete exploit program using Opus 4.8 in a local regtest environment, capable of generating unlimited, undetectable forged ZEC during testing. If this tool were executed on the Zcash mainnet, it could generate unlimited, undetectable forged ZEC in mainnet Zcash wallets. The vulnerability stems from an under-constrained element in the Orchard circuit, allowing attackers to input arbitrary falsified values into elliptic curve multiplication while still passing the multiplication verification. This flaw has existed since Orchard was activated in May 2022 until an emergency fix was deployed on June 1, 2026.
Due to Orchard's privacy properties and the nature of the vulnerability, it is currently not possible to determine solely through cryptographic methods whether the vulnerability was exploited prior to its patch. However, Shielded Labs believes the likelihood of prior exploitation was low and is exploring a network upgrade to deploy a new privacy pool, account for all tokens in the Orchard pool, and enable anyone to verify the integrity of the Zcash supply and prove that no forged ZEC exists in the Orchard pool.
Due to the Orchard Pool vulnerability, ZEC dropped over 31% in 24 hours, currently trading at $410.5.(Source: X platform)