OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
OpSec· Trust Inversion series· June 5, 2026· 5 min read

Four Years Undetected: Zcash Patches Orchard Counterfeit Bug

On June 5, Shielded Labs and Zcash Open Development Lab disclosed that a critical vulnerability in Zcash's Orchard shielded pool, present since May 2022, allowed unlimited undetectable ZEC counterfeiting for approximately four years before an emergency patch on June 2. Security engineer Taylor Hornby found the flaw using an AI-assisted audit powered by Anthropic's Opus 4.8: an under-constrained zero-knowledge circuit check that let forged proofs pass validation without triggering any on-chain signature. Because Orchard hides transaction amounts through zero-knowledge proofs, there is no cryptographic method to determine whether exploitation occurred before the fix, an uncertainty that sent ZEC down roughly 45% and prompted Arthur Hayes to exit his entire ZEC position.

Key takeaways

  1. On May 29, 2026, security engineer Taylor Hornby discovered a critical vulnerability in Zcash's Orchard shielded pool while conducting an ongoing protocol review for Shielded Labs. Hornby used a custom AI auditing framework powered by Anthropic's Opus 4.8 (released May 28) to identify an under-constrained element in the Orchard zero-knowledge circuit. He built a working exploit and confirmed it generated unlimited counterfeit ZEC without triggering any on-chain detection in a local test environment
  2. The flaw resided in the Orchard zero-knowledge circuit and stemmed from an under-constrained elliptic curve multiplication check that allowed arbitrary false inputs to pass validation. Because Orchard uses zero-knowledge proofs to hide transaction amounts from network observers, any counterfeit ZEC created through the exploit would have been mathematically indistinguishable from legitimate coins in the shielded pool
  3. The emergency response was fast: Zcash Open Development Lab (ZODL) coordinated validators to disable Orchard via a soft fork on June 2 and shipped the NU6.2 hard fork on June 3. The vulnerability existed from Orchard's NU5 activation in May 2022 until the June 2 patch, a window of approximately four years during which the bug survived multiple independent expert audits
  4. The Zcash Foundation reported no evidence of exploitation, but the pool's privacy properties make that assertion impossible to verify cryptographically. Arthur Hayes disclosed that he liquidated his entire ZEC position, stating: 'While I think it is extremely unlikely any minting occurred, it cannot be formally cryptographically proved impossible.' ZEC liquidations topped $81.91 million in the 24-hour period following disclosure. Shielded Labs has proposed a network upgrade adding a new shielded pool with turnstile accounting to allow supply verification going forward
  5. The structural lesson is the Trust Inversion pattern made explicit: the zero-knowledge proofs that protected Orchard users from transaction surveillance are the same mechanism that made an unlimited counterfeiting exploit undetectable for four years. Privacy and supply verifiability pull in opposite directions, and Zcash chose privacy. Bitcoin chose transparent supply. June 5, 2026 is the day that trade-off became operationally visible for ZEC holders

What Happened

On June 5, 2026, Shielded Labs and Zcash Open Development Lab (ZODL) publicly disclosed that security engineer Taylor Hornby discovered a critical vulnerability in Zcash's Orchard shielded pool on May 29. Hornby, hired by Shielded Labs in April for an ongoing protocol review, was using a custom AI auditing framework powered by Anthropic's Opus 4.8 when he identified an under-constrained element in the Orchard zero-knowledge circuit. Testing in a local environment, his exploit generated unlimited counterfeit ZEC without triggering any on-chain detection. Hornby disclosed immediately to ZODL, which coordinated a three-day emergency response: Orchard was disabled via a soft fork on June 2, and the NU6.2 hard fork shipped June 3.

The vulnerability was present from Orchard's NU5 activation in May 2022 until the June 2 fix, a window of approximately four years during which the bug survived multiple independent expert audits. Public disclosure on June 5 sent ZEC down roughly 45%. ZEC liquidations topped $81.91 million in the 24-hour period following the announcement. Arthur Hayes posted on social media that he liquidated his entire ZEC position: 'Sadly due to the Orchard Pool exploit, I had to dump our entire $ZEC bag.' Hayes added that while he considers exploitation unlikely, 'it cannot be formally cryptographically proved impossible.'

What the Orchard Circuit Got Wrong

The Orchard shielded pool is built on a zero-knowledge proof system called a zk-SNARK. Each Orchard transaction includes a cryptographic proof demonstrating the transaction is valid and balances add up correctly, without revealing the amounts involved. The proof logic is encoded in an arithmetic circuit: a mathematical structure that defines all constraints a valid transaction must satisfy. The vulnerability was an under-constrained elliptic curve multiplication check. In a correctly written circuit, that check ensures balances can only be valid if they satisfy specific mathematical relationships. In the pre-patch Orchard circuit, arbitrary false inputs could pass the check without satisfying those relationships.

An attacker who knew the flaw could construct Orchard proofs that the network accepted as valid while encoding counterfeit ZEC amounts. No control over mining infrastructure, no theft of private keys, and no observable network behavior was required. The attack surface was knowledge of the circuit internals, and the barrier to that knowledge was deep familiarity with the Orchard specification. Hornby's AI-assisted framework brought that kind of systematic, exhaustive circuit analysis to bear in a way prior manual audits had not.

The Irrefutability Problem

The patch closed the vulnerability. It does not resolve the past. Orchard's zero-knowledge design means the supply of ZEC inside the shielded pool at any point before June 2 cannot be independently audited. The same privacy guarantee that hides a legitimate user's balance from external observers also hides any counterfeit ZEC introduced through the circuit flaw. The Zcash Foundation's statement that there is no evidence of exploitation is accurate in a narrow sense: no evidence exists. That is the problem, not the solution. A four-year window during which unlimited undetectable counterfeiting was possible cannot be disproven through the same cryptographic tools that would normally be used to detect it.

Shielded Labs has proposed a network upgrade introducing a new shielded pool with turnstile accounting, a mechanism allowing external observers to verify that ZEC entering and leaving a pool balances correctly without revealing individual transaction amounts. The proposal addresses future pools. It does not address the pre-patch Orchard pool. The counterargument to the supply-integrity concern is that sophisticated counterfeiting at scale would likely have left traces in ZEC's market behavior over four years, and the absence of such anomalies is circumstantial evidence against exploitation. That is a reasonable prior. It is not a cryptographic proof. Hayes' decision to exit reflects the rational assessment of an unanswerable question: how much of the current ZEC supply is legitimate, and how much might represent coins introduced through a vulnerability that cannot be proven unexploited.

The Privacy Mechanism Was the Vulnerability Mechanism

The Orchard story is the Trust Inversion pattern made explicit. Orchard's zero-knowledge proofs hide transaction amounts from surveillance: no chain observer can see your balance or transfers. That same property is what made a counterfeiting exploit undetectable for four years, because the network is explicitly designed to accept amounts without cross-referencing them against a transparent ledger. The privacy protection and the exploit invisibility are the same feature seen from two angles.

Bitcoin's transparent UTXO set is often framed as a privacy failure: every transaction is visible to any observer. It is also what makes Bitcoin's supply independently auditable by any participant at any time. Any node can count every UTXO, verify every block reward, and confirm that total supply matches the issuance schedule. Counterfeit Bitcoin cannot be introduced without appearing as a consensus violation that every validating node rejects. Zcash's Orchard pool made the opposite trade: privacy over transparency. June 5 is the day Zcash holders had to price that trade-off at the supply-integrity layer.

What This Means for You

If you hold ZEC in the Orchard shielded pool, the patch is real and the circuit is now correctly constrained on the NU6.2 network. The forward-looking integrity of the pool is restored. The question of whether prior exploitation diluted the overall supply remains structurally unanswerable. Shielded Labs' proposed turnstile accounting upgrade, when deployed, will provide supply verification for the new pool going forward. If you are assessing your Orchard exposure, the honest answer is that the pre-patch supply cannot be audited and any estimate of the damage, including zero, cannot be proven cryptographically.

If you self-custody Bitcoin using your own private keys, the Orchard story adds a structural distinction worth holding. Your private keys give you key control: no one can spend your Bitcoin without your signature. That is the foundation of self-custody and it is a strong property. Bitcoin also gives you supply verifiability: every node on the network can confirm that total supply matches the protocol schedule, that no counterfeit coins exist, and that every UTXO traces to a valid coinbase transaction. Privacy coins trade supply verifiability for transaction privacy. That is a coherent choice for specific operational contexts. It is not a free one. Zcash's Orchard pool illustrates what the cost looks like when a zero-knowledge circuit carries a flaw for four years and the privacy mechanism prevents detecting it.

What to Watch

Watch Shielded Labs' turnstile accounting network upgrade proposal for both the design details and community response to whether it addresses the pre-patch supply question at all or only forward-looking integrity. The Zcash Foundation's post-mortem on why the vulnerability survived four years of expert circuit audits deserves close attention, since that methodology gap is relevant to every zero-knowledge protocol currently in production. Whether Hornby's AI-assisted auditing technique, pairing a custom framework with Opus 4.8, produces additional findings in other zero-knowledge systems is the next test, since the Orchard discovery suggests this class of targeted AI-accelerated circuit review is finding real bugs faster than prior methods. Watch the Monero and Firo communities for whether they commission analogous targeted audits in response, and the ZODL future disclosure process for whether the three-day private-fix window before public disclosure becomes a documented standard or generates pressure for more transparent response timelines.

Privacy hides your balance from surveillance and your supply from auditors equally. Zcash's four-year counterfeiting window shows the trade-off.

Sources

  1. [1]CoinDesk — 'Zcash plummets 38% as Shielded Labs reveals a major bug that went undetected for four years', June 5, 2026
  2. [2]Decrypt — 'ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability', June 5, 2026
  3. [3]The Block — 'Security researcher finds Zcash vulnerability allowing unlimited counterfeit minting; ZEC drops 31%', June 5, 2026
  4. [4]Unchained — 'AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability That Could Have Minted Unlimited Counterfeit ZEC', June 5, 2026
  5. [5]Zcash Community Forum / ZODL — 'The Orchard Counterfeiting Vulnerability and Next Steps', June 5, 2026
  6. [6]Bitcoin.com News — 'Arthur Hayes Dumps His Entire ZEC Bag After Orchard Exploit, Prices Down Nearly 50%', June 5, 2026
  7. [7]BeInCrypto — 'An Opus 4.8 Audit Uncovered Zcash's Bug', June 5, 2026
Trust Inversion series · Part 7 of 11
← Previous part
Trafficking Victims Unpaid as 127,000 BTC Sit in Reserve
Next part →
AudiA6 Takedown Hits $389M Wash for 20 Ransomware Groups

More in Trust Inversion

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price