What Happened
On June 5, 2026, Shielded Labs and Zcash Open Development Lab (ZODL) publicly disclosed that security engineer Taylor Hornby discovered a critical vulnerability in Zcash's Orchard shielded pool on May 29. Hornby, hired by Shielded Labs in April for an ongoing protocol review, was using a custom AI auditing framework powered by Anthropic's Opus 4.8 when he identified an under-constrained element in the Orchard zero-knowledge circuit. Testing in a local environment, his exploit generated unlimited counterfeit ZEC without triggering any on-chain detection. Hornby disclosed immediately to ZODL, which coordinated a three-day emergency response: Orchard was disabled via a soft fork on June 2, and the NU6.2 hard fork shipped June 3.
The vulnerability was present from Orchard's NU5 activation in May 2022 until the June 2 fix, a window of approximately four years during which the bug survived multiple independent expert audits. Public disclosure on June 5 sent ZEC down roughly 45%. ZEC liquidations topped $81.91 million in the 24-hour period following the announcement. Arthur Hayes posted on social media that he liquidated his entire ZEC position: 'Sadly due to the Orchard Pool exploit, I had to dump our entire $ZEC bag.' Hayes added that while he considers exploitation unlikely, 'it cannot be formally cryptographically proved impossible.'
What the Orchard Circuit Got Wrong
The Orchard shielded pool is built on a zero-knowledge proof system called a zk-SNARK. Each Orchard transaction includes a cryptographic proof demonstrating the transaction is valid and balances add up correctly, without revealing the amounts involved. The proof logic is encoded in an arithmetic circuit: a mathematical structure that defines all constraints a valid transaction must satisfy. The vulnerability was an under-constrained elliptic curve multiplication check. In a correctly written circuit, that check ensures balances can only be valid if they satisfy specific mathematical relationships. In the pre-patch Orchard circuit, arbitrary false inputs could pass the check without satisfying those relationships.
An attacker who knew the flaw could construct Orchard proofs that the network accepted as valid while encoding counterfeit ZEC amounts. No control over mining infrastructure, no theft of private keys, and no observable network behavior was required. The attack surface was knowledge of the circuit internals, and the barrier to that knowledge was deep familiarity with the Orchard specification. Hornby's AI-assisted framework brought that kind of systematic, exhaustive circuit analysis to bear in a way prior manual audits had not.
The Irrefutability Problem
The patch closed the vulnerability. It does not resolve the past. Orchard's zero-knowledge design means the supply of ZEC inside the shielded pool at any point before June 2 cannot be independently audited. The same privacy guarantee that hides a legitimate user's balance from external observers also hides any counterfeit ZEC introduced through the circuit flaw. The Zcash Foundation's statement that there is no evidence of exploitation is accurate in a narrow sense: no evidence exists. That is the problem, not the solution. A four-year window during which unlimited undetectable counterfeiting was possible cannot be disproven through the same cryptographic tools that would normally be used to detect it.
Shielded Labs has proposed a network upgrade introducing a new shielded pool with turnstile accounting, a mechanism allowing external observers to verify that ZEC entering and leaving a pool balances correctly without revealing individual transaction amounts. The proposal addresses future pools. It does not address the pre-patch Orchard pool. The counterargument to the supply-integrity concern is that sophisticated counterfeiting at scale would likely have left traces in ZEC's market behavior over four years, and the absence of such anomalies is circumstantial evidence against exploitation. That is a reasonable prior. It is not a cryptographic proof. Hayes' decision to exit reflects the rational assessment of an unanswerable question: how much of the current ZEC supply is legitimate, and how much might represent coins introduced through a vulnerability that cannot be proven unexploited.
The Privacy Mechanism Was the Vulnerability Mechanism
The Orchard story is the Trust Inversion pattern made explicit. Orchard's zero-knowledge proofs hide transaction amounts from surveillance: no chain observer can see your balance or transfers. That same property is what made a counterfeiting exploit undetectable for four years, because the network is explicitly designed to accept amounts without cross-referencing them against a transparent ledger. The privacy protection and the exploit invisibility are the same feature seen from two angles.
Bitcoin's transparent UTXO set is often framed as a privacy failure: every transaction is visible to any observer. It is also what makes Bitcoin's supply independently auditable by any participant at any time. Any node can count every UTXO, verify every block reward, and confirm that total supply matches the issuance schedule. Counterfeit Bitcoin cannot be introduced without appearing as a consensus violation that every validating node rejects. Zcash's Orchard pool made the opposite trade: privacy over transparency. June 5 is the day Zcash holders had to price that trade-off at the supply-integrity layer.
What This Means for You
If you hold ZEC in the Orchard shielded pool, the patch is real and the circuit is now correctly constrained on the NU6.2 network. The forward-looking integrity of the pool is restored. The question of whether prior exploitation diluted the overall supply remains structurally unanswerable. Shielded Labs' proposed turnstile accounting upgrade, when deployed, will provide supply verification for the new pool going forward. If you are assessing your Orchard exposure, the honest answer is that the pre-patch supply cannot be audited and any estimate of the damage, including zero, cannot be proven cryptographically.
If you self-custody Bitcoin using your own private keys, the Orchard story adds a structural distinction worth holding. Your private keys give you key control: no one can spend your Bitcoin without your signature. That is the foundation of self-custody and it is a strong property. Bitcoin also gives you supply verifiability: every node on the network can confirm that total supply matches the protocol schedule, that no counterfeit coins exist, and that every UTXO traces to a valid coinbase transaction. Privacy coins trade supply verifiability for transaction privacy. That is a coherent choice for specific operational contexts. It is not a free one. Zcash's Orchard pool illustrates what the cost looks like when a zero-knowledge circuit carries a flaw for four years and the privacy mechanism prevents detecting it.
What to Watch
Watch Shielded Labs' turnstile accounting network upgrade proposal for both the design details and community response to whether it addresses the pre-patch supply question at all or only forward-looking integrity. The Zcash Foundation's post-mortem on why the vulnerability survived four years of expert circuit audits deserves close attention, since that methodology gap is relevant to every zero-knowledge protocol currently in production. Whether Hornby's AI-assisted auditing technique, pairing a custom framework with Opus 4.8, produces additional findings in other zero-knowledge systems is the next test, since the Orchard discovery suggests this class of targeted AI-accelerated circuit review is finding real bugs faster than prior methods. Watch the Monero and Firo communities for whether they commission analogous targeted audits in response, and the ZODL future disclosure process for whether the three-day private-fix window before public disclosure becomes a documented standard or generates pressure for more transparent response timelines.