Zcash Patches Critical Orchard Forgery Bug With Emergency Hard Fork

A four-year-old soundness flaw could have minted counterfeit ZEC. Devs killed it in five days. The market sold off anyway.

Oliver Senti, Senior AI Editor
June 5, 2026 · 4 min read

Zcash founder Zooko Wilcox disclosed details this week of a critical forgery vulnerability in the Orchard shielded pool, a flaw discovered, patched, and resolved through an emergency network upgrade between May 29 and June 3. The bug had been sitting in the codebase since Orchard went live in May 2022.

Here is the uncomfortable part. Because Orchard is private by design, nobody can cryptographically prove whether anyone exploited the bug before it got fixed. Wilcox said as much in his disclosure post, framing the network upgrade as the thing that restores confidence in the supply going forward, not a guarantee about the past.

What actually broke

The flaw lived in the Orchard zero-knowledge proof circuit, specifically inside the halo2_gadgets crate. Soundness, in ZK terms, means the system only accepts valid state transitions. This bug broke that. A successful exploit could have forged transactions and let someone double-spend inside the Orchard pool.

It could not, however, inflate the total ZEC supply. Zcash's turnstile mechanism tracks balance invariants across every value pool, and that gave engineers a verifiable ground truth that the 21-million cap held throughout. So the worst case was counterfeit coins circulating inside the private pool, not money printed out of thin air. Bad, but bounded.
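
The bound described above can be seen in a small model of turnstile accounting. This is an added example, not code from Zcash or the article; it assumes the invariant is "a pool's public net balance may never go negative", and the `Pool`, `BlockDelta`, `Violation` and `Turnstile` names, heights and amounts are constructed for illustration.

```rust
use std::collections::HashMap;
// Simplified turnstile model (added example, not Zcash's implementation).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
enum Pool { Sapling, Orchard }

/// A block that would make a pool pay out more than ever entered it.
#[derive(Debug, PartialEq)]
struct Violation { height: u32, pool: Pool, would_be: i128 }

/// Net value one block moves into (+) or out of (-) a shielded pool.
struct BlockDelta { height: u32, pool: Pool, delta: i64 }

#[derive(Default)]
struct Turnstile { balances: HashMap<Pool, i128> }

impl Turnstile {
    /// Apply one block; the i128 accumulator avoids i64 overflow.
    fn apply(&mut self, d: &BlockDelta) -> Result<i128, Violation> {
        let current = *self.balances.get(&d.pool).unwrap_or(&0);
        let next = current + i128::from(d.delta);
        if next < 0 {
            return Err(Violation { height: d.height, pool: d.pool, would_be: next });
        }
        self.balances.insert(d.pool, next);
        Ok(next)
    }
}

/// Replay deltas in order, stopping at the first violation.
fn replay(deltas: &[BlockDelta]) -> Result<Turnstile, Violation> {
    let mut t = Turnstile::default();
    for d in deltas { t.apply(d)?; }
    Ok(t)
}

// Constructed sample: heights and amounts are illustrative only.
fn sample_chain() -> Vec<BlockDelta> {
    vec![
        BlockDelta { height: 1, pool: Pool::Orchard, delta: 500 },
        BlockDelta { height: 2, pool: Pool::Sapling, delta: 300 },
        BlockDelta { height: 3, pool: Pool::Orchard, delta: -200 },
        // Forged notes try to exit: 300 remain in Orchard, 400 requested.
        BlockDelta { height: 4, pool: Pool::Orchard, delta: -400 },
    ]
}

fn main() {
    println!("{:?}", replay(&sample_chain()).err());
}
```

The check only sees pool-level totals, so it bounds how much value can leave a pool but says nothing about whether notes moving inside the pool are genuine.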

The AI part everyone is talking about

Taylor Hornby, an independent researcher running a protocol audit funded by Shielded Labs, found the bug on May 29. He used Anthropic's Opus 4.8 model during a targeted review of the Orchard circuit, then went further and wrote a working proof-of-concept that generated counterfeit ZEC in local testing.

Shielded Labs stated plainly that the same tool, run on the live network, would have produced counterfeit tokens in the attacker's wallet. That is the detail that should make people sit up. Not that AI found a bug, but that it found one humans missed for four years in code that had passed audits before.

"The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard," Wilcox wrote, which reads like a nightmare until you remember the turnstile capped the actual damage and no exploit was ever detected on mainnet.

Five days, two forks

The response came in two stages. On June 2 at roughly 02:00 UTC, a soft fork at block height 3,363,426 disabled all Orchard-containing transactions while engineers finalized the fix. Orchard came back on June 3 when the NU6.2 hard fork activated at block 3,364,600 with a corrected circuit. Sapling and transparent transactions kept running the whole time.

Engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the bug within hours of Hornby's disclosure and coordinated from there. This was only the second security-driven protocol upgrade in Zcash history since the network launched in 2016, which tells you both how rare these events are and how seriously the team treated this one.

So why did ZEC crash?

By any reasonable standard this was a clean incident response. Hire a researcher to hunt for exactly this kind of flaw, find it before attackers do, fix it in days, prove the supply is intact. And the token fell more than 30% after the public disclosure on June 5 regardless.

Price figures vary depending on which outlet you read and when they pulled the number, so take the exact percentages with a grain of salt. The direction is not in dispute. The market punished a project for being transparent about a bug that, as far as anyone can verify, was never used. That is either irrational or a sign that privacy coin holders quietly understand the limits of "trust us, the supply is fine" when the whole point is that you cannot see inside the pool.

Shielded Labs has separately said it plans a new privacy pool with turnstile accounting applied to all Orchard tokens, a further supply-integrity measure. No date on that yet.
