
Zcash Founder Discloses Critical Orchard Forgery Flaw Fixed by Emergency Hard Fork

Zcash founder Zooko Wilcox has publicly disclosed the details of a critical forgery vulnerability in the Orchard shielded pool that was discovered, patched, and resolved through an emergency network upgrade between May 29 and June 3.

"The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard. Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated. However, a network upgrade can be deployed to protect users and prove the integrity of the Zcash supply," Wilcox said in a post on X.

ZEC fell more than 30% on June 5 following the public disclosure, trading at approximately $40 against a prior close of $457. The token had been trading as high as $736 earlier in its 52-week range. The sell-off reflects standard market reaction to critical protocol disclosures, even when no exploitation occurred and the fix is already live.

The bug was found by Taylor Hornby, an independent security researcher conducting an ongoing protocol audit on behalf of Shielded Labs. Hornby, who used Anthropic's Opus 4.8 model as part of a highly targeted review of the Orchard circuit, disclosed the issue to ZODL core engineers on the evening of May 29. Within hours, engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the vulnerability and began coordinating a response.

The flaw was a soundness bug in the implementation of the Orchard zero-knowledge proof circuit in the halo2_gadgets crate. In a ZK-proof system, soundness means the protocol should only accept valid state transitions. This vulnerability broke that property: a successful exploit could have allowed an attacker to forge transactions and double-spend funds within the Orchard pool. It could not, however, inflate the total ZEC supply. Zcash's turnstile mechanism – which tracks and enforces balance invariants across all value pools – provided a verifiable ground truth that the supply cap remained intact throughout the incident.
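The turnstile invariant described above can be sketched as a per-pool running balance that a block may never drive below zero. This is an added example, not code from the article or from any Zcash node; the types, function names, heights and amounts are constructed, and it models only the accounting rule, not the circuit.

```rust
// Simplified turnstile model (added example, not Zcash node code; values are constructed).
#[derive(Clone, Copy, Debug, PartialEq)]
enum Pool { Sapling = 0, Orchard = 1 }

#[derive(Debug, PartialEq)]
struct Rejected { height: u32, pool: Pool, shortfall: i64 }

#[derive(Default)]
struct Turnstile { balance: [i64; 2] }

impl Turnstile {
    /// Apply one block's net flows per pool: positive = value entering,
    /// negative = value leaving. The whole block is rejected if any pool's
    /// running balance would fall below zero.
    fn apply_block(&mut self, height: u32, flows: &[(Pool, i64)]) -> Result<(), Rejected> {
        let mut next = self.balance; // copy, so a rejected block changes nothing
        for &(pool, delta) in flows {
            let slot = &mut next[pool as usize];
            *slot = slot.checked_add(delta) // overflow also invalidates the block
                .ok_or(Rejected { height, pool, shortfall: i64::MAX })?;
        }
        for pool in [Pool::Sapling, Pool::Orchard] {
            let b = next[pool as usize];
            if b < 0 {
                return Err(Rejected { height, pool, shortfall: 0i64.saturating_sub(b) });
            }
        }
        self.balance = next;
        Ok(())
    }
}

/// Constructed scenario: 100 units enter Orchard, 60 leave honestly, then a
/// spend backed by forged notes tries to withdraw 75 from the remaining 40.
fn scenario() -> (Vec<Result<(), Rejected>>, i64) {
    let mut t = Turnstile::default();
    let blocks = [
        (1u32, vec![(Pool::Orchard, 100i64)]),
        (2, vec![(Pool::Orchard, -60)]),
        (3, vec![(Pool::Orchard, -75)]),
    ];
    let results: Vec<_> = blocks.iter().map(|(h, f)| t.apply_block(*h, f)).collect();
    (results, t.balance[Pool::Orchard as usize])
}

fn main() {
    let (results, orchard) = scenario();
    println!("{:?}; Orchard balance = {}", results, orchard);
}
```

The third block is rejected even if its proof verifies, because the check depends only on publicly visible flows into and out of the pool.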

Hornby went further than identifying the flaw. Aided by an AI model, he wrote a complete proof-of-concept exploit and successfully generated counterfeit ZEC in local testing. There is no evidence the vulnerability was exploited on mainnet, and no unauthorised value was created.

The response unfolded in two stages. On June 2 at approximately 02:00 UTC, a soft fork at block height 3,363,426 temporarily disabled all Orchard-containing transactions while the circuit fix was finalised. Orchard was then re-enabled on June 3 at 00:05 EDT when the NU6.2 hard fork activated at block height 3,364,600, introducing a corrected circuit and permanently closing the vulnerability. Sapling and transparent transactions continued operating normally throughout. The five-day response from disclosure to full resolution was only the second security-driven protocol upgrade in Zcash history since the network launched in 2016.

The Orchard pool was introduced with NU5 in May 2022 as the centrepiece of Zcash's privacy architecture. Built on the Halo 2 proving system, it was the first Zcash pool to require no trusted setup, a milestone the ecosystem had targeted for years. The bug had existed in the codebase since that launch – a four-year window during which it went undetected. The independent audit that found it was funded by Shielded Labs, which has separately announced plans to deploy a new privacy pool with turnstile accounting for all Orchard tokens as a further supply-integrity measure.
