Behind ZEC’s plunge of over 30%: an “infinite minting” vulnerability whose exploitation can be neither proven nor ruled out

Author: Rhythm BlockBeats

Repost: Mars Finance

TL;DR

On June 5th, Zcash founder Zooko Wilcox published an unusually long security review.

The article disclosed that on May 29th security researcher Taylor Hornby discovered a serious counterfeiting vulnerability in Orchard, Zcash's newest privacy pool. Attackers could craft a transaction that should not pass verification, generating unlimited and undetectable fake ZEC within Orchard.

This is not just a theoretical risk. Taylor has already written a complete exploit program in a local testing environment, which has actually generated fake ZEC. If the same program is deployed to the mainnet, attackers could theoretically generate unlimited fake assets in their own mainnet wallets.

After the information was made public, ZEC fell by more than 30% at one point. CoinMarketCap data shows that ZEC fell to a low of $408.39 within 24 hours, about one-third below the peak of $610.47 during the same period. Unfortunately, ZEC had been one of the few recent tokens in the crypto space with a strong wealth effect, favored by many big players for its promising narrative, and that narrative has now been shattered by this vulnerability.

Judged by the outcome alone, this looks like another familiar crypto security incident: a vulnerability is discovered, developers rush to fix it, and the market panics.

But the truly tricky part of the Orchard incident is that, although the vulnerability has been fixed, the Zcash community cannot directly answer another, more sensitive question:

Has anyone exploited this vulnerability in the past four years?

A four-day emergency fix, with Orchard temporarily halted

Orchard is a new-generation privacy payment protocol launched by Zcash in 2022, and it is one of the main privacy pools Zcash currently uses. Users can hide balances, transaction amounts, and fund flows, while using zero-knowledge proofs to show the network that their transactions follow the rules.

According to the timeline disclosed by Zooko, Shielded Labs, and the Zcash community, Taylor discovered anomalies during a targeted security review of the Orchard circuit on May 29th, and immediately disclosed the vulnerability privately to Zcash Open Development Lab (ZODL). Shielded Labs is an independent Zcash ecosystem support organization based in Switzerland, funded by donations, involved in protocol development, security, and network sustainability, and not affiliated with the Zcash Foundation or ZODL.

ZODL engineers confirmed the issue’s existence within hours of receiving the report and began seeking a fix. Since directly publicizing the code patch could expose the vulnerability’s details, the team first chose to temporarily shut down Orchard: disabling the creation of new Orchard outputs and preventing spending of existing funds within Orchard.

After coordinating upgrades with developers, miners, node operators, exchanges, and infrastructure providers, an emergency soft fork took effect on June 2nd. Subsequently, Zcash performed a hard fork to update the Orchard verification keys, and on June 3rd, restored Orchard functionality. During this period, transparent addresses and the Sapling privacy pool continued to operate.

From disclosure to fix completion, the entire process took only a few days. By emergency response standards, this was a fairly successful handling.

But the market did not calm down just because the vulnerability was fixed, because the fix addressed the future, not the past.

The market's concern is not whether attacks will still happen, but whether they have already occurred

Ordinary security incidents usually have a relatively clear loss scale. If a smart contract is hacked, on-chain tracking can show how many assets the attacker stole; if a cross-chain bridge has a vulnerability, fund flows and affected addresses can be analyzed.

The Orchard incident is different.

According to Shielded Labs, this vulnerability could be used to generate unlimited and undetectable fake ZEC within Orchard. Because Orchard itself has privacy features, external parties cannot, through cryptography alone, definitively prove whether anyone exploited this attack vector before the fix.

This means the market faces not a confirmed loss figure, but an uncertain, hard-to-quantify risk:

If someone did discover and exploit the vulnerability in the past, does fake ZEC already exist inside Orchard? If so, what is the scale? Are these assets still in the privacy pool? Have they been gradually drained through normal transactions?

More importantly, this risk window did not only start on May 29th. Shielded Labs states that the vulnerability has existed since Orchard was enabled in May 2022, until the emergency fix was completed in June 2026. In other words, the issue has been lurking for nearly four years.

The market’s real concern is not what happened between May 29th and June 2nd, but whether any abnormal activity has already occurred over the past four years that cannot be directly observed.

This is also the core reason why ZEC plunged over 30%.

The market is not just selling off a vulnerability, but re-pricing the credibility of supply.

How an omitted mathematical constraint became an “infinite minting” risk

When we see the words “infinite minting vulnerability,” our first reaction is that hackers have gained admin privileges or obtained some protocol backdoor.

The reality is more fundamental.

The security of Orchard relies on a set of zero-knowledge proof circuits (Orchard circuit). Users can hide transaction details, but must prove to the network that their transactions satisfy protocol rules. The most critical rule is asset conservation: a transaction cannot create value out of thin air.

In simple terms, users can choose not to disclose how many ZEC they own or to whom they transfer, but the network must be able to verify that:

The assets spent indeed come from legitimate inputs.

The problem Taylor discovered lies in an elliptic curve multiplication check within the Orchard circuit.

Shielded Labs describes this as an “under-constrained element,” meaning the circuit’s constraints are incomplete. Because the related mathematical relationships are not fully constrained, an attacker can feed arbitrary incorrect data into the elliptic curve multiplication process, and verification may still pass.

In other words, attackers do not need to break cryptography or control network nodes.

They only need to craft a set of data that should not be valid, causing the system to erroneously believe the transaction still satisfies asset conservation.

Once this false proof is accepted by the network, nonexistent ZEC can be regarded as legitimate assets, continuing to exist within Orchard.

This is why Shielded Labs used extremely strong language:

unlimited, undetectable counterfeit ZEC
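What "under-constrained" means, as an added toy example in Python (not the Orchard circuit and not code from Zcash or Shielded Labs): a circuit meant to prove y = x³ uses an intermediate value t, and dropping the single constraint t = x·x lets a witness for a false statement pass. The field modulus, function names and sample values are assumptions chosen for illustration.

```python
P = 2**61 - 1  # prime modulus of the toy field (assumption, unrelated to Orchard)


def full_circuit(y, x, t):
    """Both constraints present: t = x*x and y = t*x, so y must equal x^3."""
    return (t - x * x) % P == 0 and (y - t * x) % P == 0


def under_constrained_circuit(y, x, t):
    """Same circuit with the constraint t = x*x left out: t is now a free value."""
    return (y - t * x) % P == 0


def honest_witness(x):
    """Witness for a true statement: returns (y, x, t) with y = x^3."""
    t = x * x % P
    return t * x % P, x, t


def mismatched_witness(y, x):
    """Witness for a false statement: y is arbitrary, t is solved from the
    one remaining constraint instead of being computed as x*x."""
    t = y * pow(x, -1, P) % P
    return y, x, t


if __name__ == "__main__":
    for label, w in (("honest", honest_witness(5)),
                     ("mismatched", mismatched_witness(7, 5))):
        print(label, "full:", full_circuit(*w),
              "under-constrained:", under_constrained_circuit(*w))
```

The full circuit rejects the mismatched witness because 7 is not 5³; the weakened one accepts it, which is the sense in which a verifier can "pass" data that should not be valid.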

The real danger is not just “infinite,” but “undetectable.”

There is an important distinction between these two statements.

The Zcash Foundation, in its post-upgrade announcement, stated that there is no evidence that the vulnerability has been exploited, and no unauthorized value creation has been detected; user funds and privacy remain unaffected. The announcement also emphasized that Zcash’s original Turnstile Accounting mechanism can track value flows between different pools and protect the total supply cap of 21 million ZEC.

Meanwhile, Shielded Labs explicitly states that it cannot rely solely on cryptographic proofs to confirm that no counterfeit ZEC has ever appeared in Orchard’s history.

These two statements may seem contradictory, but they focus on different levels.

Zcash’s existing Turnstile Accounting can be understood as a “gate” between different pools. The system can count how many legitimate assets have entered Orchard and limit the amount that can flow out.

Suppose Orchard originally held 1 million legitimate ZEC. Even if an attacker forges more assets internally, the system would not allow more than the legitimate amount to be withdrawn. This prevents the total supply cap of Zcash from being easily breached.

But this mechanism cannot directly prove that no counterfeit assets have ever existed inside Orchard.

If forged assets still remain in Orchard, or are gradually replacing real assets within the permitted withdrawal limit, the existing accounting mechanism may not be able to provide a definitive historical conclusion.

For this long-established privacy project, we only know that no evidence of abnormal minting has been found so far, but the community still cannot directly prove that no counterfeit assets have ever existed inside Orchard.

This is the most difficult risk type for the market to handle.

The issue is not how many fake coins have been discovered, but that no one can conclusively confirm that fake coins have never appeared.

How can Zcash re-verify that Orchard contains no counterfeit coins?

Fixing the vulnerability is only the first step.

Shielded Labs has announced that it is working with other Zcash developers on a new network upgrade proposal. The plan includes deploying a new privacy pool and enforcing Turnstile Accounting on all assets migrated out of Orchard.

This is akin to setting a new migration gate for Orchard.

Assets in the old Orchard must migrate to the new privacy pool according to verifiable rules. The system can re-count the legitimate assets that have flowed out and determine whether there are additional ZEC that cannot be migrated normally.

If the upgrade proceeds smoothly, anyone can verify the integrity of Zcash’s supply and further prove that no counterfeit assets exist inside Orchard.
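The Turnstile Accounting behaviour described earlier and the migration gate proposed above can be made concrete with a simplified model. This is an added example, not Zcash code: the `ShieldedPool` class, its method names and the 250,000 forged amount are assumptions, while the 1 million figure is the article's.

```python
class TurnstileViolation(Exception):
    """A withdrawal would push the pool's public balance below zero."""

class ShieldedPool:
    def __init__(self):
        self.public_balance = 0  # deposits minus withdrawals, visible to every node
        self.hidden_notes = {}   # owner -> value; observers cannot see this in a real pool

    def deposit(self, owner, amount):
        self.public_balance += amount
        self.hidden_notes[owner] = self.hidden_notes.get(owner, 0) + amount

    def forge(self, owner, amount):
        # Models a proof that wrongly verifies: hidden value grows while the
        # public balance does not move, so nothing looks unusual from outside.
        self.hidden_notes[owner] = self.hidden_notes.get(owner, 0) + amount

    def withdraw(self, owner, amount):
        if amount > self.hidden_notes.get(owner, 0):
            raise ValueError("owner does not hold that much")
        if amount > self.public_balance:
            raise TurnstileViolation("pool balance would go negative")
        self.hidden_notes[owner] -= amount
        self.public_balance -= amount
        return amount

def migrate_all(pool):
    """Move every note out through the turnstile; return (migrated, stranded)."""
    migrated = stranded = 0
    for owner, value in list(pool.hidden_notes.items()):
        movable = min(value, pool.public_balance)
        if movable:
            migrated += pool.withdraw(owner, movable)
        stranded += value - movable
    return migrated, stranded

def scenario(forged):
    """Constructed scenario: 1,000,000 legitimate ZEC plus `forged` counterfeit.
    Returns (public balance after forgery, total that left the pool, stranded)."""
    pool = ShieldedPool()
    pool.deposit("honest", 1_000_000)
    if forged:
        pool.forge("attacker", forged)
    visible_after_forgery = pool.public_balance
    exited_early = pool.withdraw("attacker", forged) if forged else 0
    migrated, stranded = migrate_all(pool)
    return visible_after_forgery, exited_early + migrated, stranded

if __name__ == "__main__":
    print(scenario(0), scenario(250_000))
```

In both runs the public balance after the forgery step and the total that leaves the pool are 1,000,000, so the supply cap holds and nothing is visible beforehand. Only the full migration exposes the difference, as value that cannot get through the gate.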

The significance of this plan is not just fixing code, but rebuilding market trust in Orchard.

Because in privacy systems, trust does not come from “we believe no attack has occurred,” but from “anyone can verify that no attack has occurred.”

Shielded Labs also admits that the probability of prior malicious exploitation was low. The vulnerability was hidden for years, and its discovery was extremely difficult; Taylor actively searched for such issues in dedicated security research projects; after disclosure, the ecosystem rapidly closed the attack window within days.

But Shielded Labs emphasizes that users should not rely solely on the developers’ subjective judgment.

What the market needs is proof.

Why was a vulnerability hidden for four years only discovered now?

The Orchard incident also has a detail that is easily overlooked by the market.

On May 28th, Anthropic released Claude Opus 4.8.

One day later, Taylor discovered the Orchard vulnerability.

According to Zooko and Shielded Labs’ review, Taylor used Opus 4.8 shortly after its release to conduct a highly targeted review of the Orchard circuit, and on May 29th, found the issue. Subsequently, with the help of Opus 4.8, he developed a complete exploit program that generated unlimited, undetectable fake ZEC in a local environment.

This detail is worth noting, not because AI can now independently perform cryptographic audits.

Public information does not support such an exaggerated conclusion.

Taylor himself is an experienced security researcher. Shielded Labs also mentions that he used a combination of traditional security research methods, customized AI tools, and specially designed prompts. Opus 4.8 was an important tool in the review process, but not the only factor.

What is truly noteworthy is that Taylor did not use Claude Mythos Preview, Anthropic’s specialized model for cybersecurity scenarios whose public access is restricted, but the recently released general model Opus 4.8.

Anthropic positions Mythos Preview as a cutting-edge model with significant vulnerability discovery and exploitation capabilities. Due to potential misuse risks, Anthropic has not made this model directly available to the public, but provides access to selected partners via Project Glasswing.

In contrast, Opus 4.8 is a general model accessible to ordinary developers. Anthropic emphasizes that it has improved in code analysis, complex task execution, and code defect detection.

This is the more noteworthy signal from the Orchard incident:

The ability to discover high-value vulnerabilities is spreading from specialized security models to general-purpose models.

A general model released just one day earlier, under expert guidance, could already take part in reviewing complex zero-knowledge proof circuits and help discover a critical vulnerability nearly four years old.

This does not mean cryptography experts are no longer important.

On the contrary, Taylor’s experience, the choice of review targets, and the ability to verify model outputs remain central to the process.

But the combination of experts and AI is significantly lowering the cost of discovering complex vulnerabilities.

Vulnerability closed, but the market still awaits answers

For Zcash, the most urgent attack window has closed.

Orchard functionality has been restored, verification circuits updated, and there is no current evidence of malicious exploitation.

But the over 30% plunge in ZEC indicates that the market’s concern is not just whether the code has been fixed.

The market is still waiting for a more thorough answer:

In those nearly four years, has there ever been fake ZEC inside Orchard?

If the new privacy pool and Turnstile Accounting upgrade are successfully implemented, the community will finally have the opportunity to verify supply integrity and rebuild market trust.

But before that proof is complete, the Orchard incident still leaves an unavoidable suspense:

Did that theoretically unlimited fake ZEC truly never exist, or has it been hidden somewhere no one can see?
