ZEC surges 42%, ZODL co-founder explains Zcash's two-phase emergency upgrade

Zcash Launches Two-Stage Emergency Upgrade: First Soft Fork Pauses Orchard Transactions, Then Hard Fork NU6.2 Fixes Core Vulnerability. ZODL Co-Founder Josh Swihart Details the Entire Repair Process.
(Background Recap: Zcash Resolves Double-Spend Crisis! Emergency Hard Fork Upgrade Fixes Zero-Knowledge Proof Vulnerability, Officially Confirming No Funds Lost)
(Additional Context: Zcash Publishes "Ironwood" Proposal: Allow Anyone to Verify ZEC Circulation, Restoring Confidence?)

Table of Contents

Toggle

• Stage One: Soft Fork Pauses Orchard Transactions
• Stage Two: NU6.2 Hard Fork Fixes Core Vulnerability
• Independent Organization ShieldedLabs Takes Proactive Action
• Miner Collaboration and Code Review

Privacy Cryptocurrency Zcash’s ZODL Co-Founder Josh Swihart detailed on June 8th via X platform how the Zcash team fixed a serious vulnerability in the Orchard privacy pool. Zcash has rolled out a two-stage emergency upgrade plan: the first stage is a soft fork to temporarily halt Orchard transactions, and the second stage is a hard fork NU6.2 to fix the underlying flaw.

Stage One: Soft Fork Pauses Orchard Transactions

Swihart stated that the ZODL team first used a soft fork to temporarily disable Orchard transactions, ensuring the vulnerability could not be exploited before being fixed. The advantage of a soft fork is that it does not require large-scale upgrades by miners and nodes, while still preserving the full new functionality.

During this first stage, Zcash’s Orchard privacy pool faced two issues: first, the newly added ZEC might have an invisible but valid “zero” output; second, transaction change outputs could be slightly less than expected. The soft fork’s pause measure gave the team ample time to complete verification and fixes.

Stage Two: NU6.2 Hard Fork Fixes Core Vulnerability

On June 3rd, the team successfully launched the NU6.2 hard fork. This upgrade fixed the calculation logic of the underlying Orchard circuit, ensuring all ZEC transactions are validated through the correct path.

NU6.2 also re-enabled Orchard transaction functionality, restoring normal operation of Zcash’s privacy transactions. Swihart pointed out that Orchard is currently Zcash’s core privacy pool, responsible for verifying that each incoming transaction is legitimate.

Independent Organization ShieldedLabs Takes Proactive Action

The vulnerability was first disclosed by the independent technical support organization ShieldedLabs. The organization stated that the Orchard privacy pool had a serious flaw that could theoretically allow attackers to infinitely mint counterfeit ZEC tokens.

ShieldedLabs confirmed that the vulnerability has been fixed and that there is currently no evidence it was exploited in practice. The Zcash network maintained a zero-loss status after the fix.

Miner Collaboration and Code Review

Swihart revealed that during the process, the ZODL team actively responded to code review requests from miners and exchanges to demonstrate the reliability of the fix. Notably, major mining pools ViaBTC and Foundry played key roles in coordinating the emergency response.

This incident highlights the behind-the-scenes quality control mechanisms of Zcash’s privacy blockchain — through a process of disclosure first, then fixing, and finally verification — ensuring the mainnet remains stable before completing the upgrade.