Arthur Hayes, co-founder of BitMEX, has liquidated his entire Zcash (ZEC) position after a critical bug was discovered in the protocol's Orchard Pool. The flaw, an insufficient constraint in elliptic-curve multiplication inside the halo2_gadgets crate, could have allowed counterfeit ZEC to pass verification. Hayes said he sold because the privacy narrative demands cryptographic certainty — and that's no longer possible to guarantee.
Inside the Orchard Pool Bug
Security engineer Taylor Hornby of Shielded Labs found the bug on May 29, 2026, using AI-assisted formal methods that included Anthropic's Claude Opus 4.8. The vulnerability had been present since the NU5 upgrade in May 2022 — nearly four years. An emergency hard fork patched the flaw on June 3, but the damage to trust may be lasting.
Because of Orchard's privacy architecture, it is cryptographically impossible to prove that counterfeit ZEC was never minted during that window. Hayes noted the probability of unauthorized minting is extremely low, but said that's not enough for a privacy coin. “You can't prove a negative in a shielded pool,” he remarked.
Why Hayes Sold
Hayes had held ZEC as part of his 'Holy Trinity' portfolio alongside HYPE and NEAR tokens — both of which he'd already sold. This week he exited the remaining ZEC position. He continues to hold Worldcoin (WLD), which was not part of the Trinity framework.
His reasoning was blunt: the bug erodes the very premise of a privacy asset. Without mathematical proof that no coins were minted illicitly, the trust model breaks.
The Price Hit
Following the bug's disclosure, ZEC dropped 30–36%, falling from above $600 to roughly $390. That wiped out over $3 billion in market capitalization. The sell-off accelerated after Hayes's liquidation became known, though the broader market had already started pricing in uncertainty.
An Open Question
The Zcash community now faces a hard problem: restore confidence in a protocol whose core privacy feature makes audits impossible. The emergency patch closed the technical hole, but the shadow of four years of potential exploitation remains. Whether users and investors can shrug that off — or whether this marks a turning point for privacy coins — is the unresolved question as the week closes.
