Zcash patched a critical soundness vulnerability in its Orchard shielded pool last week, closing a bug that could have allowed double-spending within the privacy-focused pool. The flaw, discovered by researcher Taylor Hornby during a protocol audit for Shielded Labs, was fixed via a coordinated soft fork and then a full hard fork upgrade (NU6.2) on June 3. The Zcash Foundation said there's no evidence the vulnerability was ever exploited, and total ZEC supply remains safe.
Inside the Orchard flaw
The vulnerability lived in the Orchard pool's zero-knowledge proof circuit. It could have let an attacker create invalid state transitions — essentially, spend the same coins twice inside that pool. But the turnstile mechanism, which tracks total ZEC across all pools, would have blocked any attempt to inflate the overall supply. So while the Orchard pool itself was at risk, the broader Zcash economy wasn't. The privacy of funds in all pools also stayed intact.
Hornby flagged the issue during a routine audit. Developers, miners, and infrastructure operators then coordinated privately to prepare a fix, keeping details under wraps to avoid giving bad actors a head start.
Coordinated fix and hard fork
The first soft fork attempt hit technical problems. A revised patch followed, activated on June 2, but it temporarily disabled Orchard-related transactions. That wasn't ideal, but it bought time. The next day, the network completed the NU6.2 hard fork, restoring Orchard functionality with corrected code and permanently resolving the vulnerability.
On social media, some users thought the network had gone offline. The confusion stemmed from block explorers connected to outdated nodes — not an actual chain failure. The Zcash Foundation clarified the network was operating normally.
Price rally despite broader market dip
ZEC jumped over 8% intraday to retest $636 on the news, then surged roughly 20% over two days while the broader crypto market declined. The $600 support level held after a brief dip below it. As of writing, ZEC trades at $612, up 9.5% on the weekly timeframe. The price action suggests investors saw the swift, clean fix as a net positive for the protocol's reliability.
The network is now fully operational with corrected code. Developers continue monitoring for any residual issues, but the immediate crisis is over.
