Zcash shed more than $5 billion in market value this week after a bug was discovered in its Orchard shielded pool — a vulnerability that could have let an attacker mint counterfeit coins without detection. The flaw, which had lurked in the protocol since May 2022, was found by security engineer Taylor Hornby on May 29 using Anthropic's Claude AI model. An emergency network upgrade and hard fork patched it within days, before any exploit occurred.
How the bug was found
Hornby, a security engineer engaged by Shielded Labs, spotted the issue while analyzing Zcash's Orchard circuit implementation with Anthropic's Opus 4.8 AI model. The bug allowed false information to pass as valid in private transactions — essentially a backdoor that could be used to counterfeit ZEC inside the shielded pool. The vulnerability existed despite multiple reviews by cryptographers, engineers, and auditors over the years.
The market reaction
ZEC's price plunged more than 50% to a low of $255, before recovering to roughly $321 at press time. The total market cap dropped from around $10 billion to $4.5 billion during the worst of the sell-off, then climbed back to about $5.3 billion. The sell-off wiped out roughly half the project's valuation in a matter of days, though the patch appears to have calmed some fears.
Why it went unnoticed for so long
The bug had been present in the Orchard pool since its launch in May 2022 — about four years. That's a long time for a critical vulnerability to sit in a protocol claiming to offer privacy. Roughly 30% of circulating ZEC — over 5 million coins — sits in shielded addresses, according to data from Zechub, making the Orchard pool a high-value target. The fact that it survived repeated audits highlights the difficulty of auditing zero-knowledge circuits, even for experts.
What happens now
The hard fork is live; the exploit window is closed. But the incident raises questions about the long-term viability of Zcash's approach to privacy and the adequacy of its security processes. For now, the project's focus is on regaining user trust and ensuring the Orchard codebase gets more frequent, independent reviews. The next major test will be whether ZEC can hold its recent price floor or whether the confidence damage proves lasting.
