Zcash developers rushed out emergency patches last week after discovering a critical vulnerability in the Orchard shielded pool that could have allowed an attacker to create unlimited counterfeit ZEC. The bug was found by security researcher Taylor Hornby on May 29 using AI-assisted formal methods, triggering a fire drill that ended with a hard fork just four days later. But because Zcash's privacy architecture makes supply auditing impossible, the team cannot prove the exploit was ever used — or that it wasn't.
The bug and its discovery
The flaw lived in an under-constrained element inside the elliptic-curve multiplication gadget in the halo2_gadgets crate, part of the zero-knowledge proof system underpinning Orchard. It had been there since Orchard's mainnet activation in May 2022 — roughly four years. That meant anyone who knew about it could, in theory, mint ZEC out of thin air without leaving a trace on-chain.
Hornby found the issue using formal verification tools trained on cryptographic code. The vulnerability affected all halo2_gadgets versions before v0.5.0, orchard before v0.14.0, and zcashd versions v5.0.0 through v6.12.3.
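To make the bug class concrete, here is an added illustration that is not Zcash, halo2_gadgets or Hornby's code: a toy arithmetic circuit over a tiny prime field, with a deliberately under-constrained range-check gadget beside its fully constrained form, and a brute-force soundness check of the kind that formal tools perform symbolically. The field size, variable names and gadget are all constructed for the example; the real circuit works over a ~255-bit field and the real defect was in an elliptic-curve multiplication gadget, not a range check.

```python
"""Toy demonstration of an under-constrained circuit gadget (constructed example).

A zero-knowledge verifier only checks that every constraint evaluates to zero.
If the constraint set admits witnesses the designer never intended, a prover can
get such a witness accepted, which is exactly how an under-constrained gadget in
a value-carrying circuit turns into counterfeit value.
"""
from itertools import product

P = 7  # constructed tiny prime field so we can enumerate every witness
VARS = ("v", "b0", "b1")  # hypothetical gadget variables


def range_check_constraints(full: bool):
    """Gadget intended to enforce v == b0 + 2*b1 with b0, b1 in {0, 1}, i.e. v in 0..3.

    With full=False the booleanity constraint on b1 is omitted: the gadget is
    under-constrained, and b1 may take any field value.
    """
    cs = [
        lambda w: (w["v"] - (w["b0"] + 2 * w["b1"])) % P,  # recomposition
        lambda w: (w["b0"] * (w["b0"] - 1)) % P,            # b0 is boolean
    ]
    if full:
        cs.append(lambda w: (w["b1"] * (w["b1"] - 1)) % P)  # b1 is boolean
    return cs


def verifier_accepts(constraints, witness) -> bool:
    """What the verifier checks: every constraint polynomial is zero."""
    return all(c(witness) == 0 for c in constraints)


def spec_accepts(witness) -> bool:
    """What the designer meant: v lies in the 2-bit range."""
    return witness["v"] in (0, 1, 2, 3)


def find_soundness_violations(constraints, variables=VARS):
    """Enumerate every assignment over the field and return those the verifier
    accepts but the specification rejects. An empty list means the gadget pins
    down the intended relation; a non-empty list is an under-constraint."""
    violations = []
    for values in product(range(P), repeat=len(variables)):
        w = dict(zip(variables, values))
        if verifier_accepts(constraints, w) and not spec_accepts(w):
            violations.append(w)
    return violations


def audit() -> dict:
    """Run the check against both variants of the gadget."""
    return {
        "fully_constrained": find_soundness_violations(range_check_constraints(True)),
        "under_constrained": find_soundness_violations(range_check_constraints(False)),
    }


if __name__ == "__main__":
    result = audit()
    print("fully constrained violations:", len(result["fully_constrained"]))
    print("under-constrained violations:", len(result["under_constrained"]))
    for w in result["under_constrained"]:
        # e.g. v=6 with b1=3 passes although the gadget was meant to cap v at 3
        print("  accepted but out of spec:", w)
```

The under-constrained variant accepts witnesses such as v=6, b0=0, b1=3, so a prover could present a value the gadget was supposed to forbid, while the fully constrained variant accepts none. On a 255-bit field this enumeration is impossible, which is why the audit has to be done symbolically with formal methods, as in the discovery described above.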
Emergency patches deployed
Within hours of the disclosure, the team pushed a soft fork via Zebra 4.5.3 that temporarily disabled Orchard transactions entirely. A permanent fix came with the NU6.2 hard fork — Zebra 5.0 — which activated on June 2 at block 3,364,600 and corrected the circuit itself. Users on affected nodes needed to upgrade immediately to stay on the right chain.
Shielded Labs, which contributes to Zcash development, said in a statement that they believe prior exploitation is unlikely but cannot definitively prove it. That uncertainty is baked into the system's design: shielded pools hide transaction amounts and balances, making it cryptographically impossible to audit total supply.
The unanswerable question
Ripple CTO David Schwartz weighed in on the practical risk. Passive holders who never move their coins will be safe, he said — assuming the bug was never triggered. But that condition cannot be verified. The only way to be sure would be to compromise the shield that Zcash was built to protect.
It's a rare moment when a privacy coin's core feature becomes its biggest liability. If an attacker minted counterfeit ZEC and slipped it into circulation, there's no way to tell. The supply could be inflated and nobody would know.
Market reaction
ZEC didn't wait for answers. The price dropped more than 30% in a single session after the May 29 disclosure, briefly hitting its lowest level in over a month. The selloff reflected not just the bug itself but the uncertainty around its potential impact. A privacy coin that can't verify its own supply is a tough sell, at least in the short term.
The patches are live now, and Orchard transactions are back online. But the question that remains — was the bug ever exploited? — is one Zcash's architecture may never let anyone answer.