Zcash developers have fixed a critical security hole in the Orchard shielded pool that could have let attackers mint an unlimited number of counterfeit ZEC tokens. The vulnerability, which went undetected since 2022, was disclosed alongside a patch — and the price of ZEC plunged more than 40% on the news.
The vulnerability in the shielded pool
The flaw lived inside Orchard, Zcash's newer private-transaction system. By exploiting it, an attacker could generate fake ZEC out of thin air, undermining the entire supply cap of 21 million coins. The problem was present in the network's code for roughly two years before anyone caught it.
Discovery and confirmation
Security researcher Taylor Hornby found the bug and reported it through the project's responsible-disclosure process. Zcash founder Zooko Wilcox confirmed the severity, describing the flaw as critical. The team moved quickly to produce a fix and roll it out before publishing details of the exploit.
Market fallout
Once news of the vulnerability broke, traders reacted swiftly. ZEC lost more than 40% of its value in a single day, wiping out hundreds of millions in market capitalization. The drop reflected both the seriousness of the potential exploit and lingering uncertainty about whether any counterfeit coins had already been created — though the developers have seen no evidence of prior abuse.
Patch deployed, questions remain
The Zcash team has now shipped the patch, and all node operators are urged to upgrade. The network itself is safe again. But the fact that such a fundamental bug sat in the code for two years before Hornby discovered it raises an uncomfortable question: how many other silent flaws might still be waiting inside the shielded pool?
