Zcash (ZEC) lost more than 30% of its value in 24 hours, bottoming out at $385.8, after news broke of a counterfeiting vulnerability in its Orchard shielded pool. The bug was discovered by security researcher Taylor Hornby on May 29 using an Opus 4.8 audit agent. It had been present since the Orchard pool launched in May 2022 and was patched on June 2.
How the bug was found and fixed
Hornby found the flaw during an audit, though the exact nature of the counterfeiting mechanism hasn't been publicly detailed. Shielded Labs, the development group behind Zcash, confirmed the patch was deployed on June 2. Zcash founder Zooko Wilcox disclosed details on X, prompting a sharp selloff. Investor Arthur Hayes said he sold his entire ZEC position after the disclosure, citing the inability to prove no illicit minting occurred.
The supply audit challenge
Shielded Labs says exploitation before the patch appears unlikely but cannot be cryptographically proven. That uncertainty hit the market hard. The episode highlights a core tension: Zcash's privacy features make it hard to independently audit the total supply. A user, Udi Wertheimer, noted on social media that a similar bug previously caused Zcash to lose faith and drop near zero for seven years.
Planned network upgrade
Shielded Labs plans to propose a network upgrade that would let anyone verify the ZEC supply. The proposal includes a new shielded pool and turnstile accounting — a mechanism to track inflows and outflows. It’s a direct response to the current bug's blind spot.
Shielded Labs now aims to bring that proposal to the community. Until then, the question of whether the bug was ever exploited remains open — a reality that shook markets this week.
