Zcash (ZEC) fell 45% to roughly $309 after developers disclosed a critical vulnerability in the cryptocurrency's Orchard shielded transaction pool. The flaw, which has existed since Orchard went live in May 2022, could theoretically let an attacker create unlimited counterfeit ZEC tokens.
The flaw in zero-knowledge proofs
The vulnerability stemmed from under-constrained elliptic curve computations inside the zero-knowledge proofs that underpin Orchard's shielded transactions. Those computations, part of the cryptographic machinery meant to hide transaction details, left a door open: a bad actor could craft a proof that appeared valid but actually created tokens out of thin air. The issue was specific to how the curve arithmetic was checked during proof generation.
Discovery and patch
Security researcher Taylor Hornby found the bug during an audit commissioned by Shielded Labs, a development group focused on Zcash. Hornby's report led to a patch that went out on June 1, 2024. Shielded Labs said it has no evidence anyone ever exploited the flaw in the real world. But the nature of shielded transactions — they're designed to be private — makes absolute certainty impossible. If someone did mint counterfeit coins, they'd be hard to spot.
Market reaction and price outlook
The disclosure hit the market hard. ZEC lost nearly half its value in short order, settling around $309. Technical analysis points to two possible scenarios: a further drop to the $200 support level if selling continues, or a rebound toward $413 resistance if bullish momentum returns. The wide range reflects the uncertainty around how the news will settle with traders and Zcash users.
For now, the core question is whether the patch fully closes the door Hornby opened. Shielded Labs says it does. But the privacy guarantee that makes Zcash appealing also makes it hard to fully audit past transactions. The company has urged users to update their software. No new reports of exploitation have surfaced since the fix.
