Zcash completed a two-phase emergency network upgrade this week to fix a critical vulnerability in its Orchard shielded pool — a 'soundness' flaw in the zero-knowledge proof circuit that, in theory, could have let an attacker create unlimited undetectable ZEC. The bug was discovered on May 29 by security researcher Taylor Hornby during a protocol audit commissioned by Shielded Labs, using Anthropic's Claude Opus 4.8 AI model. The fix came fast: a soft fork on June 2, then a hard fork the next day.
How the flaw was found
Hornby's audit uncovered a vulnerability lurking in Orchard since its activation in May 2022 — four years ago. A working proof-of-concept showed unlimited counterfeit ZEC could be minted in a local test environment. But the flaw never inflated the real ZEC supply on the live network, according to Zcash's internal turnstile accounting mechanism. Still, because of the privacy properties of shielded transactions, there's no definitive cryptographic way to prove no exploitation ever occurred. The project's response was aggressive: Zebra 4.5.3 (soft fork) disabled Orchard transactions on June 2, and Zebra 5.0.0 (hard fork NU6.2) patched the flaw and re-enabled them the very next day.
Market whiplash
The market initially cheered the hard fork. ZEC jumped to $624 on June 4 — its peak for the week. Then things got ugly. Arthur Hayes disclosed he'd exited his entire ZEC position intraday on June 4, and the price cratered about 50% to $309 on June 5, wiping over $3 billion in market cap. ZEC has since recovered a bit, trading around $430 after Electric Coin Company CEO Josh Swihart confirmed on June 7 that the fix was complete and the network secure.
The bug was a big deal because it struck at the core promise of Zcash: that shielded transactions are private and sound. If an attacker could silently print ZEC, the whole privacy narrative gets poisoned. The speed of the response — two forks in two days — suggests the team knew how bad it could be. Swihart's statement on June 7 aimed to reassure users the network is safe now, but the uncertainty around whether anyone ever exploited the flaw remains a nagging question. Zcash's own defenses caught no unauthorized value creation, but privacy means you can't see everything.
What comes next? The patch is live, the upgrades are done. But watch for any further disclosures from Shielded Labs about the audit findings, and keep an eye on ZEC's price as traders digest whether confidence is really back. The vulnerability was present for four years. The fix took a week.
