Zcash's ZEC token jumped about 10% to near $620 Tuesday, making it a rare gainer as Bitcoin and Ethereum each dropped more than 4%. The rally came after the Zcash development team pushed through an emergency soft fork and then a hard fork to patch a soundness vulnerability in the Orchard shielded pool — a bug that could have let attackers double-spend inside the privacy protocol.
The bug and the response
Security researcher Taylor Hornby discovered the flaw on May 29. The vulnerability lived inside the zero-knowledge proof circuit that powers Orchard, the newest shielded pool on Zcash. Because the verifying key is pinned to that circuit, a permanent fix required a hard fork — only the second security-driven protocol upgrade in Zcash’s history since 2016.
The response came in two stages. First, at block height 3,363,426, an emergency soft fork effectively disabled Orchard by rejecting any transactions or blocks that used it. Sapling and transparent transactions kept running normally. Then, at block height 3,364,600, the NU6.2 hard fork went live, re-enabling Orchard with a corrected circuit.
What users saw — and what they didn't
During the window between the two upgrades, some block explorers appeared stale, giving the impression that the network had halted. It hadn't. Zcash never went offline, ZODL founder Josh Swihart stressed on X: “Zcash was never down.” The coordination for the upgrade was unusually compressed, which likely contributed to the confusion.”
Why a hard fork was unavoidable
The bug was baked into the ZK proof circuit itself. Because the verifying key is pinned at the protocol level, the only way to swap in a corrected circuit is through a hard fork. That's why the team chose a two-stage rollout: disable Orchard quickly via soft fork, then bring it back with the fix once the hard fork was ready. Orchard uses Halo 2 and doesn't require a trusted setup, a design choice that simplified the patch but didn't eliminate the need for a chain split.
Market reaction
The initial rumor of a bug sparked a brief scare, but once the fix details emerged and it became clear that Zcash's 21 million supply cap had never been at risk — the vulnerability could allow double-spending but not inflation — sentiment flipped. ZEC became a rare winner in a broader crypto sell-off driven by geopolitical stress and forced liquidations. The irony isn't lost: a security incident that could have crushed confidence instead reminded traders that the protocol's response mechanism works.
Zcash developers have not announced any further patches. The Orchard pool is live again, and the corrected circuit is baked into the chain.
