Critical vulnerability discovered: Researcher Taylor Hornby identified a flaw in Zcash’s Orchard shielded pool on May 29, 2026. Potential impact: The bug could have enabled the creation of un
Zcash developers have remediated a critical vulnerability in the network’s Orchard shielded transaction pool after security researcher Taylor Hornby demonstrated that the flaw could be exploited to create an unlimited amount of counterfeit ZEC within the privacy-focused pool.
— zooko
ⓩ (@zooko) June 4, 2026
The issue was disclosed publicly by Shielded Labs, an independent organization supporting the Zcash ecosystem. According to the organization, Hornby discovered the vulnerability on May 29, 2026, during an ongoing security review commissioned in April. The finding was immediately reported to engineers at the Zcash Open Development Lab (ZODL), which coordinated an emergency response across the ecosystem.
The vulnerability was patched on June 1, with remediation efforts completed across the network by June 2.
The vulnerability disclosure followed a turbulent period for the privacy-focused network. On June 3, several block explorers temporarily showed no new Zcash blocks being produced for more than four hours, triggering concerns among community members before infrastructure providers confirmed that the blockchain itself remained operational. The incident came just days after ZEC had traded near the $665 level following one of the cryptocurrency market’s strongest weekly rallies, highlighting the heightened attention surrounding the network ahead of the Orchard vulnerability announcement.
Orchard is Zcash’s newest shielded transaction pool, introduced in May 2022, and is designed to provide private transactions using zero-knowledge proofs. The flaw existed from Orchard’s activation until the emergency patch was deployed.
According to Shielded Labs, Hornby successfully developed a working exploit in a local testing environment that generated unlimited counterfeit ZEC without detection. The vulnerability originated from an under-constrained component of the Orchard circuit, allowing arbitrary false inputs to pass a critical elliptic curve multiplication verification step.
“The vulnerability was real and exploitable,” Shielded Labs stated, noting that the exploit could have generated unlimited counterfeit ZEC if executed on the main network before remediation.
Because Orchard transactions are shielded by design, there is no cryptographic method to conclusively determine whether the vulnerability was exploited before it was fixed. This limitation stems from the privacy guarantees that conceal transaction amounts and histories within the shielded pool.
Despite that uncertainty, Shielded Labs said it considers prior exploitation unlikely. The organization noted that the flaw had remained undiscovered despite years of review by cryptographers and security researchers. It also emphasized that the vulnerability was uncovered through a targeted effort using advanced AI-assisted auditing techniques rather than through accidental discovery.
The organization further pointed to the rapid response by ZODL and other ecosystem participants, which significantly reduced the potential window for exploitation once the issue was identified.
To address lingering concerns about supply integrity, Shielded Labs is working with developers on a proposal that would allow anyone to verify the Zcash supply and demonstrate that no counterfeit ZEC exists within Orchard. The proposal would involve deploying a new shielded pool and implementing turnstile accounting for Orchard-held coins.
The proposal is expected to be discussed publicly in greater detail in the coming weeks and would require community support and governance approval before activation.
The incident has intensified discussions around formal verification, a process that uses mathematical proofs to validate that software behaves exactly as intended.
— Josh Swihart
(@jswihart) June 5, 2026
Josh Swihart, founder of ZODL, said the more important question is not whether a second Orchard pool should be created, but how similar vulnerabilities can be prevented in the future. He argued that formal verification offers the strongest long-term solution by mathematically proving that shielded transaction rules are implemented correctly.
Swihart explained that the vulnerability originated from a flaw in Orchard’s transaction rules rather than from a failure of the underlying cryptography. Multiple teams are now working to formally verify the existing Orchard circuit, while future Zcash technologies are already being developed with formal verification in mind.
Shielded Labs also announced plans to expand its security efforts, including pursuing a formal verification project for Orchard and recruiting a Head of Security and a Cryptographer.
The discovery comes less than three months after Cypherpunk Holdings announced a $5 million investment in Zcash Open Development Lab on March 9, underscoring ongoing development and infrastructure support within the Zcash ecosystem.
Zcash FIXED an inflation bug & you are all panicking…
Stop overreacting! What matters is that the good guys caught it first: ZEC’s team is competent!
It was always known this could happen; it even happened before
Privacy is too worthy a cause to get dragged down by ignorance
— Justin Bons (@Justin_Bons) June 5, 2026
Several industry figures publicly backed the project’s response. Cyber Capital founder Justin Bons said the focus should be on the fact that the vulnerability was discovered and fixed before any confirmed exploitation occurred. Gemini co-founder Tyler Winklevoss also defended the development team’s handling of the issue, stating that software security remains an ongoing race between defenders and attackers and that continuous security improvements are essential for all blockchain networks.
Zcash was originally created by cryptographer and privacy advocate Zooko Wilcox, and the network remains one of the cryptocurrency industry’s most prominent privacy-focused blockchain projects.
Zcash GraphFollowing the disclosure of the critical Orchard vulnerability, Zcash’s native token, ZEC, experienced a sharp market correction, falling approximately 36% within 24 hours. The decline came as investors reacted to news that the flaw could have allowed the creation of unlimited counterfeit ZEC before it was patched. Although developers and security researchers said there is no evidence that the vulnerability was exploited on the live network, the revelation triggered heightened uncertainty among market participants, contributing to increased volatility and selling pressure across the asset.
