Zcash developers have successfully patched a critical security vulnerability affecting the protocol’s Orchard shielded pool. If exploited on the live network, the flaw could have allowed malicious actors to mint an unlimited amount of counterfeit ZEC tokens without detection.
The vulnerability had been present in the protocol’s core zero-knowledge circuit since Orchard’s activation in May 2022. Security researcher Taylor Hornby discovered the issue on May 29, prompting developers to launch an emergency response and deploy a network-wide fix by June 2.
The disclosure was shared by Shielded Labs and Zcash Founder Zooko Wilcox in a statement on X.
Significant price movement
The news came at a difficult time for the privacy-focused cryptocurrency, which was already under market pressure. ZEC fell more than 37% over 24 hours and briefly dropped to an intraday low of $385.8, as investors weighed the implications of the vulnerability.
Prior to the Orchard vulnerability disclosure on May 29, 2026, Zcash (ZEC) had emerged as one of the strongest trending cryptocurrencies of the cycle. After an explosive rally in late 2025 that saw it surge over 1,000% from early-year lows and hit an all-time high near $748 in November, ZEC carried strong momentum into 2026.
In the months leading up to the incident, the token delivered impressive gains, including a more than 110% surge in the 30 days through early May, a 30% single-day jump to a fresh 2026 high around $550–$646, and year-to-date gains exceeding 27% at multiple points amid renewed privacy coin interest and positive regulatory developments.
This performance briefly positioned ZEC as the top-performing large-cap altcoin, outperforming Bitcoin and drawing significant institutional attention, with its market cap climbing above $6–7 billion and shielded transaction volumes hitting record levels.
How the vulnerability worked
According to Shielded Labs, Taylor Hornby found a major issue in Zcash’s Orchard circuit during a targeted protocol audit commissioned by Shielded Labs. Hornby discovered that some faulty code could let bogus inputs get past essential checks. This could’ve allowed an attacker to make unlimited fake ZEC without anyone catching them.
To check how real this threat was, Hornby created and tested an actual exploit. In a local setup, the test minted endless fake coins. So, the bug could indeed have been used on the live network until it got fixed.
However, determining whether the vulnerability was ever exploited remains difficult. Because Orchard transactions are designed to protect user privacy, developers cannot rely on cryptographic evidence alone to confirm whether counterfeit coins were created before the issue was discovered and fixed.
Why developers believe exploitation was unlikely
Despite the severity of the flaw, Shielded Labs said prior exploitation appears unlikely. First, the vulnerability escaped detection despite years of review by experienced cryptographers.
Additionally, Shielded Labs specifically hired Hornby to uncover difficult security weaknesses before attackers found them. The researcher combined traditional auditing methods with Anthropic’s Opus 4.8 AI model during his review.
Moreover, developers moved quickly after the disclosure. Consequently, they significantly reduced the time available for potential attackers to exploit the flaw.
Restoring absolute supply trust
To eliminate lingering uncertainties, Shielded Labs has proposed a network upgrade designed to allow public verification of Zcash’s total coin supply.
The initiative would involve implementing a new, isolated shielded pool. Users would migrate their assets from the current Orchard pool through a cryptographic “turnstile” mechanism. This process would cleanly audit tokens on-chain and mathematically prove that no counterfeit supply inflation took place while the bug was live.
Shielded Labs plans to publish the full technical documentation for the supply-verification framework next week, after which the upgrade will proceed through Zcash’s decentralized governance process for community approval.
Market reacts as analysts raise concerns
The disclosure quickly triggered debate across the crypto industry. Analyst Udi Wertheimer said the incident could revive old concerns among investors, noting that a previous vulnerability also went undetected for an extended period before it was disclosed.
Meanwhile, analyst 0xSammy said the uncertainty surrounding the flaw may have contributed to the sharp decline in ZEC’s price. One of the biggest concerns, he noted, is that developers cannot say with certainty whether the vulnerability was exploited before it was patched.
As the network works to restore confidence, Shielded Labs said it plans to strengthen its security efforts. The organization intends to pursue formal verification of the Orchard circuit and bring in additional security experts to help identify and prevent similar issues in the future.
Also Read: SIREN Pumps 22% to $0.719 as Market Dumps, But Is It Sustainable?
