On the evening of June 4, 2026, the nonprofit developer Shielded Labs published a disclosure that would, within hours, erase roughly a third of Zcash’s market value. The post described a critical soundness vulnerability buried in Orchard, Zcash’s flagship shielded pool; specifically a flaw in an elliptic curve multiplication check that could be triggered to make the network accept transactions that it should have rejected.
If exploited, the bug could have allowed an attacker to conjure an unlimited number of counterfeit ZEC tokens, completely undetectably. The most unsettling detail was not the severity. It was the age. The flaw had been sitting in the protocol since Orchard went live in May 2022. It had survived four years of audits, academic scrutiny, and network upgrades before anyone noticed it.
Following the vulnerability disclosure, ZEC fell over 36% in a single session, sliding toward the $300 mark amid a broader market sell-off. This also marked a precipitous drop from a peak of around $610 earlier that same week, wiping more than $3 billion from ZEC’s market capitalization in roughly 24 hours. Across the privacy-coin aisle, Monero did nothing dramatic at all; which, for Monero, is the entire point.
The timing crystallized a debate that has simmered for nearly a decade. Zcash and Monero are the two heavyweight privacy coins, but they are built on opposite philosophies of what privacy even is. One treats it as an optional, mathematically elite tool you switch on when you need it. The other treats it as a non-negotiable default baked into every transaction, with no off switch. In a 2026 defined by chain-analysis firms, MiCA enforcement, central-bank digital currencies, and aggressive exchange delistings, the question is no longer academic: which model actually survives, and which one actually keeps you invisible?
The Philosophical Fork
Monero was born in 2014 out of the CryptoNote protocol with a radical, almost stubborn premise: every transaction must hide the sender, the recipient, and the amount, by default, with no transparent mode and no exceptions. That design produces two things its supporters prize above all else.
The first is perfect fungibility: because every coin is equally opaque, one XMR is indistinguishable from any other, with no “tainted” history a merchant or exchange can reject. The second is the largest possible anonymity set, because privacy is mandatory and therefore universal. Everyone participates whether they think about it or not.
Zcash, launched in 2016 by a company-led effort now associated with the Electric Coin Company, took the other road. It offers selective privacy through zk-SNARKs, zero-knowledge proofs that can shield a transaction’s sender, receiver, and amount entirely. Users can transact on Zcash through transparent t-addresses that behave like Bitcoin, or shielded z-addresses that hide everything.
Crucially, Zcash built in viewing keys and selective disclosure, letting a user hand an auditor, tax authority, or regulator a window into specific transactions without exposing the rest of the network. To Monero’s cypherpunk base, optionality is a weakness—privacy you have to remember to turn on is privacy most people won’t use. To Zcash’s institutional audience, that same optionality is the feature that might keep the asset legal.
This is not merely a technical disagreement. It is an ideological one about whether privacy is a right that should be the default condition of money, or a powerful capability that should bend to compliance when the situation demands it.
How They Actually Hide Your Money
| Monero (XMR) | Zcash (ZEC), shielded | |
|---|---|---|
| Sender privacy | Always on | Only in shielded mode |
| Recipient privacy | Always on (stealth addresses) | Only in shielded mode |
| Amount privacy | Always on (RingCT) | Only in shielded mode |
| Default setting | Mandatory: 100% of transactions | Optional: user chooses |
| Anonymity set | Designed to span the chain’s outputs | Limited to shielded-pool participants |
| Fungibility | Uniform across all coins | Strong only within the shielded pool |
| Selective disclosure | None | Yes, viewing keys for auditors |
| Underlying tech | Ring signatures → FCMP++ | zk-SNARKs (Halo 2 / Orchard) |
Monero’s recent leap is FCMP++ (Full-Chain Membership Proofs), which the project rolled out across late 2025 and early 2026. For most of Monero’s history, sender privacy rested on ring signatures: a real transaction was mixed with a small, fixed set of decoys—canonically 16 since the late-2022 protocol upgrade, after earlier ring sizes of 11.
It was strong, but sophisticated statistical analysis could occasionally chip away at the effective anonymity set, and it was widely regarded as Monero’s weakest link. FCMP++ replaces that model entirely. Instead of proving “I am one of these 16 possible spenders,” a transaction now cryptographically proves “I am one of millions of possible spenders across the entire chain,” without revealing which.
According to analyses of the upgrade, it does this while keeping proof sizes small, fees often under a cent, and verification fast. The practical effect, its proponents argue, is to move Monero from “very hard to trace” to “practically untraceable at scale” against all but the most extraordinary adversaries.
Zcash’s zk-SNARK approach is, in pure cryptographic terms, arguably more elegant. When a user stays fully shielded—moving funds z-address to z-address—the math reveals nothing while still proving the transaction is valid.
The Orchard pool runs on the Halo 2 proving system, which eliminated the “trusted setup” that haunted Zcash’s earliest design. The catch has always been adoption: if most activity stays transparent, the shielded users stand out, and the effective anonymity set shrinks to whoever is actually using the private layer. That has been changing—and that is exactly what makes the June bug sting.
Anatomy of the Orchard Bug
The vulnerability was found on May 29 by Taylor Hornby, a security engineer Shielded Labs had engaged in April specifically to hunt for protocol flaws before malicious actors could. Working with Anthropic’s Opus 4.8 AI model, released the day before on May 28, alongside a custom-built AI auditing harness, Hornby conducted a targeted review of the Orchard circuit (the cryptographic engine behind Zcash’s most advanced privacy pool) and wrote a complete, working exploit.
In a local test environment, Shielded Labs said, the exploit generated unlimited, undetectable counterfeit ZEC. Run on mainnet, it would have done the same in a real wallet. The fact that the audit succeeded literally one day after the model’s release became a story in itself; a marker of how rapidly AI-assisted security research is closing the gap between vulnerability disclosure and exploit construction.
The analogy that circulated was a counterfeiter who not only owns the Federal Reserve’s printing press but prints money the Fed itself cannot detect. The danger was never that user funds would vanish; it was that the integrity of the entire supply could be silently debased, and confidence, the only thing backing any money, could collapse with it.
Hornby disclosed the flaw the same day to the Zcash Open Development Lab, which coordinated a fast response. On June 2, an emergency soft fork shipped via Zebra 4.5.3, disabling Orchard shielded actions at a set block height while leaving transparent transactions live.
On June 3, the NU6.2 hard fork activated at block 3,364,600, patching the proof circuits and restoring functionality through Zebra 5.0.0. The Zcash Foundation confirmed the 21 million ZEC supply cap remained intact and no user funds were lost. The whole sequence, from discovery to patch, took days.
But two facts kept the market nervous. The first is that, because of Orchard’s own privacy properties, there is no way to prove cryptographically whether the bug was exploited before it was fixed. Shielded Labs argued exploitation was unlikely, the flaw had evaded years of expert review and was closed almost immediately once found, but it was candid that certainty is impossible.
The second is the optics of the fix itself: patching the pool meant temporarily freezing it, and reports suggested that over 85% of Zcash’s shielded activity went dark during the transition. Monero supporters seized on the contrast immediately. A network where privacy is mandatory and uniform, they argued, cannot selectively disable the private portion of itself, because there is no separate private portion to disable.
Founder Zooko Wilcox-O’Hearn acknowledged the core uncertainty publicly while pointing to a proposed network upgrade as the path to restoring confidence.
To address the trust gap, Shielded Labs has proposed deploying a fresh shielded pool and enforcing turnstile accounting on all coins migrating out of Orchard, a mechanism that lets anyone independently verify the supply has not been inflated. The organization also said it is launching a formal verification effort to mathematically prove the absence of further bugs in the Orchard circuit, and hiring a Head of Security and a dedicated cryptographer. It is, by any measure, a serious and transparent response.
Whether markets reward proactivity or punish the four-year exposure is the open question; and the early read was punishment, with prominent traders reportedly exiting positions in the aftermath.
BitMEX co-founder Arthur Hayes, who had publicly placed ZEC in his “holy trinity” of altcoins earlier in 2026, disclosed that he had sold his entire ZEC position immediately after the Shielded Labs disclosure. Hayes specifically framed the exit as a failure of his privacy thesis for the asset, saying privacy trades need certainty rather than mere probability of soundness.
Timeline: How It Unfolded
The most revealing part of the episode is its sequence. The fix happened quietly and early; the panic happened days later, when the public learned how bad the flaw had been. The patch did not move the price — the disclosure did.
-
May 2022Origin
Orchard goes live as part of Network Upgrade 5, becoming Zcash’s most advanced shielded pool. The soundness flaw is present from day one — and stays undetected.
-
Apr 2026Setup
Shielded Labs engages Taylor Hornby, a security engineer hired specifically to find protocol vulnerabilities before attackers do.
-
May 29Discovery
Two security events, one day. Hornby — working with a frontier AI model — finds the Orchard counterfeiting bug, writes a working exploit, and privately reports it to ZODL. Separately, the Zcash Foundation ships Zebra 4.5.0, an urgent node fix for unrelated consensus and denial-of-service bugs surfaced by 80-plus reports.
-
Jun 1Patched
ZODL coordinates and closes the Orchard fix — within days of discovery.
-
Jun 2Soft Fork
An emergency soft fork via Zebra 4.5.3 disables Orchard shielded actions at a set block height; transparent transactions keep running. Shielded activity is paused for roughly 24 hours.
-
Jun 3Hard Fork · Calm
The NU6.2 hard fork activates at block 3,364,600, patching the proof circuits and restoring full functionality via Zebra 5.0.0. A false “network is down” rumor — caused by explorers on a faulty node — is quickly debunked. Notably, ZEC is up on the day, near $600. The market hasn’t grasped the severity.
-
Jun 4Disclosure
Late in the day, Shielded Labs publishes its full public disclosure: the bug could have minted unlimited, undetectable counterfeit ZEC, and there is no cryptographic way to prove it was never exploited.
-
Jun 5The Crash
The disclosure collides with a broad market sell-off. ZEC plunges roughly 30–37% toward $400. Prominent traders exit positions, and Monero trends as the “safer” privacy play.
-
NextWhat’s Proposed
Shielded Labs moves to deploy a new shielded pool with enforced turnstile accounting, launch a formal-verification project, and hire dedicated security staff — with a detailed proposal promised within the week.
The On-Chain Reality Check
Here the narrative gets more interesting than either coin’s marketing would suggest, because the data cuts in two directions at once.
For Zcash, the bullish on-chain story is genuinely striking. The shielded supply—the share of ZEC actually sitting in private addresses—has climbed to roughly 30% of circulating coins, about 5 million of 16.7 million ZEC. That is up from 8% in early 2024, passing 18% in October 2025 and 23% in November before crossing 30% in May 2026.
Nearly all of that growth landed in Orchard, the newest and most user-friendly pool, which alone holds about 4.2 million ZEC. Shielded transaction share hit an all-time high of 59.3% in February 2026. Analysts who track these figures argue this is structural adoption rather than speculation, because moving coins into a shielded address requires deliberate, friction-heavy action that exchanges don’t perform automatically.
As former ECC CEO Josh Swihart, who along with the rest of the ECC team departed in January 2026 amid what he described as a “constructive discharge,” put it in his pre-departure commentary: holders who shield their ZEC tend not to sell, which quietly tightens effective liquid supply.
And yet the same data set contains a number that should give any honest writer pause: Zcash’s public transaction count has stayed essentially flat at around 8,500 per day. By the accounts circulating during the June turmoil, Monero processes roughly three times that volume.
Put bluntly, Zcash’s shielded-supply chart describes a population of conviction holders parking value behind zero-knowledge proofs, a powerful store-of-value story, while Monero’s flatter, quieter metrics describe money that is actually being spent.
One chain is winning the “privacy as savings” argument; the other is winning the “privacy as cash” argument. The June crisis arguably reinforced both: capital rotated toward Monero’s steadiness even as Zcash’s defenders pointed to shielded supply as proof that real users weren’t fleeing.
Two more caveats round out the picture. Zcash’s adoption surge has been amplified by institutional signals—a Multicoin Capital position accumulated since February 2026 and revealed at Consensus Miami, a Grayscale spot-ETF filing that would be the first privacy-coin ETF in the U.S., a Robinhood listing, and an SEC review that closed in January with no enforcement action.
Those are real tailwinds, but they are also the kind of narrative fuel that can reverse. And it is worth noting that chain-analysis firm Arkham has claimed it can label more than 53% of Zcash transactions, attributing approximately $420 billion in ZEC volume to identifiable entities, per its December 2025 disclosure.
Though the firm did not crack Zcash’s cryptography, its tracking covers transparent transactions and transparent-to-shielded / shielded-to-transparent flows, not fully shielded z-to-z transactions. Zooko Wilcox himself clarified that, “Arkham didn’t actually deanonymize any ZEC that was held at rest in the shielded pool. That would be impossible because the information just isn’t there.”
The Regulatory Stress Test
Regulators have spent two years tightening the noose, and this is where the two philosophies diverge most consequentially. By late 2025, more than 70 exchanges had delisted privacy coins, with Monero hit hardest precisely because its mandatory design makes conventional KYC/AML compliance close to impossible.
The EU’s MiCA framework is phasing in restrictions on anonymity-enhancing assets, with the toughest provisions arriving by 2027. Several jurisdictions already treat both coins as high-risk, and Japan and South Korea have at various points restricted privacy-coin listings outright.
Zcash’s optional model gives it a regulatory moat Monero structurally cannot replicate. Because transparent transactions exist and shielded ones can be selectively disclosed with viewing keys, some centralized platforms can keep ZEC listed and defensible. That flexibility is the entire institutional thesis, and the January SEC outcome, the ETF speculation, and the broader pro-crypto posture in Washington (the CLARITY Act debate among them) have extended Zcash’s runway in regulated markets.
Monero’s answer is to treat delisting as a feature, not a bug. Pushed off centralized venues, its activity migrates to decentralized swaps, peer-to-peer markets, and the uncensorable corners of the economy, exactly the terrain where unbreakable default privacy is supposed to matter most.
The 2026 lesson is uncomfortably clean: mandatory privacy maximizes censorship resistance but accelerates exile from the regulated system, while optional privacy trades some anonymity for longevity inside it.
Who Actually Uses Each One
The use cases follow the philosophies. Monero dominates where untraceability is the requirement rather than the preference: peer-to-peer remittances, underground commerce, and the financial lives of people operating under surveillance or authoritarian pressure. Its uniformity is the product: there is no shielded-versus-transparent decision to get wrong, no metadata leak from choosing the private option only sometimes.
Zcash appeals to a different user: the institution, the DeFi participant, the privacy-conscious professional who occasionally needs to prove compliance to a tax authority, auditor, or enterprise partner. Shielded transactions provide confidentiality; viewing keys provide an exit ramp to transparency on demand.
The Grayscale Trust and the ETF filing embody this audience — capital that wants exposure to the privacy thesis without necessarily touching the privacy features themselves.
The 2026–2030 Outlook
There is no clean winner here, and any article that declares one is selling something. What the past week clarified is that the two coins are no longer really competing for the same job.
Zcash is becoming the privacy layer for a regulated, institutional, increasingly on-chain financial system—a store of confidential value with compliance hooks, an ETF wrapper on the horizon, and a roadmap (the NU7 upgrade, shielded assets, quantum-recoverable wallets targeted for mid-2026, a planned move toward proof-of-stake) aimed squarely at scaling within the rules. Its risk is exactly what June exposed: complexity.
A privacy system elaborate enough to offer selective disclosure and recursive proofs is a privacy system with more surface area for a four-year bug to hide in. Its credibility now depends on whether the proposed supply-integrity upgrade and formal-verification push convince the market that the patch was the end of the story rather than the first chapter.
Monero is consolidating its position as the people’s untraceable money; the cypherpunk default, hardened by FCMP++ and battle-tested by a decade of adversarial pressure and delisting. Its risk is the mirror image of Zcash’s: the very design that makes it uncensorable also makes it the first asset regulators move to wall off, and its store-of-value upside is capped by the same opacity that makes it useful as cash.
The honest forecast is divergence, not convergence. As CBDCs expand and financial surveillance becomes the baseline, demand for both models should grow—but along separate tracks. Zcash bets that privacy survives by negotiating with power.
Monero bets that privacy survives by refusing to. June 2026 was a brutal week for the first bet and a quiet vindication of the second, but a single incident does not settle a decade-long argument. The shielded-supply trajectory and Monero’s transaction resilience are the two charts to watch; whichever holds up through the next regulatory shock will tell you which philosophy the market actually trusts.
The real takeaway may be the least satisfying one: in the age of surveillance, the existence of both a compliant privacy coin and an uncompromising one is not a contradiction to be resolved. It is the market discovering that financial privacy, like privacy everywhere else, is not one thing—and that how invisible you want to be is now a decision you are forced to make.
