TLDR
- A critical bug in Zcash’s Orchard privacy pool could have allowed unlimited, undetectable counterfeit ZEC to be minted.
- The vulnerability existed since May 2022 but was found on May 29, 2026 by security engineer Taylor Hornby using Anthropic’s Claude Opus 4.8 AI model.
- An emergency fix was deployed via hard fork on June 3, 2026, but there is no way to cryptographically prove the bug was not previously exploited.
- ZEC dropped over 30% in 24 hours to around $400–$410, with its market cap shrinking by more than $3 billion.
- Shielded Labs is proposing a network upgrade to allow public verification of ZEC’s total supply integrity.
Zcash’s native token ZEC suffered one of its worst single-day drops in recent memory after a privacy-focused developer nonprofit revealed a serious flaw in the protocol’s core architecture. The disclosure came from Shielded Labs and outlined a bug that had been sitting undetected in the Orchard shielded pool since May 2022.
The Orchard pool is the most advanced privacy layer in the Zcash protocol. It uses zero-knowledge cryptography to keep transaction details private. The bug allowed false inputs into an elliptic curve multiplication check — the mathematical process that verifies transactions — meaning an attacker could, in theory, have created counterfeit ZEC tokens that were completely invisible on-chain.
Security engineer Taylor Hornby, who was hired by Shielded Labs in April 2026 specifically to find vulnerabilities, discovered the flaw on May 29 using Anthropic’s Claude Opus 4.8 AI model. He built and tested a working exploit in a controlled environment that successfully generated unlimited counterfeit ZEC. Shielded Labs confirmed that if the same exploit had been run on Zcash’s mainnet, it would have produced unlimited undetectable counterfeit tokens.
JUST IN: Zcash crashes 48% after Claude AI finds critical vulnerability allowing unlimited minting of $ZEC.
It went unnoticed for 4 years until it was patched on June 1st. pic.twitter.com/Ddv5JLMvUY
— Watcher.Guru (@WatcherGuru) June 5, 2026
The Zcash Open Development Lab (ZODL) was notified immediately and coordinated an emergency hard fork fix that was activated on June 3, 2026.
Markets React to Four Years of Uncertainty
The patch itself was swift, but the market reaction was sharp. ZEC fell more than 30% in 24 hours, dropping to around $400–$410 at time of writing. Its market capitalization shrank by more than $3 billion.
The core issue weighing on investors is simple: Shielded Labs admitted there is no cryptographic way to determine whether the bug was exploited before it was patched. Due to the privacy properties of Orchard, any potential exploitation would have left no traceable footprint.
Shielded Labs said it believes exploitation likely did not occur, citing how subtle the bug was and how much deliberate skill and tooling were required to find it. The organization said it is not overly concerned, but acknowledged users should not rely solely on their assessment.
BitMEX co-founder Arthur Hayes addressed the situation directly on X, stating he had sold his entire ZEC position. “Sadly, due to the Orchard Pool exploit, I had to dump our entire ZEC bag,” Hayes wrote. He also referred to Zcash, Hyperliquid, and Near Protocol — all tokens he sold this week — as “The Holy Trinity,” adding: “The Holy Trinity is dead.” Hayes did note, however, that it is unlikely ZEC was illegally minted, though he acknowledged it “cannot be formally cryptographically proved impossible.”
The Holy Trinity is dead. Sadly due to the Orchard Pool exploit, I had to dump our entire $ZEC bag.
– While I think it's extremely unlikely of any minting, it cannot be formally cryptographically proved impossible
– The privacy from AI, govt, big tech narrative demands perfection…— Arthur Hayes (@CryptoHayes) June 5, 2026
This Is Not the First Time
This is not the first counterfeiting vulnerability Zcash has faced. In 2018, the Electric Coin Company discovered a similar flaw in the cryptography underlying zk-proofs. It was remediated in 2019 with no reported losses.
Mert Mumtaz, co-founder and CEO of Solana tooling firm Helius, said this type of vulnerability is not unique to Zcash. “Almost all privacy protocols have a variant of this same vulnerability,” he said, describing it as a theoretical risk common to most zero-knowledge privacy protocols. “This same FUD comes back every five months as new people learn how privacy pools work,” he added.
Shielded Labs is now proposing a network upgrade that would deploy a new shielded pool and enforce turnstile accounting on all coins migrating from the Orchard pool. This would allow anyone to independently verify the integrity of ZEC’s total supply. The organization said it plans to publish a detailed proposal next week.
