Zcash Patches Critical Bug in 'Most Ambitious' Network Upgrade

The Zcash Foundation disclosed Wednesday that it quietly patched a critical flaw in the privacy cryptocurrency's core transaction system, executing a rare emergency network upgrade after a security researcher uncovered a bug that could have allowed bad actors to spend funds they didn't actually have. The vulnerability, discovered May 29 by independent security researcher Taylor Hornby, resided in the Orchard Action circuit—the cryptographic machinery underpinning Zcash's most advanced privacy pool. The Orchard pool, introduced in 2022, is considered the crown jewel of Zcash's privacy architecture, requiring no trusted setup and holding a significant share of circulating ZEC tokens. Hornby disclosed the flaw to Zcash Open Development Lab (ZODL) engineers that same evening. Within hours, a team of protocol developers confirmed the issue and began a carefully orchestrated, confidential response designed to prevent exploitation before a fix could be deployed.

The coordinated repair unfolded over five days. Developers first issued an emergency soft fork—essentially a temporary rule change—that shut down Orchard transactions entirely while the patch was being finalized. Private coordination with miners and exchanges began the evening of May 31. An initial activation attempt ran into deployment snags, but a second attempt succeeded early Monday morning, halting all Orchard activity at block 3,363,426. The permanent fix arrived Wednesday, when a full network upgrade—dubbed NU6.2—restored Orchard functionality using a corrected circuit. Such a hard fork was necessary because repairing a zero-knowledge proof system requires updating a cryptographic verifying key, a change that cannot be made through ordinary software patches.

Officials said the total supply of ZEC was never at risk. Zcash's built-in "turnstile" mechanism, which tracks value across all transaction pools, confirmed no unauthorized coins were created. There is no evidence the bug was ever exploited. "Given the time available and the number of parties involved (the devs at ZODL and Zcash Foundation, miners, exchanges, others), this was the most ambitious network upgrade in Zcash's history," ZODL founder Josh Swihart wrote on X.

Given the time available and the number of parties involved (the devs at @zodl_app and @ZcashFoundation , miners, exchanges, others), this was the most ambitious network upgrade in Zcash's history. I'm especially grateful to my team, including @feministPLT , @nuttycom , @str4d ,… https://t.co/C9DePWVBT2 — Josh Swihart 🛡 (@jswihart) June 3, 2026

The Foundation urged all node operators to upgrade immediately to Zebra 5.0.0, the software release that activates the corrected network rules. Following the upgrade, block explorers appeared to show that the network hadn't produced blocks in hours, fueling speculation of downtime. However, experts and the block explorers themselves have said that the network was running as normal, but that explorers were temporarily impacted as they upgraded their own network nodes. "Block explorers are just readers. They pull data from a node, parse it, and display it. If the node is upgrading or resyncing, the explorer goes stale," block explorer CipherScan wrote on X. "The chain itself kept producing blocks the entire time. Miners didn't stop. Transactions kept confirming." Classic case of the messenger going quiet, not the chain.

Privacy coin Zcash is the latest cryptocurrency preparing to address the mounting threat of quantum attacks. Speaking during a Thursday address at Consensus Miami's Privacy track, Zcash Open Development Lab founder and CEO Josh Swihart said that quantum-recoverable wallets for the privacy coin are set to roll out within a month, with Zcash targeting full post-quantum status within 12 to 18 months. Within the same period, the network is also aiming to achieve throughput on a par with Mastercard.

The price of Zcash (ZEC) doesn't appear to have been impacted at all by the disclosure of the emergency upgrade, with the privacy-centric coin continuing its latest