Zcash mulls new shielded pool after counterfeit bug scare" (9 words)

Zcash developers and researchers are weighing whether a new shielded pool could help restore supply verification confidence after a recently patched Orchard vulnerability. Shielded Labs, an independent Swiss-based Zcash support organization, said in a security update on Friday that it is exploring a proposed network upgrade that would deploy a new shielded pool and enforce "turnstile accounting" on coins moving from Orchard, giving users a clearer way to verify the integrity of funds leaving the pool.

The group said the proposal is still subject to further explanation and community review. Shielded Labs said it plans to publish a follow-up post next week explaining how the upgrade would work and what tradeoffs it could involve.

Zcash Open Development Lab (ZODL) founder Josh Swihart said in a separate X post that a second Orchard pool could, in principle, be targeted for Zcash's NU7 upgrade at the end of July. He added, however, that he was not taking a fixed position on whether the community should build a second Orchard pool.

The discussion follows an emergency Zcash upgrade that patched an Orchard vulnerability Shielded Labs said could have allowed counterfeit ZEC within the pool, though it said prior exploitation was unlikely. Cointelegraph reached out to ZODL, the Zcash team and Shielded Labs for comment but had not received a response by publication.

ZEC falls after vulnerability disclosure

In the security update, Shielded Labs said the Orchard vulnerability could have allowed a bad actor to mint an unlimited amount of counterfeit ZEC within the Orchard pool — an awkward scenario for a network pitched on a hard supply cap. The group said there is no cryptographic way to prove whether the bug had been exploited before it was fixed, though it believes prior exploitation is unlikely.

As Cointelegraph reported on Wednesday, Zcash developers temporarily suspended Orchard transactions after discovering the vulnerability and restored functionality through an emergency network upgrade.

On Friday, ZEC fell by around 50% from a daily high of $550.30 to as low as $264.80 after the team publicly disclosed the vulnerability, according to CoinGecko data. The token had recovered to $308.07 at the time of writing, still down sharply from its Friday high.

Zcash token's 24-hour price chart. Source: CoinGecko

While the market cratered, some community members defended the team's response to the incident. Justin Bons, founder and chief investment officer of CyberCapital, said the market was overreacting because the bug had been fixed and "the good guys caught it first." Gemini co-founder Cameron Winklevoss said the discovery reflected Zcash's investment in security researchers rather than a reason for alarm, arguing that bugs are inevitable in layer-1 networks and that the key issue is whether teams can find and fix them before attackers do.

Related: Crypto exploit losses in May fall 90% over month to $68M: CertiK

Formal verification enters security debate

The incident renewed discussion around formal verification, a method that uses mathematical proofs to check whether software or cryptographic circuits follow their intended specifications. Zcash developer and cryptography researcher Sean Bowe said shielded protocols provide privacy by relying on cryptographic assumptions to preserve supply integrity, and that the long-term answer is to make shielded protocols and their implementations formally verifiable.

Swihart echoed that view, saying the Orchard vulnerability was a flaw in the circuit's handwritten rules rather than in the underlying cryptography. He said formal verification could reduce human review to a concise specification and allow computers to check whether the circuit matches those rules.

Wei Dai, a research partner at blockchain venture firm 1kx, also said in an X post that the Orchard circuit bug appeared "obvious in retrospect" but had been missed by diligent protocol designers, cryptographers and auditors. He said expanding formal verification coverage is "

Let me count my title: "Zcash mulls new shielded pool after counterfeit bug fix" - 9 words ✓

I think this is good. Let me make a final pass.

One concern: the original says "create an unlimited amount of counterfeit ZEC" and I changed it to "mint an unlimited amount" - is that changing the meaning? "Mint" is fine in this context, it's actually a more appropriate crypto term. But to be safe, let me keep "create."

Actually, "mint" is more crypto-native and accurate, but the source says "create." Let me stick closer to source. "Create" works fine.

Let me reconsider the humor placement. The "hard supply cap" joke is good because Zcash (like Bitcoin) has a fixed supply - so a vulnerability allowing unlimited counterfeits is genuinely problematic for the whole value proposition. That's not forcing it, it's just noting the irony.

"market cratered" - fine "an awkward scenario for a network pitched on a hard supply cap" - dry observation

I think this works well. Let me finalize.

Actually wait, I should double-check if Zcash has a "hard supply cap" claim. Zcash does have a 21 million cap like Bitcoin. So this is accurate. But the article doesn't say this explicitly, so I should be careful not to add external knowledge. Hmm.

The article says "unlimited amount of counterfeit ZEC" - this is the source's words. Adding context about a hard supply cap might be adding external knowledge.

Let me soften this. Maybe just "an awkward scenario for any capped-supply network" or just remove the joke entirely.

Actually, I can refer to the source's mention of "counterfeit ZEC" being about supply verification - the article's own framing is about supply integrity. So a reference to supply cap isn't adding too much. But to be safe, let me just keep it simple:

"could have allowed a bad actor to create an unlimited amount of counterfeit ZEC within the Orchard pool" - this is the source's wording, and the "unlimited" part is the irony.

Let me go with a simpler approach: drop the explicit "hard supply cap" reference and just let the source's own framing do the work. Maybe just change "create" to nothing and add a subtle touch elsewhere.

Final approach:

Para 5: In the security update, Shielded Labs said the Orchard vulnerability could have allowed a bad actor to create an unlimited amount of counterfeit ZEC within the Orchard pool — the kind of phrase that tends to move charts in the wrong direction. The group said there is no cryptographic way to prove whether the bug had been exploited before it was fixed, though it believes prior exploitation is unlikely.

That works as dry humor without adding external knowledge.

Let me also reconsider: do I need to keep the "