Zcash Discloses Four-Year Orchard Bug That Could Have Minted Unlimited ZEC

Zcash developers have revealed that a critical vulnerability in the network's Orchard shielded pool could have allowed attackers to create unlimited counterfeit ZEC without detection. In a detailed post published June 5, Shielded Labs said the flaw existed from Orchard's activation in May 2022 until an emergency fix was deployed earlier this week. The disclosure significantly escalates the severity of what was initially described as a coordinated network upgrade affecting Orchard transactions. According to the report, the vulnerability could generate "unlimited, undetectable counterfeit ZEC" within the Orchard pool — which is, notably, not the kind of feature you want to find in production.

Developers stressed that there is currently no evidence that the flaw was exploited before remediation. However, they also acknowledged there is "no definitive way to determine using only cryptography whether such exploitation occurred." The cryptographic privacy that keeps transactions private also, inconveniently, keeps the auditors in the dark.

The vulnerability was discovered on May 29 by security researcher Taylor Hornby during an ongoing security review commissioned by Shielded Labs. According to the disclosure, Hornby successfully created a working exploit in a local testing environment that generated unlimited counterfeit ZEC. A working exploit in a lab is, at minimum, a working exploit in a lab.

The flaw reportedly stemmed from an "under-constrained element" in the Orchard circuit that allowed arbitrary false inputs to pass elliptic-curve multiplication checks. Developers said the issue persisted for roughly four years before the emergency remediation was completed on June 2. The remediation was done through a coordinated ecosystem-wide response involving Zcash developers, infrastructure operators, and validators — the kind of weekend nobody wants to have.

One of the most serious implications of the vulnerability is that Zcash cannot cryptographically prove whether counterfeit coins entered circulation before the flaw was fixed. Because Orchard transactions are shielded by privacy-preserving cryptography, developers said there is no reliable way to independently verify whether the exploit was ever used on the live network. Shielded Labs said it believes prior exploitation was unlikely, partly because the vulnerability had eluded scrutiny by experienced cryptographers for years. It was only uncovered through a targeted security effort using advanced AI-assisted auditing tools. In other words, the most sophisticated bug-hunters on the planet were apparently looking at the wrong corner of the codebase for half a presidential term.

The company also said the exploit window narrowed significantly once the flaw was identified and disclosed internally. Still, the uncertainty surrounding supply integrity is likely to reignite long-running debates around hidden inflation risks in privacy-preserving cryptocurrency systems. For some, "trust me bro" is not a consensus mechanism.

The disclosure also highlights the growing role of artificial intelligence in advanced security research. Shielded Labs said Hornby used Anthropic's Opus 4.8 model alongside custom AI-assisted auditing techniques during the Orchard review. According to the report, the vulnerability was discovered shortly after the updated AI model was released on May 28. The bug, in this case, appears to have been found the old-fashioned way: with help from a sufficiently motivated human and a sufficiently new model.

Shielded Labs said it is now exploring a follow-up network upgrade to verify the integrity of the Zcash supply and eliminate uncertainty about counterfeit ZEC. The proposal would involve deploying a new shielded pool and implementing "turnstile accounting" to verify coins moving out of Orchard. The organization said additional details on the proposal and its tradeoffs will be released next week. If the phrase "turnstile accounting" sounds like a clever solution, that's because it is — and also because the alternative is asking everyone to simply trust the numbers.

Concerns around hidden inflation risks in shielded systems have circulated in crypto communities for years. In a 2025 post, Crypto Bitlord warned that compromising Zcash's shielded infrastructure could, in theory, enable unlimited undetected ZEC creation. The newly disclosed Orchard flaw involved a different technical mechanism, but the underlying concern has now moved from theory to disclosure.