Written by: Shannon@金财经
ZEC plummeted from nearly $700 to $400 in 24 hours, erasing gains over the past month. Now the reason is out.
It turns out the cause is not just Arthur Hayes selling ZEC: Zcash has also disclosed a security vulnerability that could be used to forge ZEC without limit.
What’s more noteworthy is that this vulnerability was discovered with the help of the latest large model Claude Opus 4.8. Moreover, this vulnerability has existed for 4 years.
In early June 2026, the privacy-focused cryptocurrency Zcash (ZEC) experienced one of the most severe security crises since its inception.
On May 29, 2026, during a protocol audit commissioned by Shielded Labs, independent security researcher Taylor Hornby discovered a serious forgery vulnerability in the Zcash Orchard pool using Claude Opus 4.8, the latest large model, released by Anthropic on May 28. He responsibly disclosed it to the Zcash Open Development Labs (ZODL).
This vulnerability has been lurking in the Orchard pool since it went online in May 2022. Until engineers closed it this week, it remained undiscovered for about four years.
To understand this incident, you must first understand the core technical architecture of Zcash.
What is a zero-knowledge proof (ZKP)? Zcash's privacy protection relies on zero-knowledge proof technology, which lets users prove to the network that "this transaction is valid" without exposing transaction details. Orchard is Zcash's newest and most advanced privacy pool, built on the Halo2 proof system.
Root cause of the vulnerability: The problem lies in an insufficiently constrained part of the Orchard circuit, which allows an attacker to pass false input into an elliptic curve check and still have the check pass.
In layman's terms, it is like a vault lock designed to "check for the correct key shape": because of a loophole in the verification logic, some keys with the wrong shape also pass the test.
The meaning of "soundness vulnerability": In ZK-proof projects like Zcash, "soundness" means that the system should only accept valid transactions and state transitions. A soundness vulnerability here could result in the system accepting transactions that should be rejected.
Specific harm: This vulnerability is a soundness vulnerability in the implementation of the Orchard Action circuit in the halo2_gadgets code base. If exploited, it could allow double spending within the Orchard pool, but the total amount of ZEC cannot be directly inflated, because Zcash's "turnstile" mechanism protects the total supply.
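To make "insufficiently constrained" and "soundness" concrete, here is an added toy example; it is not from the original article, it is not Orchard's circuit, and it does not reproduce the actual bug. It audits a small constraint system that is meant to check that (x, y) lies on y² = x³ + 3 over the 17-element field by exhaustively searching for witnesses the constraints accept but the specification rejects. The field, curve, cell names and function names are all constructed for illustration.

```python
from itertools import product

P = 17  # tiny prime field (constructed; real circuits use ~255-bit fields)
B = 3   # toy curve y^2 = x^3 + B (constructed)

def on_curve(x, y):
    """The specification: the statement the circuit is supposed to enforce."""
    return (y * y - (x * x * x + B)) % P == 0

# Each constraint is a polynomial over the witness cells that must equal 0.
def c_square(w):  # x2 == x * x
    return (w["x2"] - w["x"] * w["x"]) % P

def c_cube(w):    # x3 == x2 * x
    return (w["x3"] - w["x2"] * w["x"]) % P

def c_curve(w):   # y * y == x3 + B
    return (w["y"] * w["y"] - w["x3"] - B) % P

# The under-constrained variant never ties the helper cell x2 to x,
# so the prover may put any value there.
UNDERCONSTRAINED = [c_cube, c_curve]
FIXED = [c_square, c_cube, c_curve]

def satisfies(constraints, w):
    return all(c(w) == 0 for c in constraints)

def soundness_counterexamples(constraints):
    """All witnesses the constraints accept although (x, y) is off the curve."""
    bad = []
    for x, y, x2, x3 in product(range(P), repeat=4):
        w = {"x": x, "y": y, "x2": x2, "x3": x3}
        if satisfies(constraints, w) and not on_curve(x, y):
            bad.append(w)
    return bad

def completeness_holds(constraints):
    """Every genuine curve point must still have an accepting honest witness."""
    for x, y in product(range(P), repeat=2):
        w = {"x": x, "y": y, "x2": x * x % P, "x3": x * x * x % P}
        if on_curve(x, y) and not satisfies(constraints, w):
            return False
    return True

if __name__ == "__main__":
    print("under-constrained:", len(soundness_counterexamples(UNDERCONSTRAINED)))
    print("fixed:            ", len(soundness_counterexamples(FIXED)))
```

Both variants accept every honest witness, so ordinary positive tests cannot tell them apart; only the negative search exposes the missing constraint.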
A milestone in AI-assisted vulnerability discovery: Shielded Labs disclosed that Hornby used Anthropic's Opus 4.8 model and custom AI tools to write a complete exploit program and successfully generated an unlimited amount of fake ZEC in a local test environment. If run on mainnet, the same tool would be able to produce unlimited, undetectable counterfeit ZEC. This is the first recorded case of a large AI model being used to discover a serious vulnerability in a cryptographic protocol and to write exploit code for it, marking a new stage in security research.
The speed and coordination of the Zcash team are commendable.
The entire process from discovery to fix took only five days.
Phase 1 - Vulnerability Discovered (May 29-30): On May 29, 2026, Taylor Hornby discovered a serious forgery vulnerability in Zcash's Orchard pool. Taylor disclosed the vulnerability to the Zcash Open Development Labs (ZODL).
Phase 2 - Emergency Soft Fork (June 1): A temporary soft fork was activated at mainnet block height 3,363,426, approximately 02:00 UTC, disabling Orchard operations across the entire network to buy time for developers to prepare code corrections.
Phase 3 - NU6.2 Hard Fork (June 2): The NU6.2 hard fork was activated at block height 3,364,600, approximately 00:05 ET, reactivating Orchard with a revised circuit. The entire response, from private disclosure to final activation, took approximately five days.
Why is a hard fork needed? Repairing the zero-knowledge proof circuit requires a new "pinned verifying key", and a soft fork cannot make that change.
Why the coordination was kept confidential: The team deliberately kept the vulnerability details confidential during the repair process and coordinated privately with miners and exchanges, so that malicious actors could not exploit the flaw before the patch was launched. This "responsible disclosure" model is standard practice in the industry, and this time it was carried out by the book.

The most profound dilemma in this incident comes precisely from the feature that Zcash is most proud of - privacy.
Due to Orchard's privacy design, it is cryptographically impossible to prove whether this vulnerability has been exploited before being fixed.
In other words, "No signs of exploitation found" is not the same as "Confirmed not to be exploited."
This fundamental contradiction prevents the Zcash Foundation’s statement from being entirely reassuring.
That is why Shielded Labs has proposed a new Zcash network upgrade that would allow anyone to verify that the privacy coin's supply has not been secretly inflated. This step goes beyond the emergency fix activated on June 3.
The proposal itself reflects a perennial paradox faced by privacy blockchains: the stronger the privacy, the harder it is to prove one's innocence.
This is not the first time Zcash has encountered major cryptographic flaws.
In 2019, the team disclosed a forgery vulnerability in the older Sprout privacy pool that had gone undiscovered for many years. There is likewise no known record of that vulnerability being exploited, and the market reacted with confidence rather than panic.
Broader thoughts prompted by this incident:
1. AI will reshape the security audit landscape. AI-assisted discovery of vulnerabilities means both attackers and defenders will have more powerful tools. Regular, high-frequency AI-assisted audits will become the security baseline for high-value protocols.
2. The contradiction between "privacy" and "auditability" will continue to deepen. The tension among the interests of regulators, users and protocol developers will be amplified in similar future incidents. How to strike a balance between privacy protection and transparency in a crisis is a long-term question for the privacy coin sector.
3. Emergency response capability is a protocol's core competitive strength. The complete loop from discovery through private coordination and soft fork to hard fork was closed within five days, demonstrating the collaborative capabilities of a mature ecosystem. Compared with cases where coordination failures delayed vulnerability fixes, Zcash's handling can be regarded as an industry model.
4. It takes time to rebuild market confidence. Short-term price fluctuations reflect information asymmetry and emotional reactions, rather than judgments of the protocol's fundamental value. ZEC had surged more than 16 times from its low in July 2024 long before this incident. It remains to be seen whether that underlying trend holds.
The Zcash Orchard vulnerability incident is a multi-dimensional intersection of technical vulnerabilities, AI capabilities, emergency management and market psychology.
It clearly outlines the challenges that privacy blockchains face in the real world: when cracks appear in the shield of cryptography, the tension between transparency and privacy will be exposed in the most direct way.
The repair has been completed.
But the real test is whether this ecosystem can build a stronger line of defense and a more trustworthy verification mechanism before the next vulnerability arrives.