Privacy-focused Zcash (ZEC) tumbled roughly 30% to $400 after Shielded Labs disclosed a critical vulnerability in the blockchain's Orchard privacy pool. The bug, present since Orchard's activation in May 2022, could have allowed an attacker to create unlimited, undetectable counterfeit ZEC tokens.
Shielded Labs published a disclosure on X late Thursday, revealing that security engineer Taylor Hornby discovered the vulnerability on May 29. Working with Anthropic's Opus 4.8 AI model, Hornby conducted a targeted review of the Orchard circuit and wrote a complete exploit that, tested locally, generated unlimited counterfeit ZEC. If run on mainnet, it would have done the same.
The vulnerability was immediately disclosed to the Zcash Open Development Lab (ZODL), which coordinated an emergency fix on June 1.
Shielded Labs acknowledged that, because of Orchard's privacy properties, it cannot definitively determine whether the bug was exploited before the fix. However, it stressed that exploitation was unlikely, noting the bug had evaded years of scrutiny by experienced cryptographers and was discovered only with cutting-edge AI tools and highly skilled researchers.
The organization proposed a network upgrade that would allow independent verification of the integrity of the ZEC supply, including deploying a new shielded pool and enforcing turnstile accounting on all Orchard pool coins. It is also accelerating security efforts, including continued work with Hornby, a formal verification project, and new hires for Head of Security and Cryptographer.