A security researcher using an AI model discovered a critical vulnerability in Zcash’s Orchard shielded pool that had gone unnoticed for over four years. The flaw could have allowed an attacker to mint unlimited counterfeit ZEC tokens without detection.
Independent researcher Taylor Hornby identified the exploit on May 29 using Anthropic’s Claude Opus 4.8 and custom-built tools. The vulnerability had existed since the Orchard pool’s activation in May 2022, surviving four years of code reviews and audits.
The exploit would have let an attacker generate undetectable counterfeit ZEC within the shielded pool. Unlike transparent blockchains, shielded pools prevent direct supply auditing. Hornby confirmed the exploit worked in a local test, but no exploitation occurred on mainnet. An emergency soft fork was deployed on June 1, followed by a full hard fork on June 3.
ZEC’s price dropped 30% to 42% on the disclosure, erasing over $5 billion in market cap. Hornby plans to extend his AI-assisted auditing approach to other privacy projects, including Monero.