Researcher Taylor Hornby used Anthropic’s Claude Opus 4.8 to find the bug.
The vulnerability was due to a poorly written rule in the protocol, the researcher explained.
The flaw that forced an emergency update in the Orchard privacy pool of the Zcash network on June 1 was a vulnerability that allowed unlimited amounts of fake coins to be created without leaving a trace, as revealed on June 4 in a report signed by Zooko Wilcox (co-founder of Zcash and product director of the Shielded Labs organization), Jason McGee (executive director of Shielded Labs) and Taylor Hornby (security consultant at Shielded Labs and member of the Zcash board of directors). Foundation).
The error in Orchard was corrected through a protocol update, as CriptoNoticias reported at the time, although it had not shared the nature of the problem. According to the report by Wilcox, McGee and Hornby, the vulnerability had been present since the activation of Orchard in May 2022undetected for four years despite multiple audits carried out by cryptography experts.
Researcher Hornby used Anthropic’s Claude Opus 4.8 model to find the faultand, according to the report, the combination of AI tools with traditional audit methods was decisive in finding a flaw that had escaped previous reviews.
After the discovery was disclosed, the price of ZEC fell from around USD 630 to a low of USD 250, a drop of 60%. At the time of writing, ZEC is trading near $308, still 51% below the pre-discovery price.
How did the bug work and what made it dangerous?
Every private transaction on Zcash includes a zero-knowledge cryptographic proof (ZK) which shows that this operation followed the rules of the protocol without revealing the amounts or identities involved. Those rules are defined in what is called the Orchard circuit, a set of mathematical instructions that act as an arbiter of which transactions are valid and which are not.
According to the Shielded Labs report, one of those rules was written vaguely enough to accept false data as if it were legitimate.
In practice, that meant that someone with the necessary technical knowledge could have constructed a transaction that will credit coins that never existedand the circuit would have considered it valid anyway.
According to the report’s authors, Hornby built a test program that, when run in a local test environment (without connection to the real network), generated unlimited fake ZECs without the protocol detecting it.
What makes the flaw especially sensitive is that Orchard was designed precisely to hide transaction amounts. That privacy, which is the reason for the pool, It also prevents checking from the outside if someone introduced coins that they should not have..
Josh Swihart, founder of ZODL (one of the most used wallets in the Zcash ecosystem), He explained it this way:
A shielded pool hides the amounts and history of the coins. It’s the point of privacy. But it also means that you can’t verify the values like you can with a public ledger. The only thing that assures you that no one forged is the mathematics that proves that each transaction followed the rules.
Josh Swihart, founder of ZODL.
The proposal to prove that the supply is complete
Given this uncertainty, Shielded Labs explores network upgrade that would create new Orchard pool and would apply a mechanism called turnstile accounting (in English, turnstile accounting) over all funds in the current pool: each coin in the old pool would have to pass through a public checkpoint before entering the new one, allowing verification that the total matches the expected supply. If there is a difference, it would be evident. The proposal has no timetable and requires community approval.
Swihart noted that the underlying solution is formal verification of the circuit, which would involve constructing a mathematical proof that the code cannot produce any invalid resultsrather than relying on human reviewers. “Instead of searching with human eyes, we prove that there is nothing to find,” he wrote. According to the ZODL founder, multiple teams are already working on that verification for Orchard, and Zcash’s upcoming privacy protocol, Tachyon, is being built from the ground up with that standard.
The severity of the failure is also given by the relevance of Orchard in Zcash. This pool concentrates 4.5 million of the 5.1 million ZEC that circulate in the network’s shielded pools, representing more than 30% of ZEC’s total supply. It has been the dominant pool since mid-2024 and the vast majority of private transfers on the network pass through it. The fault that affected Orchard was active for four years in that layer.
Finally, the supply uncertainty that may have been created in Orchard adds to another tension that Zcash drags on its ecosystem. The same ability of a limited group of developers to pause the protocol and correct it in an emergency that allowed a rapid response is, for a part of the community, a form of centralization that is difficult to reconcile with the principles of a decentralized network.