Verify a decision

{"actor":"system:backfill","investigation_id":"9f9d6d19-7c3a-4682-a5ce-262a2e611be0","kind":"publish","page_slug":"zcash-orchard-pool-counterfeiting-vulnerability-2026","published_at":"2026-06-29T12:18:59.312Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Zcash Orchard Pool Counterfeiting Vulnerability 2026","sections":[{"content":"The vulnerability was a soundness flaw in the Orchard circuit, the zero-knowledge proof component that governs Zcash's most advanced shielded pool. Specifically, the bug resided in the halo2_gadgets component handling variable-base scalar operations. According to a technical analysis by BlockSec, the flaw was located in incomplete.rs lines 309-310 of the halo2 repository, where the code used assign_advice() to populate base point coordinates without creating a constraint linking them to the actual diversified base point. The correct function was copy_advice(), which adds the required equality constraint. Because the loop's base point was never anchored to the protocol-specified g_d value derived from each address's diversifier, a malicious prover could substitute an arbitrary base point across all iterations without the circuit rejecting it. This broke the scalar multiplication relation enforcing pk_d = [ivk] g_d. A successful exploit would allow an attacker to forge nullifiers — by supplying different base points, distinct nullifiers could be generated from the same note, enabling double-spending and unconstrained coin minting entirely within the shielded pool. The zero-knowledge proof concealed the fraudulent inputs, making the resulting transactions indistinguishable from legitimate ones. Security researcher Taylor Hornby confirmed the exploitability of the flaw by successfully generating unlimited counterfeit ZEC in a local test environment.","heading":"Technical Description of the Vulnerability","severity":"critical","sources":[{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"},{"credibility":2,"name":"CoinTelegraph: Why ZEC fell 40% even after Zcash patched a shielded pool bug","type":"news_article","url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"},{"credibility":2,"name":"Unchained Crypto: AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability","type":"news_article","url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"}]},{"content":"The vulnerability was discovered on May 29, 2026, by Taylor Hornby, an independent security engineer engaged by Shielded Labs in April 2026 to conduct a targeted protocol security audit. Hornby identified the flaw the day after Anthropic released its Claude Opus 4.8 model on May 28, 2026, using the model to assist in reviewing the Orchard circuit. According to reporting by CoinDesk and Decrypt, Hornby directed the AI model at a highly targeted code review of the circuit and confirmed the flaw's exploitability. Shielded Labs stated the bug had 'evaded years of scrutiny by experienced cryptographers.' This event has been cited as a significant example of AI-assisted security research uncovering vulnerabilities that conventional auditing missed over a multi-year period.","heading":"Discovery and AI-Assisted Audit","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as developer reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"Unchained Crypto: AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability","type":"news_article","url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"credibility":1,"name":"Shielded Labs: The Orchard Counterfeiting Vulnerability (official disclosure by Jason McGee)","type":"official","url":"https://shieldedlabs.net/the-orchard-counterfeiting-vulnerability/"}]},{"content":"Following Taylor Hornby's disclosure to Zcash Open Development Lab (ZODL) on May 29, 2026, an ecosystem-wide emergency response was coordinated. The remediation proceeded in two phases. First, a soft fork via Zebra release 4.5.3 temporarily disabled all Orchard transactions at mainnet block height 3,363,426, taking effect at approximately 02:00 UTC on June 2, 2026. Second, the NU6.2 hard fork was activated at block height 3,364,600 via Zebra 5.0.0, re-enabling the Orchard pool with a corrected circuit on June 3, 2026. The fix introduced a copy_advice() call in the first loop iteration of the scalar multiplication component, creating an equality constraint that anchors the base point to the external input and propagates it through subsequent iterations. The zcashd v6.12.5 release also addressed the vulnerability on the alternative node implementation. The transition produced some chain instability: community member Kenbak documented a 25-block fork spanning heights 3,363,431 to 3,363,455, with 37 orphaned blocks from nodes still running older software. Wallet providers including Cake Wallet temporarily suspended all ZEC functionality during the transition.","heading":"Emergency Response and Hard Fork","severity":"high","sources":[{"credibility":2,"name":"CryptoTimes: Zcash Executes Emergency Fork After Critical Orchard Vulnerability Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/zcash-executes-emergency-fork-after-critical-orchard-vulnerability-discovery/"},{"credibility":2,"name":"CoinTelegraph: Why ZEC fell 40% even after Zcash patched a shielded pool bug","type":"news_article","url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"},{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"}]},{"content":"The most structurally significant consequence of the vulnerability is its permanent unverifiability. Because Orchard's privacy design conceals transaction amounts and history through zero-knowledge proofs, there is no cryptographic method to retroactively determine whether the flaw was exploited at any point between May 2022 and June 2026. Shielded Labs acknowledged this directly in its disclosure, stating that 'there is no definitive way to determine using only cryptography whether such exploitation occurred.' The organization assessed prior exploitation as unlikely, citing the complexity required to identify and exploit the flaw. Craig Salm, Chief Legal Officer at Grayscale, publicly argued that pre-patch exploitation was improbable, noting an attacker would have needed superior code examination skills and would have had economic incentives to liquidate gains during bull market conditions rather than hold counterfeit coins undetected. However, these assessments are probabilistic rather than cryptographic, and the question of whether the Orchard shielded supply was inflated during the four-year window cannot be definitively answered. At the time of the emergency fork, approximately 30% of circulating ZEC — roughly 5 million coins — resided in shielded addresses.","heading":"Supply Integrity and the Unverifiability Problem","severity":"critical","sources":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as developer reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"BitMEX Blog: Why Zcash Crashed Nearly 50% in 48 Hours","type":"news_article","url":"https://www.bitmex.com/blog/zec-crash-2026"},{"credibility":1,"name":"Shielded Labs: The Orchard Counterfeiting Vulnerability","type":"official","url":"https://shieldedlabs.net/the-orchard-counterfeiting-vulnerability/"}]},{"content":"Public disclosure on June 5, 2026, triggered one of the sharpest single-event price declines in Zcash's history. ZEC had reached a high of approximately $624 on June 4; by June 5 it had fallen to $309, representing a decline of approximately 50% in 48 hours. Intraday figures reported across major outlets varied: CoinDesk reported a 38% decline to $442.60 within the initial 24 hours; Decrypt reported a drop from $635 to $309 for a 37.8% daily decline; BitMEX's analysis documented the full 50% two-day move. Market capitalization loss exceeded $3 billion across the event. ZEC had appreciated significantly in the months prior to the disclosure — rising approximately 91% between May 1 and its late-May peak of $670, and up substantially from a cycle low of $35 in August 2025. The disclosure erased a large portion of those gains. ZEC had been briefly trading above $600 even after the emergency hard fork executed on June 3, before the full public disclosure on June 5 triggered the larger leg down.","heading":"Market Impact","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as developer reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"BitMEX Blog: Why Zcash Crashed Nearly 50% in 48 Hours","type":"news_article","url":"https://www.bitmex.com/blog/zec-crash-2026"},{"credibility":2,"name":"KuCoin: ZEC Price Declines by 50% due to Concerns over Zcash's Orchard Pool Bug","type":"news_article","url":"https://www.kucoin.com/blog/ZEC-Price-Declines-by-50-percent"}]},{"content":"The disclosure prompted Arthur Hayes, former CEO of BitMEX, to publicly exit his entire Zcash position. Hayes had held ZEC as the second-largest position in his Holy Trinity family fund, accumulated at a cost basis well below the $624 peak. In a public statement, Hayes said: 'I read about the exploit yesterday, and didn't appreciate how it violated my narrative mental map.' He added that while he believed exploitation was 'extremely unlikely,' it could not be 'cryptographically proven impossible' — a standard he applied as a threshold for holding a privacy coin. Hayes indicated he would be willing to reconsider purchasing ZEC at lower prices if his concerns about ongoing risks proved incorrect. Separately, Udi Wertheimer, a crypto commentator, noted that privacy coins enable 'a unique class of bugs' where exploitation may go permanently undetected. Craig Salm of Grayscale offered a counterpoint, arguing the complexity of the exploit and the economic incentives of a rational attacker made prior exploitation improbable. Reports from CoinDesk indicated that one major investor lost approximately half the value of a $174 million position during the crash.","heading":"Institutional and Notable Investor Reaction","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Arthur Hayes dumps Zcash holdings after Orchard Pool vulnerability revealed","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"credibility":2,"name":"CryptoNews: Arthur Hayes Just Dumped His Entire Zcash Position","type":"news_article","url":"https://cryptonews.com/news/arthur-hayes-dumps-zcash-orchard-pool-bug/"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"BitMEX Blog: Why Zcash Crashed Nearly 50% in 48 Hours","type":"news_article","url":"https://www.bitmex.com/blog/zec-crash-2026"}]},{"content":"Shielded Labs announced a set of proposed measures following the disclosure. The primary proposal involves a network upgrade that would deploy a new shielded pool featuring turnstile accounting, a mechanism that would allow anyone to independently verify that the total ZEC supply in the shielded pool matches what was deposited through tracked inflows. This would address the fundamental unverifiability of the Orchard pool's historic supply by requiring migration through an auditable gateway. Shielded Labs also proposed a formal verification project aimed at producing mathematical proofs of security for the Orchard circuit and any successor components, and announced plans to accelerate hiring for a Head of Security and a dedicated Cryptographer. Community discussion on the Zcash Community Forum raised the question of whether a new shielded pool would force migration of existing Orchard funds; member conradoplg cited the precedent of the Sprout pool, which was deprecated without mandatory migration. Community members also raised questions about potential compensation mechanisms if counterfeiting had in fact occurred. No exploit has been confirmed as of the date of disclosure.","heading":"Proposed Remediation and Future Steps","severity":"medium","sources":[{"credibility":2,"name":"The Defiant: Shielded Labs Proposes New Zcash Upgrade to Prove ZEC Supply After Orchard Bug","type":"news_article","url":"https://thedefiant.io/news/blockchains/shielded-labs-proposes-new-zcash-upgrade-to-prove-zec-supply-after-orchard-bug"},{"credibility":3,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability — And Next Steps","type":"community_report","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as developer reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":1,"name":"Shielded Labs: The Orchard Counterfeiting Vulnerability","type":"official","url":"https://shieldedlabs.net/the-orchard-counterfeiting-vulnerability/"}]},{"content":"The Orchard vulnerability has prompted wider discussion about structural security risks inherent in privacy-preserving blockchain designs. Because zero-knowledge proof circuits conceal transaction amounts and participant identities by design, any soundness flaw in the circuit — one that allows invalid proofs to be accepted as valid — creates a class of attack that cannot be detected retroactively through on-chain analysis. This contrasts with transparent-ledger cryptocurrencies, where supply inflation from a bug would be detectable by examining the public transaction graph. Commentators including Udi Wertheimer noted that privacy coins enable 'a unique class of bugs' where exploitation goes undetected. The event also demonstrated the emerging role of AI-assisted security research in identifying vulnerabilities that had resisted conventional audit for extended periods. The Orchard circuit had been reviewed by experienced cryptographers since 2022 without detection of the flaw. Taylor Hornby's use of Claude Opus 4.8, released just one day before the discovery, surfaced the vulnerability within hours of the model becoming available.","heading":"Broader Implications for Privacy Coin Security","severity":"medium","sources":[{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"Unchained Crypto: AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability","type":"news_article","url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"},{"credibility":2,"name":"BeInCrypto: An Opus 4.8 Audit Uncovered Zcash's Bug","type":"news_article","url":"https://beincrypto.com/zcash-zec-orchard-counterfeiting-bug/"}]}],"sources_used":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as developer reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":1,"name":"CoinDesk: Arthur Hayes dumps Zcash holdings after Orchard Pool vulnerability revealed","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"Unchained Crypto: AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability","type":"news_article","url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"credibility":1,"name":"Shielded Labs: The Orchard Counterfeiting Vulnerability (official disclosure, authored by Jason McGee, published June 4, 2026)","type":"official","url":"https://shieldedlabs.net/the-orchard-counterfeiting-vulnerability/"},{"credibility":3,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability — And Next Steps","type":"community_report","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"},{"credibility":2,"name":"CoinTelegraph: Why ZEC fell 40% even after Zcash patched a shielded pool bug","type":"news_article","url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"},{"credibility":2,"name":"CryptoTimes: Zcash Executes Emergency Fork After Critical Orchard Vulnerability Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/zcash-executes-emergency-fork-after-critical-orchard-vulnerability-discovery/"},{"credibility":2,"name":"BitMEX Blog: Why Zcash Crashed Nearly 50% in 48 Hours","type":"news_article","url":"https://www.bitmex.com/blog/zec-crash-2026"},{"credibility":2,"name":"BeInCrypto: An Opus 4.8 Audit Uncovered Zcash's Bug","type":"news_article","url":"https://beincrypto.com/zcash-zec-orchard-counterfeiting-bug/"},{"credibility":2,"name":"CryptoNews: Arthur Hayes Just Dumped His Entire Zcash Position After a Bug That Could Have Allowed Counterfeit ZEC for 4 Years","type":"news_article","url":"https://cryptonews.com/news/arthur-hayes-dumps-zcash-orchard-pool-bug/"},{"credibility":2,"name":"The Defiant: Shielded Labs Proposes New Zcash Upgrade to Prove ZEC Supply After Orchard Bug","type":"news_article","url":"https://thedefiant.io/news/blockchains/shielded-labs-proposes-new-zcash-upgrade-to-prove-zec-supply-after-orchard-bug"},{"credibility":2,"name":"CryptoBriefing: Zcash plunges 38% after critical counterfeiting vulnerability disclosure","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":2,"name":"KuCoin: ZEC Price Declines by 50% due to Concerns over Zcash's Orchard Pool Bug","type":"news_article","url":"https://www.kucoin.com/blog/ZEC-Price-Declines-by-50-percent"}],"summary":"On June 5, 2026, Shielded Labs publicly disclosed a critical soundness flaw in the zero-knowledge proof circuit of Zcash's Orchard shielded pool that had existed undetected since the pool's activation in May 2022. The vulnerability, found by security engineer Taylor Hornby using Anthropic's Claude Opus 4.8 AI model, could have allowed unlimited undetectable counterfeit ZEC minting with no on-chain signature; an emergency hard fork patched the circuit by June 3, 2026. Because Orchard's privacy design conceals transaction history, no cryptographic method exists to determine whether the flaw was exploited during the four years it was present, leaving the supply integrity of shielded ZEC permanently unverifiable for that period.","timeline":[{"date":"2022-05-01","event":"Zcash Orchard shielded pool activated on mainnet, beginning the period during which the counterfeiting vulnerability was present and undetected.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-04-01","event":"Shielded Labs engages Taylor Hornby as an independent security engineer to conduct a targeted protocol security audit of Zcash.","source":"Unchained Crypto","source_url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"date":"2026-05-28","event":"Anthropic releases Claude Opus 4.8 model.","source":"Unchained Crypto","source_url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"date":"2026-05-29","event":"Taylor Hornby discovers the soundness flaw in the Orchard zero-knowledge proof circuit using Claude Opus 4.8 in an AI-assisted audit. He discloses the vulnerability to Zcash Open Development Lab (ZODL) and creates a working exploit in a local test environment.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-06-01","event":"Emergency soft fork coordination begins; Zebra 4.5.3 release prepared to disable Orchard transactions at a specific block height.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/02/zcash-executes-emergency-fork-after-critical-orchard-vulnerability-discovery/"},{"date":"2026-06-02","event":"Emergency soft fork activates at mainnet block height 3,363,426 at approximately 02:00 UTC, temporarily disabling all Orchard transactions. A 25-block fork and 37 orphaned blocks result from nodes running outdated software.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/02/zcash-executes-emergency-fork-after-critical-orchard-vulnerability-discovery/"},{"date":"2026-06-03","event":"NU6.2 hard fork activates at block height 3,364,600 via Zebra 5.0.0, re-enabling the Orchard pool with a corrected circuit that introduces a copy_advice() equality constraint. ZEC briefly rallies from approximately $544 to $624.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"},{"date":"2026-06-04","event":"ZEC reaches a local high of approximately $624 in the aftermath of the confirmed patch. Arthur Hayes holds ZEC as his second-largest fund position at this point.","source":"BitMEX Blog","source_url":"https://www.bitmex.com/blog/zec-crash-2026"},{"date":"2026-06-05","event":"Shielded Labs publishes the public disclosure of the Orchard counterfeiting vulnerability, authored by Jason McGee. ZEC crashes approximately 38-50% within 24-48 hours, falling to a low of $309. Arthur Hayes publicly announces he has liquidated his entire Zcash position, citing that the exploit's occurrence cannot be cryptographically ruled out.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-06-15","event":"Shielded Labs updates the original disclosure post, per page metadata on the official article.","source":"Shielded Labs","source_url":"https://shieldedlabs.net/the-orchard-counterfeiting-vulnerability/"}]},"v":1}