Verify a decision

{"actor":"system:backfill","investigation_id":"1d7658b7-0313-4731-ba92-f248c161629d","kind":"publish","page_slug":"zcash-orchard-pool-counterfeiting-bug","published_at":"2026-06-09T20:49:59.615Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Zcash Orchard Pool Counterfeiting Bug","sections":[{"content":"The vulnerability was a soundness bug in the implementation of the Orchard zero-knowledge proof circuit, specifically residing in two lines of code within the halo2_gadgets crate. Technically, the flaw involved an under-constrained variable-base scalar multiplication gadget: because the elliptic-curve multiplication check was insufficiently constrained, an attacker could supply arbitrary false inputs to the check and still have it pass validation. A soundness vulnerability of this type allows the proof system to accept invalid state transitions that it should reject. In the context of Zcash's Orchard pool, a successful exploit could have allowed an attacker to create counterfeit ZEC within the shielded pool with no detectable on-chain signature, effectively double-spending within Orchard by spending ZEC that did not legitimately exist inside the pool. The bug was present in all halo2_gadgets versions prior to v0.5.0, all orchard crate versions prior to v0.14.0, zcashd v5.0.0 through v6.12.3, and all zebrad versions below v4.5.1.","heading":"Vulnerability Description","severity":"critical","sources":[{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":2,"name":"The Block: Security researcher finds Zcash vulnerability allowing 'unlimited' counterfeit minting","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"}]},{"content":"The vulnerability was discovered on May 29, 2026 by Taylor Hornby, an independent security engineer engaged by Shielded Labs in April 2026 to conduct a targeted protocol audit. Hornby used Anthropic's Opus 4.8 AI model as part of an AI-assisted review of the Orchard circuit to identify potential cryptographic weaknesses. Hornby successfully wrote a complete proof-of-concept exploit which, when tested in a local environment, generated unlimited, undetectable counterfeit ZEC. Hornby responsibly disclosed the vulnerability to a select group of cryptographically skilled engineers at ZODL (Zcash Open Development Lab) on May 29. ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg (Str4d) confirmed the issue and began coordinating remediation within hours. Josh Swihart, ZODL executive, was alerted via Signal on May 30 and joined a secure video conference to coordinate the emergency response. The vulnerability had survived multiple rounds of expert human security auditing over four years since Orchard's May 2022 launch before being identified through this AI-assisted methodology.","heading":"Discovery and Disclosure","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as Shielded Labs reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses 'Critical Counterfeiting Vulnerability'","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"Crypto Times: Inside Zcash's 50-Hour Race to Save Orchard From Exploit","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"},{"credibility":2,"name":"Blockhead: Claude AI Finds Critical Vulnerability in Zcash","type":"news_article","url":"https://www.blockhead.co/2026/06/05/zcash-founder-discloses-critical-orchard-forgery-flaw-fixed-by-emergency-hard-fork/"}]},{"content":"The Zcash Open Development Lab coordinated a two-phase emergency response within approximately 50 hours of internal disclosure. Phase one was a soft fork that activated on June 2, 2026 at approximately 02:00 UTC at mainnet block height 3,363,426, disabling all Orchard-containing transactions to prevent any potential exploitation while the circuit fix was finalized. The team deliberately chose not to issue a direct circuit patch in the first phase because doing so would have revealed the vulnerability's specifics before miners and node operators had time to upgrade. The initial two-hour activation window proved insufficient and was extended after coordination with major mining pools ViaBTC and Foundry. A significant 25-block chain reorganization occurred during the soft fork period but resolved in favor of the patched chain. Phase two was the NU6.2 hard fork, which activated on June 3, 2026 at 00:05 EDT at mainnet block height 3,364,600. NU6.2 re-enabled the Orchard pool with a corrected zero-knowledge proof circuit and added a consensus rule rejecting Orchard bundles with non-canonical proof sizes. Patched software versions included Zebra 5.0.0, halo2_gadgets v0.5.0, orchard v0.14.0, and zcashd v6.12.5. Sapling and transparent transactions were unaffected throughout the incident.","heading":"Emergency Response and Patch","severity":"medium","sources":[{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":2,"name":"Crypto Times: Zcash Activates NU6.2 Hard Fork Following Double-Spend Risk Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zcash-activates-nu6-2-hard-fork-following-double-spend-risk-discovery/"},{"credibility":2,"name":"Crypto Times: Zcash Executes Emergency Fork After Critical Orchard Vulnerability Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/zcash-executes-emergency-fork-after-critical-orchard-vulnerability-discovery/"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"}]},{"content":"No confirmed exploitation of the vulnerability has been identified on mainnet. Zcash's turnstile mechanism, an accounting layer that tracks the total value flow across all transaction pools, confirmed that total ZEC supply remained intact and no unauthorized value creation occurred in the transparent accounting sense. The Zcash Foundation stated the vulnerability was 'caught before any known exploitation occurred' with 'no evidence of unauthorized value creation.' However, both Shielded Labs and the Zcash Foundation acknowledged a fundamental epistemic limitation: due to the privacy properties of the Orchard pool and the nature of the soundness flaw, there is no definitive cryptographic method to determine whether exploitation occurred during the four-year window (May 2022 to June 2026) before the patch. The absence of evidence of exploitation is not equivalent to confirmed non-exploitation. Zooko Wilcox stated the vulnerability 'could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard' but noted there is 'no way to cryptographically prove whether the vulnerability was exploited before it was remediated.' Grayscale CLO Craig Salm publicly argued exploitation was unlikely, citing the improbability that a threat actor would discover the obscure cryptographic flaw while choosing not to drain the pool during a bull market. Shielded Labs has proposed a future network upgrade to deploy a new shielded pool with enhanced turnstile accounting for Orchard coins, requiring all coins to unshield before entering the new pool, which would allow supply integrity to be independently verified going forward.","heading":"Exploitation Status and Supply Integrity","severity":"high","sources":[{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses 'Critical Counterfeiting Vulnerability'","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"Blockhead: Claude AI Finds Critical Vulnerability in Zcash","type":"news_article","url":"https://www.blockhead.co/2026/06/05/zcash-founder-discloses-critical-orchard-forgery-flaw-fixed-by-emergency-hard-fork/"}]},{"content":"ZEC traded near a local high of approximately $635 on June 4, 2026. Following Shielded Labs' public disclosure on the evening of June 5, the price fell sharply to an intraday low of approximately $309, a decline of roughly 38%. The price partially recovered to approximately $330-$442 by end of day. Trading volume dropped approximately 57% as liquidity evaporated around the disclosure. Notable market participant Arthur Hayes, former CEO of BitMEX and a publicly known ZEC holder, liquidated his entire ZEC position in response to the disclosure. Some cryptocurrency exchanges temporarily suspended ZEC deposits and withdrawals during the soft fork window. The disclosure prompted public debate about the verifiability of privacy coin supplies and whether Orchard's privacy guarantees are compatible with supply integrity assurances. Post-patch, ZEC showed partial recovery of over 10% as the network resumed normal Orchard operations and the absence of evidence of exploitation was emphasized by ZODL and the Zcash Foundation.","heading":"Market and Ecosystem Impact","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as Shielded Labs reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"CryptoBriefing: Zcash plunges 38% after critical counterfeiting vulnerability disclosure","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":2,"name":"CoinLaw: Arthur Hayes Sells All ZEC After Shocking Zcash Bug Reveal","type":"news_article","url":"https://coinlaw.io/arthur-hayes-sells-zec-after-zcash-bug-reveal/"},{"credibility":2,"name":"CoinPaper: Zcash Price Rallied Over 10% as Orchard Bug Fix Restored Network","type":"news_article","url":"https://coinpaper.com/17461/zcash-price-rallied-over-10-as-orchard-bug-fix-restored-network/"}]},{"content":"Zcash development at the time of the incident was organized under the Zcash Open Development Lab (ZODL), with Shielded Labs leading the engagement of external security researchers. The incident represented the second security-driven emergency protocol upgrade in Zcash's history since its 2016 launch. Key remediation engineers included Daira-Emma Hopwood (ZODL protocol R&D head), Kris Nuttycombe, Jack Grigg (Str4d), and Arya Solhi (Zcash Foundation), with Josh Swihart (ZODL executive) coordinating the operational response. In the wake of the disclosure, Shielded Labs announced several forward-looking measures: deployment of a new shielded pool (referred to in some reports as Ironwood) with turnstile accounting enforced at migration, enabling independent supply verification; formal verification projects for mathematical proof systems to reduce reliance on manual auditing; and plans to hire a Head of Security and a dedicated Cryptographer. ZODL confirmed it would expand ongoing security partnerships. The incident drew significant attention to the use of AI-assisted auditing tools in cryptographic circuit review, as the vulnerability had evaded expert human review for four years before being surfaced through AI-assisted analysis.","heading":"Organizational Context and Forward Remediation","severity":"medium","sources":[{"credibility":2,"name":"Crypto Times: Inside Zcash's 50-Hour Race to Save Orchard From Exploit","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"CryptoBriefing: Zcash fixes critical Orchard bug after emergency network upgrade","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-bug-emergency-upgrade/"}]}],"sources_used":[{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as Shielded Labs reveals a major bug that went undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses 'Critical Counterfeiting Vulnerability'","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"The Block: Security researcher finds Zcash vulnerability allowing 'unlimited' counterfeit minting","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"credibility":2,"name":"Crypto Times: Zcash Activates NU6.2 Hard Fork Following Double-Spend Risk Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zcash-activates-nu6-2-hard-fork-following-double-spend-risk-discovery/"},{"credibility":2,"name":"Crypto Times: Zcash Executes Emergency Fork After Critical Orchard Vulnerability Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/02/zcash-executes-emergency-fork-after-critical-orchard-vulnerability-discovery/"},{"credibility":2,"name":"Crypto Times: Inside Zcash's 50-Hour Race to Save Orchard From Exploit","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"},{"credibility":2,"name":"Blockhead: Claude AI Finds Critical Vulnerability in Zcash","type":"news_article","url":"https://www.blockhead.co/2026/06/05/zcash-founder-discloses-critical-orchard-forgery-flaw-fixed-by-emergency-hard-fork/"},{"credibility":2,"name":"CryptoBriefing: Zcash plunges 38% after critical counterfeiting vulnerability disclosure","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":2,"name":"CryptoBriefing: Zcash fixes critical Orchard bug after emergency network upgrade","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-bug-emergency-upgrade/"},{"credibility":2,"name":"CoinLaw: Arthur Hayes Sells All ZEC After Shocking Zcash Bug Reveal","type":"news_article","url":"https://coinlaw.io/arthur-hayes-sells-zec-after-zcash-bug-reveal/"},{"credibility":2,"name":"CoinPaper: Zcash Price Rallied Over 10% as Orchard Bug Fix Restored Network","type":"news_article","url":"https://coinpaper.com/17461/zcash-price-rallied-over-10-as-orchard-bug-fix-restored-network/"},{"credibility":2,"name":"Yahoo Finance / Decrypt: ZEC Crashes 38% as Zcash Discloses 'Critical Counterfeiting Vulnerability'","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/zec-crashes-38-zcash-discloses-104159962.html"},{"credibility":2,"name":"TechTimes: AI-Assisted Audit Exposes Four-Year Zcash Orchard Bug","type":"news_article","url":"https://www.techtimes.com/articles/317831/20260605/why-crypto-crashing-ai-assisted-audit-exposes-four-year-zcash-orchard-bug-zec-plummets-31.htm"}],"summary":"In May 2026, independent security researcher Taylor Hornby discovered a critical soundness vulnerability in the Zcash Orchard shielded pool's zero-knowledge proof circuit that had existed since the pool's launch in May 2022. The flaw — an under-constrained elliptic-curve multiplication gadget in the halo2_gadgets crate — could theoretically have allowed unlimited undetectable counterfeit ZEC creation within the Orchard pool, though it could not inflate total ZEC supply due to the turnstile mechanism. The Zcash Open Development Lab coordinated an emergency two-phase response within 50 hours: a soft fork on June 2 disabling Orchard transactions, followed by the NU6.2 hard fork on June 3 deploying the corrected circuit. No exploitation has been confirmed, though the privacy properties of the Orchard pool make definitive confirmation impossible. ZEC fell approximately 38% on public disclosure on June 5, 2026.","timeline":[{"date":"2022-05-01","event":"Zcash Orchard shielded pool launches, introducing the Halo 2 proving system. The soundness vulnerability in the halo2_gadgets crate is present from launch.","source":"Zcash Foundation official release","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-04-01","event":"Shielded Labs engages Taylor Hornby as an independent security engineer to conduct a targeted protocol audit of Zcash.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-05-29","event":"Taylor Hornby, using AI-assisted analysis with Anthropic's Opus 4.8 model, discovers the critical soundness vulnerability in the Orchard circuit. He writes a complete proof-of-concept exploit generating unlimited counterfeit ZEC in local testing and responsibly discloses to ZODL engineers.","source":"Crypto Times / Zcash Community Forum","source_url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"},{"date":"2026-05-30","event":"ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirm the vulnerability. ZODL executive Josh Swihart is alerted and joins secure coordination call. Emergency response planning begins.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"},{"date":"2026-06-01","event":"Emergency soft fork activation is planned but delayed due to insufficient miner deployment time. Coordination with mining pools ViaBTC and Foundry continues.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"},{"date":"2026-06-02","event":"Emergency soft fork activates at approximately 02:00 UTC at mainnet block height 3,363,426, disabling all Orchard-containing transactions. A 25-block chain reorganization occurs but resolves in favor of the patched chain.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-03","event":"NU6.2 hard fork activates at 00:05 EDT at mainnet block height 3,364,600. The corrected Orchard circuit is deployed via Zebra 5.0.0. Orchard transactions are re-enabled. Testnet NU6.2 activates at block height 4,052,000.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-05","event":"Shielded Labs publishes full public disclosure of the vulnerability. ZEC price falls approximately 38%, from roughly $635 to an intraday low of $309. Arthur Hayes liquidates his entire ZEC position. Trading volume drops approximately 57%.","source":"CoinDesk / Decrypt / CryptoBriefing","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-06-08","event":"Detailed post-mortem published covering the 50-hour response timeline, personnel involved, technical decisions made during the emergency, and plans for Ironwood (a new shielded pool with enhanced supply verification).","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/06/08/inside-zcashs-50-hour-race-to-save-orchard-from-exploit/"}]},"v":1}