Audit log

Every state-changing event for Zcash Orchard Counterfeiting Vulnerability: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-14 14:29:33Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 426,434,772

   sig

   3NRQev4chbuD…x9FmWsVWcopyexplorer ↗

   hash

   6DqMSA2cVq57…dLDKJ2AVcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (23543 B) ▸

   {"actor":"system:backfill","investigation_id":"34688391-76b6-41a7-9ef9-cd929d3d016d","kind":"publish","page_slug":"zcash-orchard-counterfeiting-vulnerability","published_at":"2026-06-14T14:29:33.829Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Zcash Orchard Counterfeiting Vulnerability","sections":[{"content":"The Orchard Counterfeiting Vulnerability was a soundness bug in the Orchard zero-knowledge proof circuit, implemented in the halo2_gadgets Rust crate. Specifically, the flaw resided in the variable-base scalar multiplication gadget: an under-constrained elliptic-curve check allowed an attacker to supply arbitrary false inputs to an elliptic-curve multiplication operation while still generating proofs that the network accepted as valid. In zero-knowledge proof systems, 'soundness' is the property ensuring only valid transactions and state transitions are accepted. A soundness failure means an adversary can construct a proof of a false statement — in this case, that counterfeit ZEC exists legitimately within the Orchard shielded pool. Security researcher Taylor Hornby confirmed the severity by building a complete working proof-of-concept exploit on a local regtest environment, generating unlimited undetectable counterfeit ZEC. Affected library versions included halo2_gadgets pre-v0.5.0, orchard pre-v0.14.0, zcash_primitives pre-v0.28.0, zcashd v5.0.0 through v6.12.3, and zebrad versions below v4.5.1.","heading":"Vulnerability Description","severity":"critical","sources":[{"credibility":1,"name":"Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation — Zcash Foundation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":1,"name":"The Orchard Counterfeiting Vulnerability — And Next Steps — Zcash Community Forum","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"Security researcher finds Zcash vulnerability allowing 'unlimited' counterfeit minting; ZEC drops 31% — The Block","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"}]},{"content":"Taylor Hornby, a former Electric Coin Company security engineer, was contracted by Shielded Labs in April 2026 to conduct proactive vulnerability research on the Orchard protocol. On May 28, 2026 — the same day Anthropic released Claude Opus 4.8 — Hornby began deploying the model within a custom AI-assisted auditing framework. On May 29, 2026, at 11:53 PM, Hornby privately disclosed the discovered vulnerability to the Zcash Open Development Lab (ZODL). This is the second known counterfeiting-class vulnerability in Zcash's history; the first, affecting the original Sprout shielded pool (CVE-2019-7167), was present from Zcash's October 2016 launch until the Sapling upgrade in October 2018 — an eight-month window. Joe Andrews, CEO of Aztec Labs, noted that under-constrained elliptic-curve checks are among the most common weaknesses in production-grade zero-knowledge circuits, and that AI auditing tools are surfacing such bugs at an accelerating rate. Critics including analyst Udi Wertheimer noted a pattern: 'this isn't the first time a bug like this was discovered in zcash. last time it was disclosed after being a year+ in the wild, causing everyone to lose faith.' Wertheimer added that the class of bug enables attacks where 'if exploited, no one would know,' making the fix itself less reassuring.","heading":"Discovery and Disclosure","severity":"critical","sources":[{"credibility":1,"name":"Zcash plummets 38% as Shielded Labs reveals a major bug that went undetected for four years — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability — Decrypt","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability — Unchained Crypto","type":"news_article","url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"credibility":1,"name":"Concerning the Sprout Vulnerability CVE-2019-7167 — Zcash Foundation","type":"official","url":"https://zfnd.org/concerning-the-sprout-vulnerability-cve-2019-7167/"},{"credibility":1,"name":"Zcash Counterfeiting Vulnerability Successfully Remediated — Electric Coin Company","type":"official","url":"https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/"}]},{"content":"Following Hornby's private disclosure on May 29, 2026, ZODL engineers coordinated privately with miners and exchanges over the subsequent days to prevent exploitation before a fix was available. On June 2, 2026 at approximately 02:00 UTC, Zebra 4.5.3 activated an emergency soft fork at mainnet block height 3,363,426, temporarily rejecting all Orchard-containing transactions to remove exploitation surface while the circuit fix was finalized. On June 3, 2026 at 00:05 EDT, the NU6.2 hard fork activated at block height 3,364,600, introducing a corrected zero-knowledge proof circuit via Zebra 5.0.0. The fix required a full hard fork because a circuit correction necessitates a new pinned verifying key — a change that cannot be deployed as a software patch alone. The corrected Zebra routes Orchard proofs through new per-circuit verifying keys (InsecurePreNu6_2 and FixedPostNu6_2). Sapling and transparent transactions continued operating normally throughout the emergency response period. The NU6.2 upgrade represents only the second security-driven protocol upgrade in Zcash's history since its 2016 launch. Public disclosure occurred on June 5, 2026 — two days after the fix was fully deployed.","heading":"Emergency Patch and Network Upgrade","severity":"high","sources":[{"credibility":1,"name":"Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation — Zcash Foundation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":2,"name":"Zcash Activates NU6.2 Hard Fork Following Double-Spend Risk Discovery — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zcash-activates-nu6-2-hard-fork-following-double-spend-risk-discovery/"},{"credibility":2,"name":"Zcash Foundation fixes Orchard bug with Zebra emergency upgrade — crypto.news","type":"news_article","url":"https://crypto.news/zcash-foundation-fixes-orchard-bug-with-zebra-emergency-upgrade/"}]},{"content":"The Orchard vulnerability presents a class of supply-integrity risk categorically distinct from most cryptocurrency exploits. Shielded Labs acknowledged in its public disclosure that 'there is no definitive way to determine using only cryptography whether such exploitation occurred' before the fix was deployed. Because Orchard's privacy architecture hides transaction amounts and identities by design, any counterfeit ZEC minted during the four-year window would be cryptographically indistinguishable from legitimately minted coins — and would leave no forensic trail accessible to investigators or auditors. The Zcash Foundation and developers noted that Zcash's turnstile mechanism — which tracks aggregate value flow across pools — provided a constraint that protected total ZEC supply integrity at the pool boundary level: the mechanism confirms that ZEC cannot exit a shielded pool in greater amounts than entered it. However, as a CoinTelegraph analysis noted, a private-pool exploit could in theory distort internal Orchard balances while staying within the pool's public entry-and-exit limits, and the turnstile does not reveal internal shielded-pool movements. Developers stated they found no evidence of exploitation, and described exploitation as unlikely given the flaw's evasiveness and the technical sophistication required, but concede this determination rests on probabilistic inference rather than cryptographic proof.","heading":"Supply Integrity and Structural Unknowability","severity":"critical","sources":[{"credibility":1,"name":"The Orchard Counterfeiting Vulnerability — And Next Steps — Zcash Community Forum","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"Why ZEC fell 40% even after Zcash patched a shielded pool bug — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"},{"credibility":2,"name":"ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability — Decrypt","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"}]},{"content":"ZEC had been among the top-performing large-cap altcoins in the preceding months, delivering over 1,000% gains from early 2025 lows and reaching a November 2025 all-time high near $748. Following the June 5 public disclosure, ZEC crashed 37.8–38% intraday, falling from approximately $635 on June 4 to lows of $309 on June 5, with some sources citing an intraday low of $442.60. Trading volumes declined by as much as 57% as liquidity dried up, representing a loss of over $3 billion in market capitalization. Arthur Hayes, co-founder of BitMEX, publicly disclosed he had liquidated his entire ZEC position, stating the privacy thesis 'demands perfection' and that supply-integrity uncertainty was disqualifying. Hayes noted he may repurchase ZEC if his concerns prove unfounded. Craig Salm, Chief Legal Officer at Grayscale, argued that pre-patch exploitation was unlikely, reasoning that an attacker would have had to examine the codebase more thoroughly than all core developers combined. The incident prompted comparisons to the 2019 Sprout vulnerability, which also went undetected for an extended period before disclosure and caused a sustained loss of investor confidence.","heading":"Market Impact","severity":"high","sources":[{"credibility":2,"name":"Zcash plunges 38% after critical counterfeiting vulnerability disclosure — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":1,"name":"Arthur Hayes dumps Zcash holdings after Orchard Pool vulnerability revealed — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"credibility":2,"name":"Arthur Hayes Just Dumped His Entire Zcash Position After a Bug That Could Have Allowed Counterfeit ZEC for 4 Years — Yahoo Finance / CryptoNews","type":"news_article","url":"https://cryptonews.com/news/arthur-hayes-dumps-zcash-orchard-pool-bug/"},{"credibility":2,"name":"Why ZEC fell 40% even after Zcash patched a shielded pool bug — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"}]},{"content":"Shielded Labs announced a network upgrade plan involving deployment of a new shielded pool with expanded turnstile accounting for Orchard coins, intended to allow supply integrity verification without relying solely on cryptographic privacy guarantees. The proposal also includes initiation of formal circuit verification efforts to provide mathematical proofs against remaining undiscovered bugs. On the personnel side, Shielded Labs announced accelerated hiring for a Head of Security and a Cryptographer role, and stated it would continue AI-assisted vulnerability research. Community skeptics noted that forcing migration to a new pool would be difficult historically: a similar migration challenge had plagued the earlier Sprout-to-Sapling transition. The discovery of the vulnerability via AI-assisted auditing sparked broader industry discussion about whether AI tools are beginning to outpace traditional human code review for cryptographic circuit security, with Joe Andrews of Aztec Labs observing that the industry is discovering such vulnerabilities at an accelerating rate as AI auditing tools become more widespread.","heading":"Proposed Remediation and Future Security Measures","severity":"medium","sources":[{"credibility":1,"name":"The Orchard Counterfeiting Vulnerability — And Next Steps — Zcash Community Forum","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"Zcash patches critical counterfeiting bug in Orchard shielded pool — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-bug-emergency-upgrade/"},{"credibility":2,"name":"An Opus 4.8 Audit Uncovered Zcash's Bug — ZEC Plunged — BeInCrypto","type":"news_article","url":"https://beincrypto.com/zcash-zec-orchard-counterfeiting-bug/"}]},{"content":"This is not the first counterfeiting-class vulnerability Zcash has disclosed. In February 2019, the Electric Coin Company revealed that Ariel Gabizon, a company cryptographer, had discovered a fundamental cryptographic flaw in the original Sprout shielded pool (later designated CVE-2019-7167) on March 1, 2018 — approximately eight months before it was resolved. The Sprout flaw involved surplus elements in the BCTV14 zk-SNARK construction that allowed a cheating prover to transform the proof of one valid statement into a valid-looking proof of a different statement, potentially enabling unlimited counterfeit ZEC creation in the Sprout pool. The vulnerability was silently remediated by the October 2018 Sapling upgrade, which replaced the proving system entirely, and only publicly disclosed months after the fix was deployed. Zcash stated at that time that no evidence of counterfeiting had been found. The recurrence of a structurally similar class of vulnerability in the Orchard pool — the successor to Sapling — some seven years later has amplified community skepticism about Zcash's ability to maintain circuit soundness across successive privacy pool implementations.","heading":"Historical Pattern: Sprout Vulnerability (2019)","severity":"medium","sources":[{"credibility":1,"name":"Zcash Counterfeiting Vulnerability Successfully Remediated — Electric Coin Company","type":"official","url":"https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/"},{"credibility":1,"name":"Concerning the Sprout Vulnerability CVE-2019-7167 — Zcash Foundation","type":"official","url":"https://zfnd.org/concerning-the-sprout-vulnerability-cve-2019-7167/"},{"credibility":2,"name":"Zcash patches critical bug affecting the Sprout shielded pool — crypto.news","type":"news_article","url":"https://crypto.news/zcash-patches-critical-bug-affecting-the-sprout-shielded-pool/"}]}],"sources_used":[{"credibility":1,"name":"Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation — Zcash Foundation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":1,"name":"The Orchard Counterfeiting Vulnerability — And Next Steps — Zcash Community Forum","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":1,"name":"Zcash Counterfeiting Vulnerability Successfully Remediated — Electric Coin Company","type":"official","url":"https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/"},{"credibility":1,"name":"Concerning the Sprout Vulnerability CVE-2019-7167 — Zcash Foundation","type":"official","url":"https://zfnd.org/concerning-the-sprout-vulnerability-cve-2019-7167/"},{"credibility":1,"name":"Zcash plummets 38% as Shielded Labs reveals a major bug that went undetected for four years — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":1,"name":"Arthur Hayes dumps Zcash holdings after Orchard Pool vulnerability revealed — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"credibility":2,"name":"ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability — Decrypt","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"Zcash plunges 38% after critical counterfeiting vulnerability disclosure — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":2,"name":"Zcash patches critical counterfeiting bug in Orchard shielded pool — CryptoBriefing","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-bug-emergency-upgrade/"},{"credibility":2,"name":"Security researcher finds Zcash vulnerability allowing 'unlimited' counterfeit minting; ZEC drops 31% — The Block","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"credibility":2,"name":"Why ZEC fell 40% even after Zcash patched a shielded pool bug — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/learn/why-zec-fell-after-zcash-orchard-bug-fix"},{"credibility":2,"name":"AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability — Unchained Crypto","type":"news_article","url":"https://unchainedcrypto.com/ai-assisted-audit-uncovers-critical-zcash-orchard-vulnerability-that-could-have-minted-unlimited-counterfeit-zec/"},{"credibility":2,"name":"Zcash Activates NU6.2 Hard Fork Following Double-Spend Risk Discovery — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zcash-activates-nu6-2-hard-fork-following-double-spend-risk-discovery/"},{"credibility":2,"name":"Zcash Patches Critical Counterfeit Exploit as ZEC Drops 37% — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/05/zcash-patches-critical-counterfeit-exploit-as-zec-drops-37/"},{"credibility":2,"name":"Zcash Foundation fixes Orchard bug with Zebra emergency upgrade — crypto.news","type":"news_article","url":"https://crypto.news/zcash-foundation-fixes-orchard-bug-with-zebra-emergency-upgrade/"},{"credibility":2,"name":"Arthur Hayes Just Dumped His Entire Zcash Position — CryptoNews","type":"news_article","url":"https://cryptonews.com/news/arthur-hayes-dumps-zcash-orchard-pool-bug/"},{"credibility":2,"name":"AI helps uncover critical 4-year-old Zcash vulnerability — SC Media","type":"news_article","url":"https://www.scworld.com/brief/ai-helps-uncover-critical-four-year-old-zcash-vulnerability"}],"summary":"On June 5, 2026, Shielded Labs publicly disclosed a critical soundness bug in the Zcash Orchard shielded pool's zero-knowledge proof circuit that had existed undetected since Orchard's activation in May 2022. The flaw — an under-constrained element in the halo2_gadgets elliptic-curve multiplication gadget — could have allowed an attacker to mint unlimited counterfeit ZEC inside the shielded pool with no on-chain trace. An emergency hard fork (NU6.2) was deployed on June 3, 2026, patching the circuit before public disclosure, though Zcash's privacy architecture structurally prevents retrospective confirmation that no exploitation occurred during the four-year exposure window.","timeline":[{"date":"2016-10-28","event":"Zcash mainnet launches with Sprout shielded pool.","source":"Electric Coin Company","source_url":"https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/"},{"date":"2018-03-01","event":"Zcash cryptographer Ariel Gabizon discovers CVE-2019-7167 counterfeiting flaw in the Sprout shielded pool's BCTV14 zk-SNARK construction.","source":"Electric Coin Company","source_url":"https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/"},{"date":"2018-10-28","event":"Sapling network upgrade activates, silently patching the Sprout counterfeiting vulnerability by replacing the proving system.","source":"Electric Coin Company","source_url":"https://electriccoin.co/blog/zcash-counterfeiting-vulnerability-successfully-remediated/"},{"date":"2019-02-05","event":"Electric Coin Company publicly discloses the 2018 Sprout counterfeiting vulnerability (CVE-2019-7167) months after the silent fix.","source":"Zcash Foundation","source_url":"https://zfnd.org/concerning-the-sprout-vulnerability-cve-2019-7167/"},{"date":"2022-05-01","event":"Zcash activates the Orchard shielded pool, introducing the halo2_gadgets-based zero-knowledge proof circuit containing the as-yet-undiscovered soundness vulnerability.","source":"Zcash Community Forum","source_url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"date":"2026-04-01","event":"Shielded Labs contracts Taylor Hornby to conduct proactive protocol vulnerability research on Orchard.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-05-28","event":"Anthropic releases Claude Opus 4.8. Taylor Hornby begins deploying the model in a custom AI-assisted security auditing framework.","source":"Zcash Community Forum","source_url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"date":"2026-05-29","event":"Taylor Hornby discovers the Orchard counterfeiting vulnerability and privately discloses it to ZODL at 11:53 PM. Hornby confirms severity via a working exploit on local regtest generating unlimited counterfeit ZEC.","source":"CoinDesk / Zcash Community Forum","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-05-31","event":"ZODL engineers confirm the vulnerability and begin coordinating privately with miners and exchanges.","source":"crypto.news","source_url":"https://crypto.news/zcash-foundation-fixes-orchard-bug-with-zebra-emergency-upgrade/"},{"date":"2026-06-02","event":"Zebra 4.5.3 activates emergency soft fork at block height 3,363,426 (~02:00 UTC), temporarily rejecting all Orchard-containing transactions.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-03","event":"NU6.2 hard fork activates at block height 3,364,600 (00:05 EDT) via Zebra 5.0.0, re-enabling Orchard with a corrected zero-knowledge proof circuit and new pinned verifying key.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-05","event":"Shielded Labs publicly discloses the Orchard counterfeiting vulnerability. ZEC falls 37.8–38% intraday from approximately $635 to lows of $309–$442, losing over $3 billion in market cap. Arthur Hayes publicly discloses liquidating his entire ZEC position.","source":"CoinDesk / Decrypt / CryptoBriefing","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 4e1966e3-24d6-4149-8758-ab691e147793copy