Audit log

Every state-changing event for Zcash Orchard Pool Counterfeiting Vulnerability: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-30 12:15:15Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 429,876,467

   sig

   5NL6tAnL2o89…RgRa4H7ecopyexplorer ↗

   hash

   CEQifRMAqaDb…rMVuYHDRcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (23725 B) ▸

   {"actor":"system:backfill","investigation_id":"c2e1e834-593f-44ff-8d7f-fda4a68fcbc3","kind":"publish","page_slug":"zcash-orchard-pool-counterfeiting-vulnerability","published_at":"2026-06-30T12:15:15.834Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Zcash Orchard Pool Counterfeiting Vulnerability","sections":[{"content":"The Orchard counterfeiting vulnerability was a soundness bug in the Orchard zero-knowledge (ZK) proof circuit, specifically within the halo2_gadgets crate used to implement the Orchard shielded pool introduced in Zcash's NU5 network upgrade. The flaw resided in two lines of code in the circuit's variable-base scalar multiplication gadget (incomplete.rs, lines 309-310). The vulnerable code used assign_advice() to write base point coordinates without creating an equality constraint tying those coordinates to the externally supplied value. The correct implementation requires copy_advice(), which enforces that the internal base point used during computation is cryptographically bound to the protocol-specified input. Without this constraint, a malicious prover could substitute an arbitrary base point while maintaining internal algebraic consistency, breaking the uniqueness of nullifiers derived from note keys. Because different nk (nullifier key) values produce different nullifiers for the same note, an attacker could theoretically double-spend funds within the Orchard shielded pool. The exploit was described as generating unlimited, undetectable counterfeit ZEC within the Orchard pool. Crucially, however, Zcash's cross-pool turnstile mechanism — which enforces balance invariants across all value pools — meant the total ZEC supply cap remained verifiably intact; counterfeit notes could only be created and circulated within the Orchard pool itself, not inflated into the total supply.","heading":"Vulnerability Overview","severity":"critical","sources":[{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"},{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as Shielded Labs reveals a major bug undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"}]},{"content":"The vulnerability was discovered on May 29, 2026 by Taylor Hornby, a security engineer engaged by Shielded Labs in April 2026 to conduct proactive protocol security research. Hornby employed AI-assisted auditing techniques, specifically using Anthropic's Opus 4.8 model — released publicly on May 28, 2026 — alongside a custom-built AI harness and targeted prompts designed to examine the Orchard circuit. Within approximately 24 hours of the Opus 4.8 model's public release, Hornby identified the flaw, which had survived multiple rounds of expert human review since the Orchard pool's activation in May 2022. Hornby subsequently constructed a complete, working exploit that, in a local regtest environment, successfully generated unlimited counterfeit ZEC undetectably. This incident has been widely cited as a notable early example of AI-assisted vulnerability discovery in production cryptographic systems. Following the discovery, Hornby responsibly disclosed the vulnerability to the Zcash Open Development Lab (ZODL) core engineers on the evening of May 29.","heading":"Discovery and AI-Assisted Auditing","severity":"high","sources":[{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as Shielded Labs reveals major bug undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":1,"name":"The Block: Security researcher finds Zcash vulnerability allowing unlimited counterfeit minting","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"credibility":2,"name":"BeInCrypto: An Opus 4.8 Audit Uncovered Zcash's Bug","type":"news_article","url":"https://beincrypto.com/zcash-zec-orchard-counterfeiting-bug/"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"}]},{"content":"Following responsible disclosure on May 29, 2026, private coordination with miners, exchanges, and node operators began on May 31. On June 2, 2026 at approximately 02:00 UTC, an emergency soft fork activated at Mainnet block height 3,363,426 via Zebra 4.5.3, which temporarily disabled all Orchard-containing transactions and blocks to minimize the risk of exploitation while a permanent circuit fix was finalized. On June 3, 2026 at 00:05 EDT, the NU6.2 hard fork activated at Mainnet block height 3,364,600, re-enabling Orchard with a corrected circuit. The NU6.2 upgrade also added a consensus rule rejecting Orchard bundles with non-canonical proof sizes. Corresponding Testnet activation occurred at block height 4,052,000. The vulnerability affected all versions of the halo2_gadgets crate prior to the patch, as well as all versions of zebrad prior to v4.5.1. Public disclosure was made on June 5, 2026, after the fix had been deployed and activated.","heading":"Emergency Response and Fix","severity":"high","sources":[{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":2,"name":"CryptoTimes: Zcash Activates NU6.2 Hard Fork Following Double-Spend Risk Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zcash-activates-nu6-2-hard-fork-following-double-spend-risk-discovery/"},{"credibility":2,"name":"CryptoBriefing: Zcash fixes critical Orchard bug after emergency network upgrade","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-bug-emergency-upgrade/"}]},{"content":"As of public disclosure on June 5, 2026, no evidence of on-chain exploitation had been identified. However, Shielded Labs and the Zcash Foundation both acknowledged that, due to the privacy properties of the Orchard pool, there is no cryptographic way to definitively determine whether the vulnerability was exploited during the approximately four-year window between Orchard's activation in May 2022 and the emergency soft fork on June 2, 2026. Shielded Labs stated it was 'not overly concerned' that counterfeiting had occurred, reasoning that the bug had evaded years of scrutiny by experienced cryptographers and was only surfaced through advanced AI-assisted techniques. Craig Salm, Chief Legal Officer of Grayscale, publicly argued that actual exploitation prior to the patch was improbable given the technical sophistication required. Arthur Hayes, BitMEX co-founder, disputed this confidence and liquidated his entire ZEC position, stating that 'the probability of unauthorized minting is extremely low, but it cannot be proven cryptographically impossible.' Shielded Labs subsequently proposed a new network upgrade involving a fresh shielded pool with turnstile accounting on all existing Orchard coins, intended to provide greater assurance of supply integrity going forward.","heading":"Exploitation Status and Supply Integrity","severity":"critical","sources":[{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":1,"name":"CoinDesk: Arthur Hayes dumps Zcash holdings after Orchard Pool vulnerability revealed","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"credibility":2,"name":"The Defiant: Shielded Labs Proposes New Zcash Upgrade to Prove ZEC Supply After Orchard Bug","type":"news_article","url":"https://thedefiant.io/news/blockchains/shielded-labs-proposes-new-zcash-upgrade-to-prove-zec-supply-after-orchard-bug"},{"credibility":2,"name":"Yahoo Finance: Arthur Hayes Just Dumped His Entire Zcash Position","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/arthur-hayes-just-dumped-entire-092210665.html"}]},{"content":"Public disclosure on June 5, 2026 triggered severe market reaction. ZEC fell from a Wednesday high of approximately $635 to a Thursday low of approximately $309, representing a single-day decline of approximately 37.8-38%. Some reporting cited losses approaching 40-50% across a 48-hour window as selling pressure persisted. ZEC subsequently stabilized at approximately $330 in the near term. Arthur Hayes publicly disclosed the liquidation of BitMEX's entire Zcash position, which contributed to additional selling pressure. Grayscale Investments' CLO Craig Salm publicly argued that exploitation was improbable but could not be ruled out, maintaining a measured position. The Orchard shielded pool experienced a 1% withdrawal as holders moved ZEC out of the privacy pool following news of the vulnerability. The broader crypto market observed the incident given the fundamental question it raised about supply verifiability in privacy-preserving protocols.","heading":"Market Impact","severity":"high","sources":[{"credibility":1,"name":"The Block: Security researcher finds Zcash vulnerability allowing unlimited counterfeit minting; ZEC drops 31%","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"credibility":2,"name":"CryptoBriefing: Zcash plunges 38% after critical counterfeiting vulnerability disclosure","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":2,"name":"CryptoBriefing: Zcash's Orchard pool sees 1% withdrawal as counterfeiting bug shakes investor confidence","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-pool-withdrawal-counterfeiting-bug/"},{"credibility":2,"name":"Crowdfund Insider: Privacy Focused Zcash Plunges Over 50% As Crypto Investor Arthur Hayes Exits","type":"news_article","url":"https://www.crowdfundinsider.com/2026/06/283931-privacy-focused-zcash-zec-plunges-over-50-as-crypto-investor-arthur-hayes-exits-position-over-unverifiable-counterfeiting-risk/"}]},{"content":"The halo2 library underlying the vulnerable Orchard circuit is used across the wider ZKP (zero-knowledge proof) ecosystem, including protocols beyond Zcash. Security researchers noted that under-constrained circuit elements represent one of the most prevalent vulnerability classes in production ZK systems, with Kudelski Security's analyses estimating that over 80% of ZK audit findings trace to the circuit layer. The incident raised structural questions about the auditability of privacy coins more broadly: because successful exploitation of Orchard's privacy properties would leave no detectable on-chain evidence, the class of attack represents a qualitatively different threat model from those applicable to transparent blockchains. Joe Andrews, CEO of Aztec Labs, publicly commented that formal circuit verification combined with a secondary proof system represents the optimal long-term mitigation for this class of flaw. The discovery also attracted attention as a demonstration of AI-assisted cryptographic auditing, with Hornby's use of Anthropic's Opus 4.8 model — within 24 hours of its public release — to identify a four-year-old flaw generating commentary about the changing economics of vulnerability discovery and the potential for AI tools to outpace traditional manual audit coverage. Shielded Labs subsequently announced plans for formal verification of the Orchard circuit and new security hires including a Head of Security and Cryptographer.","heading":"Broader Ecosystem Implications","severity":"medium","sources":[{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"},{"credibility":2,"name":"CryptoISAC: The Zcash Orchard Bug and the New Economics of Vulnerability Discovery","type":"research","url":"https://www.cryptoisac.org/news-member-content/the-zcash-orchard-bug-and-the-new-economics-of-vulnerability-discovery"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"The Defiant: Shielded Labs Proposes New Zcash Upgrade to Prove ZEC Supply After Orchard Bug","type":"news_article","url":"https://thedefiant.io/news/blockchains/shielded-labs-proposes-new-zcash-upgrade-to-prove-zec-supply-after-orchard-bug"}]},{"content":"The response timeline demonstrated coordinated private disclosure: after Hornby reported the vulnerability to ZODL engineers on the evening of May 29, a period of approximately three days passed during which exchanges, miners, and node operators were privately coordinated before the emergency soft fork was activated on June 2. Public disclosure followed on June 5, two days after the NU6.2 hard fork had activated a permanent fix. This sequencing — fix first, disclose second — is consistent with responsible disclosure norms and reduced the window during which a bad actor with knowledge of the flaw could have exploited it. However, the emergency hard fork itself drew governance scrutiny, with some community members raising concerns about the speed and coordination process used to push a consensus change. Shielded Labs' post-incident proposal for a new shielded pool requiring turnstile migration of existing Orchard funds was cited as an attempt to restore provable supply integrity, though such a migration would require broad ecosystem coordination and another network upgrade.","heading":"Governance and Disclosure Process","severity":"medium","sources":[{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":2,"name":"CryptoBriefing: Zcash faces governance concerns after emergency hard fork over critical vulnerability","type":"news_article","url":"https://cryptobriefing.com/zcash-governance-concerns-emergency-hard-fork/"},{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"}]}],"sources_used":[{"credibility":1,"name":"Zcash Foundation: Zebra 4.5.3 and 5.0.0 Emergency Soft Fork and NU6.2 Activation","type":"official","url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"credibility":1,"name":"Zcash Community Forum: The Orchard Counterfeiting Vulnerability and Next Steps","type":"official","url":"https://forum.zcashcommunity.com/t/the-orchard-counterfeiting-vulnerability-and-next-steps/56015"},{"credibility":1,"name":"Shielded Labs: The Orchard Counterfeiting Vulnerability","type":"official","url":"https://shieldedlabs.net/the-orchard-counterfeiting-vulnerability/"},{"credibility":1,"name":"CoinDesk: Zcash plummets 38% as Shielded Labs reveals a major bug undetected for four years","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"credibility":1,"name":"CoinDesk: Arthur Hayes dumps Zcash holdings after Orchard Pool vulnerability revealed","type":"news_article","url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"credibility":1,"name":"The Block: Security researcher finds Zcash vulnerability allowing unlimited counterfeit minting; ZEC drops 31%","type":"news_article","url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"credibility":2,"name":"Decrypt: ZEC Crashes 38% as Zcash Discloses Critical Counterfeiting Vulnerability","type":"news_article","url":"https://decrypt.co/370105/zec-crashes-38-as-zcash-discloses-critical-counterfeiting-vulnerability"},{"credibility":2,"name":"The Defiant: Shielded Labs Proposes New Zcash Upgrade to Prove ZEC Supply After Orchard Bug","type":"news_article","url":"https://thedefiant.io/news/blockchains/shielded-labs-proposes-new-zcash-upgrade-to-prove-zec-supply-after-orchard-bug"},{"credibility":2,"name":"BlockSec: Zcash Orchard Soundness Bug Analysis","type":"research","url":"https://blocksec.com/blog/web3-security-zcash-orchard-soundness-bug-analysis"},{"credibility":2,"name":"CryptoISAC: The Zcash Orchard Bug and the New Economics of Vulnerability Discovery","type":"research","url":"https://www.cryptoisac.org/news-member-content/the-zcash-orchard-bug-and-the-new-economics-of-vulnerability-discovery"},{"credibility":2,"name":"BeInCrypto: An Opus 4.8 Audit Uncovered Zcash's Bug","type":"news_article","url":"https://beincrypto.com/zcash-zec-orchard-counterfeiting-bug/"},{"credibility":2,"name":"CryptoBriefing: Zcash plunges 38% after critical counterfeiting vulnerability disclosure","type":"news_article","url":"https://cryptobriefing.com/zcash-plunges-counterfeiting-vulnerability/"},{"credibility":2,"name":"CryptoBriefing: Zcash's Orchard pool sees 1% withdrawal as counterfeiting bug shakes investor confidence","type":"news_article","url":"https://cryptobriefing.com/zcash-orchard-pool-withdrawal-counterfeiting-bug/"},{"credibility":2,"name":"CryptoBriefing: Zcash faces governance concerns after emergency hard fork","type":"news_article","url":"https://cryptobriefing.com/zcash-governance-concerns-emergency-hard-fork/"},{"credibility":2,"name":"CryptoTimes: Zcash Activates NU6.2 Hard Fork Following Double-Spend Risk Discovery","type":"news_article","url":"https://www.cryptotimes.io/2026/06/03/zcash-activates-nu6-2-hard-fork-following-double-spend-risk-discovery/"},{"credibility":2,"name":"Yahoo Finance: Arthur Hayes Just Dumped His Entire Zcash Position After a Bug","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/arthur-hayes-just-dumped-entire-092210665.html"},{"credibility":2,"name":"Gizmodo: Zcash Bug Could Have Let Attackers Print Cryptocurrency Out of Thin Air","type":"news_article","url":"https://gizmodo.com/zcash-bug-could-have-let-attackers-print-cryptocurrency-out-of-thin-air-2000767790"},{"credibility":2,"name":"Blockhead: Claude AI Finds Critical Vulnerability in Zcash","type":"news_article","url":"https://www.blockhead.co/2026/06/05/zcash-founder-discloses-critical-orchard-forgery-flaw-fixed-by-emergency-hard-fork/"},{"credibility":2,"name":"Crowdfund Insider: Privacy Focused Zcash Plunges Over 50% As Crypto Investor Arthur Hayes Exits","type":"news_article","url":"https://www.crowdfundinsider.com/2026/06/283931-privacy-focused-zcash-zec-plunges-over-50-as-crypto-investor-arthur-hayes-exits-position-over-unverifiable-counterfeiting-risk/"}],"summary":"A critical soundness vulnerability in Zcash's Orchard shielded pool was discovered on May 29, 2026 by security engineer Taylor Hornby using Anthropic's Opus 4.8 AI model. The flaw, present since the Orchard pool's activation in May 2022, could have allowed a malicious prover to generate unlimited counterfeit ZEC undetectably within the shielded pool. An emergency soft fork and subsequent NU6.2 hard fork patched the vulnerability by June 3, 2026, prior to public disclosure on June 5, 2026, after which ZEC declined approximately 38% in 24 hours.","timeline":[{"date":"2022-05-01","event":"Orchard shielded pool activated via Zcash NU5 network upgrade; vulnerability introduced in halo2_gadgets scalar multiplication gadget.","source":"Zcash Foundation / CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-04-01","event":"Shielded Labs engages Taylor Hornby as a security engineer to conduct proactive protocol vulnerability research.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-went-undetected-for-four-years"},{"date":"2026-05-28","event":"Anthropic publicly releases the Opus 4.8 AI model.","source":"BeInCrypto","source_url":"https://beincrypto.com/zcash-zec-orchard-counterfeiting-bug/"},{"date":"2026-05-29","event":"Taylor Hornby discovers the Orchard circuit soundness vulnerability using Anthropic's Opus 4.8 model and a custom AI auditing harness. Hornby constructs a working exploit generating unlimited counterfeit ZEC in a local regtest environment. Responsible disclosure made to ZODL core engineers the same evening.","source":"The Block / CoinDesk","source_url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"date":"2026-05-31","event":"Private coordination with miners, exchanges, and node operators begins in preparation for emergency network response.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-02","event":"Emergency soft fork activates at Mainnet block height 3,363,426 (approximately 02:00 UTC) via Zebra 4.5.3, disabling all Orchard-containing transactions and blocks.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-03","event":"NU6.2 hard fork activates at Mainnet block height 3,364,600 (00:05 EDT) via Zebra 5.0.0, re-enabling Orchard with corrected circuit logic and a new consensus rule rejecting non-canonical proof sizes.","source":"Zcash Foundation","source_url":"https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/"},{"date":"2026-06-05","event":"Public disclosure of the vulnerability by Shielded Labs. ZEC declines approximately 37.8-38% in 24 hours, falling from approximately $635 to a low of approximately $309.","source":"The Block / CoinDesk / Decrypt","source_url":"https://www.theblock.co/post/403698/zcash-vulnerability-zec-drops"},{"date":"2026-06-05","event":"Arthur Hayes, BitMEX co-founder, publicly discloses he has liquidated his entire ZEC position, citing the irresolvable uncertainty about whether counterfeiting occurred prior to the fix.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/06/05/arthur-hayes-dumps-zcash-holdings-after-orchard-pool-vulnerability-revealed"},{"date":"2026-06-05","event":"Shielded Labs proposes a new network upgrade to create a fresh shielded pool with turnstile accounting on all existing Orchard coins to provide provable supply integrity.","source":"The Defiant","source_url":"https://thedefiant.io/news/blockchains/shielded-labs-proposes-new-zcash-upgrade-to-prove-zec-supply-after-orchard-bug"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 751e7768-f6b4-438f-8ac6-428b10db25cdcopy