Zcash fixes vulnerability that could have allowed infinite ZEC minting, but privacy pool features prevent verifying if it was exploited

Odaily reported that on May 29, 2026, Taylor Hornby discovered a critical counterfeiting vulnerability in Zcash's Orchard pool. Taylor Hornby reported the vulnerability to the Zcash Open Development Lab, and after coordinated efforts, a fix was completed on June 2. The vulnerability could have been exploited to secretly create an unlimited number of counterfeit ZEC within Zcash Orchard. Due to the privacy features of Orchard, it is cryptographically impossible to determine whether the vulnerability was exploited before the fix was deployed.

The vulnerability had existed since Orchard's activation in May 2022 until an emergency fix was deployed on June 1, 2026. Taylor Hornby, with the assistance of AI tools, wrote a complete exploit program and generated an infinite, undetectable amount of counterfeit ZEC in a local test environment. Shielded Labs is currently collaborating with other Zcash developers to explore network upgrade proposals that would allow anyone to verify the integrity of Zcash's supply.