Privacy's Scar: ZEC Plummets Over 30%, an 'Infinite Mint' Vulnerability That Cannot Be Proven Innocent

BlockBeats (区块律动)
Guest columnist
2026-06-05 04:48
It is currently impossible to directly prove that Orchard has never contained counterfeit assets internally.

AI Summary

  • Core Thesis: A severe vulnerability was discovered in Zcash's privacy pool, Orchard, allowing unlimited and undetectable counterfeiting of ZEC. Although patched, the inability to prove it was never exploited over the past nearly four years has led market participants to doubt the credibility of ZEC's supply, causing the price to crash over 30%.
  • Key Elements:
    1. The vulnerability was discovered by security researcher Taylor Hornby on May 29, who successfully wrote an exploit locally capable of generating unlimited counterfeit ZEC, though it was not deployed on the mainnet.
    2. The flaw originated from an "incomplete constraint" in an elliptic curve multiplication check within the Orchard circuit, allowing an attacker to bypass the "asset conservation" verification and create assets out of thin air.
    3. The Zcash team patched the vulnerability through an emergency soft/hard fork within four days, but market panic stems from the fact that the bug had been latent for nearly four years since its introduction in May 2022.
    4. Zcash's Turnstile Accounting mechanism can limit the total amount of assets flowing out of Orchard, preventing the total supply cap from being breached, but it cannot directly prove that counterfeit assets have never existed historically within the pool.
    5. To rebuild trust, Shielded Labs is planning a network upgrade, deploying a new privacy pool and performing a verifiable migration of assets from the old pool to ultimately prove supply integrity.
    6. The discovery process is noteworthy: Taylor utilized the newly released general-purpose AI model Claude Opus 4.8 to assist in reviewing and writing the exploit code, signaling AI's expanding capabilities into the security domain.

TL;DR

  • A critical vulnerability was discovered in Orchard that could generate unlimited and undetectable counterfeit ZEC. Although it has been fixed, the community still cannot prove it was never exploited in the past nearly four years.
  • The essence of ZEC's drop of over 30% is that the market has begun to doubt the credibility of Zcash’s supply.
  • Related assets: ZEC (Zcash), Anthropic (unlisted)

On June 5th, Zcash founder Zooko Wilcox published a rare, in-depth security postmortem.

The article disclosed that on May 29th, security researcher Taylor Hornby discovered a severe counterfeiting vulnerability in Orchard, Zcash's latest-generation privacy pool. An attacker could construct a transaction that shouldn't pass verification, generating unlimited and undetectable counterfeit ZEC within Orchard.

This was not just a theoretical risk. Taylor developed a complete exploit program in a local test environment and successfully generated counterfeit ZEC. If the same program were deployed on the mainnet, an attacker could theoretically generate an unlimited amount of counterfeit assets in their own mainnet wallet.

After the news was made public, ZEC dropped over 30% at one point. CoinMarketCap data shows that ZEC fell to a low of $408.39 within 24 hours, down roughly one-third from the high of $610.47 over the same period. Unfortunately, ZEC had recently been one of the few assets in the crypto space with a strong wealth effect and a compelling narrative favored by many industry heavyweights, a narrative now shattered by this vulnerability.

Looking just at the outcome, it seems like another familiar crypto security incident: a vulnerability discovered, developers rushing to fix it, market panic ensuing.

However, the truly thorny aspect of the Orchard incident is that while the vulnerability has been fixed, the Zcash community cannot directly answer another, more sensitive question:

Over the past four years, has anyone already exploited this vulnerability?

Four Days of Emergency Fix, Orchard Temporarily Halted

Orchard is a new-generation privacy payment protocol launched by Zcash in 2022 and is currently one of its primary privacy pools. It allows users to hide balances, transaction amounts, and fund flows while proving to the network via zero-knowledge proofs that transactions comply with the rules.

According to the timeline disclosed by Zooko, Shielded Labs, and the Zcash community, Taylor discovered an anomaly during a targeted security review of the Orchard circuit on May 29th and immediately privately disclosed the vulnerability to the Zcash Open Development Lab (ZODL). Shielded Labs, an independent Zcash ecosystem support organization based in Switzerland operating on donations, has been involved in Zcash's protocol development, security, and network sustainability but is not affiliated with the Zcash Foundation or ZODL.

ZODL engineers confirmed the issue was real within hours of receiving the report and began searching for a fix. To avoid publicly revealing the exploit's mechanism by immediately publishing a code patch, the team first chose to temporarily disable Orchard, preventing the creation of new Orchard outputs and the spending of funds already in Orchard.

After coordinated upgrades among developers, miners, node operators, exchanges, and infrastructure service providers, an emergency soft fork took effect on June 2nd. Subsequently, Zcash updated the Orchard circuit's verification keys via a hard fork upgrade and restored Orchard functionality on June 3rd. Transparent addresses and the Sapling privacy pool continued to operate during this period.

The entire process, from disclosure to fix, took only a few days. In terms of incident response speed, this was a fairly successful handling.

However, the market did not calm down after the fix because the resolution addressed the future, not the past.

The Market Fears Not That an Attack Will Happen, But That It May Have Already Happened

Typical security incidents usually have a relatively clear loss scale. If a smart contract is hacked, the amount stolen can be tracked on-chain. Similarly, for bridge exploits, fund flows and affected addresses can be tallied.

The Orchard incident is different.

According to Shielded Labs, the vulnerability could be used to generate unlimited and undetectable counterfeit ZEC within Orchard. Due to Orchard's inherent privacy properties, external parties cannot cryptographically prove whether this attack vector was exploited before the fix was applied.

This means the market is not facing a definite loss figure, but a hard-to-quantify uncertainty:

If someone discovered and exploited the vulnerability in the past, does counterfeit ZEC already exist within Orchard? If it exists, how much? Are these assets still sitting in the privacy pool? Have they gradually flowed out through normal transactions?

More importantly, this risk window didn't just start on May 29th. Shielded Labs stated that the vulnerability had existed since Orchard's launch in May 2022 until the emergency fix was completed in June 2026. In other words, the problem had been latent for nearly four years.

The market's real fear isn't what happened between May 29th and June 2nd, but whether abnormal activity that cannot be directly observed occurred during the past four years.

This is the core reason behind ZEC's drop of over 30%.

The market is not just selling off due to a bug; it's repricing the credibility of Zcash's supply.

How a Missing Math Constraint Evolved into an "Unlimited Minting" Risk

Upon hearing "unlimited minting vulnerability," our first thought might be that a hacker gained admin privileges or a protocol backdoor.

The reality is more fundamental.

Orchard's security relies on a set of zero-knowledge proof circuits (Orchard circuit). Users can hide transaction details but must prove to the network that their transactions comply with protocol rules. The most important rule is asset conservation: a transaction cannot create new value out of thin air.

Simply put, a user doesn't have to disclose how much ZEC they own or how much they sent to whom, but the network must be able to confirm that spent assets indeed come from legitimate inputs.

The issue Taylor found was in an elliptic curve multiplication check within the Orchard circuit.

Shielded Labs described it as an "under-constrained element." Because the relevant mathematical relationship wasn't fully constrained, an attacker could input arbitrary incorrect data into the elliptic curve multiplication process, yet the verification could still return a pass.

In other words, the attacker doesn't need to crack cryptographic algorithms or control network nodes.

They only need to construct a set of data that shouldn't be valid, tricking the system into believing the transaction still satisfies asset conservation.

Once this false proof is accepted by the network, non-existent ZEC can be treated as legitimate assets within Orchard.

This is why Shielded Labs used such strong language:

unlimited, undetectable counterfeit ZEC

The truly dangerous aspect isn't just "unlimited," but "undetectable."

Two Statements Mask an Important Distinction

In its announcement after completing the upgrade, the Zcash Foundation stated that there is currently no evidence the vulnerability was exploited, no unauthorized value creation was detected, and user funds and privacy were not affected. The announcement also emphasized that Zcash's existing Turnstile Accounting mechanism can track value flow between different pools and protect the 21 million ZEC total supply cap.

At the same time, Shielded Labs clearly stated that it's impossible to rely solely on cryptography to prove that Orchard has never contained counterfeit ZEC.

These two statements seem contradictory but actually address two different levels of the problem.

Zcash's existing Turnstile Accounting can be understood as a "gate" between different pools. The system can count how many legitimate assets have entered Orchard and limit the amount that can flow out.

Suppose Orchard originally held only 1 million legitimate ZEC. Even if an attacker forged more assets internally, the system would not allow more than the legitimate amount to flow out. This prevents the entire Zcash network's total supply cap from being easily breached.

However, this mechanism cannot directly prove that counterfeit coins never existed within Orchard.

If the forged assets remain stuck in Orchard or gradually replace real assets within the limit of legitimate outflows, the existing accounting mechanism might not provide a definitive historical conclusion.

Regarding this project, arguably the oldest in crypto focused on privacy, all we know is that no evidence of abnormal minting has been found, yet the community cannot directly prove that forged assets never existed within Orchard.

This is the type of risk the market finds hardest to handle.

The problem isn't how many counterfeit coins were found, but that no one can definitively confirm they never existed.

How Can Zcash Prove There Are No Counterfeit Coins in Orchard?

Fixing the bug is only the first step.

Shielded Labs has stated they are working with other Zcash developers on a new network upgrade proposal. The plan involves deploying a new privacy pool and enforcing Turnstile Accounting for all assets migrated from Orchard.

This is akin to setting up a new migration gate for Orchard.

Assets in the old Orchard that want to enter the new privacy pool must be migrated according to verifiable rules. The system can re-tally the scale of legitimate outflows and determine if any extra ZEC exists that cannot be properly migrated.

If the upgrade is completed smoothly, anyone can verify the integrity of Zcash's supply and further prove that no counterfeit assets exist in Orchard.
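
The gate behaviour described in the last two sections, as a toy model added here (it is not Zcash or Shielded Labs code): a public pool balance that may never go negative, run over a constructed honest pool and a constructed pool holding forged claims. The class names, the amounts and the `scenario` helper are assumptions made for illustration.

```python
from dataclasses import dataclass

class TurnstileViolation(Exception):
    """A withdrawal would push the pool's public balance below zero."""

@dataclass
class PoolTurnstile:
    balance: int = 0  # net value that publicly entered the pool

    def deposit(self, amount: int) -> None:
        self.balance += amount

    def withdraw(self, amount: int) -> None:
        # The gate only compares totals; it never sees notes inside the pool.
        if amount > self.balance:
            raise TurnstileViolation(f"{amount} requested, {self.balance} available")
        self.balance -= amount

def migrate(gate: PoolTurnstile, claims: list[int]) -> tuple[int, int]:
    """Push every hidden claim through the gate; return (migrated, refused)."""
    migrated = refused = 0
    for amount in claims:
        try:
            gate.withdraw(amount)
            migrated += amount
        except TurnstileViolation:
            refused += amount
    return migrated, refused

def scenario(counterfeit: int) -> dict:
    """Constructed data: 1,000,000 units enter legitimately, `counterfeit`
    extra units are claimed inside the pool, 400,000 leave in normal use,
    then every remaining claim tries to migrate to a new pool."""
    gate = PoolTurnstile()
    gate.deposit(1_000_000)
    gate.withdraw(400_000)
    public_before = gate.balance  # all that an outside observer can see
    claims = [300_000, 300_000] + ([counterfeit] if counterfeit else [])
    migrated, refused = migrate(gate, claims)
    # refused > 0 reveals that claims exceed legitimate inflow; the gate
    # cannot tell which of the claims was the forged one.
    return {"public_before": public_before, "migrated": migrated,
            "refused": refused, "left_in_gate": gate.balance}

if __name__ == "__main__":
    print("honest pool:    ", scenario(0))
    print("250,000 forged: ", scenario(250_000))
```

Both scenarios show the same public balance before migration, which is why the existing accounting cannot settle the historical question; only the forced migration surfaces the shortfall.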

The significance of this plan goes beyond just fixing code; it's about rebuilding market trust in Orchard.

Because in a privacy system, trust shouldn't stem from "we believe no attack occurred," but from "anyone can verify no attack occurred."

Shielded Labs itself acknowledges that the probability of malicious exploitation was low. The vulnerability was hidden for years, making it extremely difficult to discover. Taylor was actively looking for these specific issues during a dedicated security research project. After disclosure, the ecosystem quickly shut the attack window within days.

But Shielded Labs also emphasizes that users should not rely solely on developers' subjective judgment.

What the market needs is proof.

Why Was a Four-Year-Old Vulnerability Discovered Now?

There's another detail in the Orchard incident that the market might overlook.

On May 28th, Anthropic released Claude Opus 4.8.

One day later, Taylor discovered the Orchard vulnerability.

According to postmortems by Zooko and Shielded Labs, shortly after Opus 4.8's release, Taylor used it for a highly targeted review of the Orchard circuit and found the problem on May 29th. Subsequently, with the help of Opus 4.8, he wrote the complete exploit program and generated unlimited, undetectable counterfeit ZEC in a local environment.

This detail is noteworthy not because AI can now independently conduct cryptographic audits.

Public information does not support such an exaggerated conclusion.

Taylor himself is an experienced security researcher. Shielded Labs also mentioned he used a combination of traditional security research methods, customized AI tool frameworks, and specially designed prompts. Opus 4.8 was an important tool in the review process, but not the only factor.

What's truly noteworthy is that Taylor didn't use Anthropic's specially restricted Claude Mythos Preview, designed for cybersecurity scenarios, but the just-released general-purpose model Opus 4.8.

Anthropic positions Mythos Preview as a frontier model with significant vulnerability discovery and exploitation capabilities. Due to potential abuse risks, Anthropic didn't open it to the public directly but provided access through Project Glasswing to selected partners.

In contrast, Opus 4.8 is a general-purpose model accessible to ordinary developers. In its release notes, Anthropic highlighted improvements in code analysis, complex task execution, and identifying code defects.

This is why the Orchard incident sends an even more important signal:

The ability to discover high-value vulnerabilities is spreading from specialized security models to general-purpose ones.

A general-purpose model released just one day earlier, guided by a professional researcher, was already capable of participating in reviews of complex zero-knowledge proof circuits and helping uncover a critical vulnerability hidden for nearly four years.

This doesn't mean cryptography experts are no longer important.

On the contrary, Taylor's experience, choice of review targets, and ability to validate model outputs remain core to the entire process.

But the combination of expert and AI is significantly lowering the cost of discovering complex vulnerabilities.

The Vulnerability is Closed, But the Market Awaits Answers

For Zcash, the most urgent attack window is closed.

Orchard functionality is restored, the verification circuit is updated, and there is currently no evidence the vulnerability was maliciously exploited.

But ZEC's drop of over 30% shows that the market cares about more than just whether the code is fixed.

The market is still waiting for a more definitive answer:

Over the past nearly four years, did counterfeit ZEC ever exist inside Orchard?

If the new privacy pool and Turnstile Accounting upgrade are successfully implemented, the community will eventually have an opportunity to prove supply integrity and re-establish market trust.

But until that proof is complete, the Orchard incident leaves a lingering suspense that cannot be easily dismissed:

Did the counterfeit ZEC that could in theory be created without limit never exist, or was it hidden where no one could directly see it?
