Four Questions on the Zcash Orchard Vulnerability: Was It Exploited? Can Funds Be Recovered? Can the Supply Be Verified? Is There Anything Else?
- Key Point: Zcash founder Zooko Wilcox responds to the Orchard vulnerability incident, stating that the vulnerability was probably not exploited, though this cannot be ruled out completely. Legitimate Orchard funds can be recovered, but users currently cannot independently verify whether the ZEC supply has been inflated; the proposed Ironwood upgrade would seal the Orchard pool and restore that verification capability.
- Key Elements:
- Three reasons the vulnerability was probably not exploited: it went undiscovered through years of review by top cryptographers and was found only by deliberate, tool-assisted research into subtle flaws; once found, the development team quickly froze the Orchard pool and deployed a fix; attackers typically cash out immediately after an exploit, and no evidence of forged ZEC leaving the pool has emerged.
- Legitimate funds can be recovered: if no forgery occurred, all legitimate Orchard funds remain recoverable; users should note that moving funds to the transparent pool or the Sapling pool reveals the amount and timing of the transfer and introduces additional risks.
- Verification capability restored: the Ironwood upgrade seals the Orchard pool so that no new funds can enter and existing funds can only leave through the turnstile mechanism, which caps withdrawals at the amount that legitimately entered; this restores users' ability to independently verify the soundness of the ZEC supply.
- Ongoing audit results: as of now, no other counterfeiting vulnerabilities have been found; the review involved top-level experts and AI-assisted analysis, increasing confidence that no similar vulnerabilities remain.
Original authors: Jason McGee (CEO of Shielded Labs) and Zcash founder Zooko Wilcox
Compiled by Odaily's Qin Xiaofeng (@QinXiaofeng888)

Editor's Note: On June 5, Beijing time, it was revealed that Orchard, the next-generation shielded pool of the privacy project Zcash, had a critical counterfeiting vulnerability. The Zcash token ZEC halved in value, dropping to around $250. After more than ten days, market panic has subsided somewhat and the ZEC price has recovered, returning to $500 today. (Recommended reading: "A Vulnerability Lurking for Four Years Enables 'Unlimited Minting,' Privacy Coin ZEC Halves in a Day")
This morning, Zcash founder Zooko Wilcox published another lengthy post addressing market concerns. He stated that the Orchard vulnerability was probably not exploited and that legitimate Orchard funds can be recovered. At present, users cannot independently verify whether the Zcash supply has been inflated, but the Ironwood upgrade would seal the Orchard pool and restore that verification capability. Ongoing reviews have found no other counterfeiting vulnerabilities, but more work is needed for complete certainty.
The following is the original text from Zooko Wilcox, compiled by Odaily. Enjoy.
————————————
The recent Orchard vulnerability has raised important questions about the Zcash supply and the safety of user funds. The discussion mixes several distinct issues, making it difficult to understand the actual impact on users. This post aims to separate these questions and explain their implications for users one by one.
The Orchard vulnerability brings up four important questions:
- Was the Orchard vulnerability ever exploited?
- Can legitimate Orchard funds be recovered?
- Can users verify that the Zcash supply hasn't been inflated?
- How do we know there aren't other counterfeiting vulnerabilities?
Was the Orchard vulnerability ever exploited?
Unknown. We believe it is unlikely to have been exploited, though we cannot completely rule it out. We believe the vulnerability was probably not exploited for three reasons:
Despite continuous review by many of the world's top cryptographers and security researchers over the years, the vulnerability was previously undiscovered. Its eventual discovery was not accidental; it was found by Taylor Hornby of Shielded Labs, whose goal is to proactively identify such security flaws before a malicious attacker can exploit them. Taylor used advanced AI-assisted security research techniques and custom-built tools specifically designed to find subtle defects missed by others, which is even more difficult for those not deeply familiar with the Zcash codebase.
Once the vulnerability was discovered, Zcash developers (led by the Zcash Open Development Labs team) quickly coordinated with mining pools to temporarily freeze the Orchard pool and deploy a fix, thereby limiting any window of opportunity for attack.
Cryptocurrency exploits are common, and attackers typically try to cash out as quickly as possible, especially after the vulnerability is made public. To profit from this vulnerability, an attacker would need to exchange the forged ZEC for valuable assets, usually resulting in ZEC leaving the Orchard pool via the turnstile mechanism. If the vulnerability had been exploited before the fix, we would expect to see evidence by now. Historically, cryptocurrency exploits are typically "grab-and-go" operations rather than strategies like "4D chess" that hide for months or even years.
Can legitimate Orchard funds be recovered?
We believe so, because we believe the vulnerability was never exploited. If this assessment is correct, all legitimate Orchard funds remain fully recoverable.

On the other hand, if counterfeiting did occur in Orchard, the existing turnstile mechanism limits the total amount that can be migrated to the amount of ZEC that legitimately entered the pool. Therefore, if forged funds were migrated before legitimate funds, users would be unable to recover some or all of their legitimate Orchard funds.

We believe this scenario is unlikely. However, for more cautious users, moving their ZEC out of Orchard is still recommended. But before doing so, they should be aware of the following:
- Moving funds to a transparent pool (i.e., to a t-address) reveals both the transfer amount and time, and these funds become publicly linked to that t-address.
- Moving funds from the Orchard pool to the Sapling pool reveals the transfer amount and time, but unlike moving to a t-address, it does not link these funds to a specific address or transaction history.
- The Sapling pool relies on a trusted setup ceremony conducted in 2018. Depending on the security of this trusted setup is an additional risk users should consider.
- To our knowledge, YWallet and Zkool are currently the only widely used self-custodial Zcash wallets supporting the Sapling pool.
- Transferring funds to a new wallet or custodial service introduces additional risks, including user error, software bugs, custodian risk, or other unforeseen issues.
Overall, we consider these risks to be moderate. If your funds are currently in a shielded self-custodial wallet, keeping them there is a reasonable choice, given our assessment that prior counterfeiting is unlikely. Moving them elsewhere may also be reasonable if you have a secure way to do so. Users may reach different conclusions based on their own circumstances.
Can users verify that the Zcash supply hasn't been inflated?
Not currently. The previous existence of this vulnerability prevented users from independently verifying that the amount of ZEC circulating in shielded pools does not exceed the correct amount.

However, as we pointed out in a previous post, the Ironwood upgrade restores this capability. The diagram below explains why.

The proposed network upgrade addresses this issue by increasing the assurance that "no more unknown counterfeiting vulnerabilities exist" and by sealing the Orchard pool. New funds can no longer enter, and funds within the pool can no longer circulate. The only remaining path is to leave via the existing turnstile mechanism, which ensures that no more ZEC can leave the Orchard pool than what legitimately entered.
This change restores the ability to verify the soundness of the Zcash supply.
Currently, if counterfeit funds exist within the Orchard pool, they could continue to circulate inside it. After the upgrade, this will no longer be possible. Regardless of whether counterfeiting occurred or not, anyone running a node can verify that the amount of ZEC in circulation does not exceed the correct amount.
Users do not need to wait for funds to move out of Orchard or speculate on the potential actions of attackers or other users. The protocol itself provides a verifiable guarantee: excess ZEC cannot continue to circulate within Orchard and inflate the supply.
This is important because Zcash's long-term credibility depends on users being able to independently verify the soundness of its supply. Ironwood restores the user's ability to independently verify that the protocol's supply limit is enforced.
How do we know there aren't other counterfeiting vulnerabilities?
We cannot be completely certain yet, but we have reasons to believe no others exist. Shielded Labs and several other teams have been diligently reviewing the Zcash protocol for other counterfeiting vulnerabilities. This includes using the unreleased Mythos AI model, with assistance from Anthropic, shortly before Mythos was paused, to search for additional vulnerabilities. We plan to share more details about this review and its findings in a subsequent blog post.
So far, no other counterfeiting vulnerabilities have been discovered. The high level of expertise, effort, and advanced AI-assisted analysis involved in this search gives us greater confidence that no similar vulnerabilities remain undiscovered.
Furthermore, we are working with projects like the Tachyon Project to provide additional assurance that no more counterfeiting vulnerabilities exist in Zcash. We will elaborate on this in future blog posts as well.
Conclusion
The Orchard vulnerability raises four important questions: Was the vulnerability exploited, can legitimate Orchard funds be recovered, can users verify that the Zcash supply hasn't been inflated, and do other undiscovered counterfeiting vulnerabilities exist?
We believe prior exploitation is unlikely, so legitimate Orchard funds can be recovered, and the current Zcash supply is secure. Based on the ongoing review by multiple independent researchers and teams, we are also increasingly confident that no other undiscovered counterfeiting vulnerabilities exist. However, users currently cannot verify the safety of the Zcash supply, and they should not have to rely on our assessment—or anyone else's.
The proposed network upgrade addresses this problem. By sealing the Orchard pool, it restores users' ability to independently verify the security of the Zcash supply. Users no longer need to determine whether counterfeiting occurred to verify that the protocol's supply limit is being respected.
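The turnstile rule that the post relies on in both "Can legitimate Orchard funds be recovered?" and "Can users verify that the Zcash supply hasn't been inflated?" can be made concrete with a small ledger model. The following Python is an added example and is not part of Zooko's post or of Zcash's code: it assumes a simplified rule in which a node sees only each transaction's net value balance for the pool (positive means value leaves the pool, negative means value enters, zero means a purely internal transfer), requires the pool's running balance of entries minus exits to stay non-negative, and treats a "sealed" pool as one that additionally rejects entries and internal transfers. The transaction labels and amounts are constructed for the two scenarios the post describes.

```python
"""Toy model of a shielded-pool turnstile (added example, not Zcash's code).

Assumptions (simplifications of the real consensus rules):
- A validating node never sees note values inside the pool, only each
  transaction's net value balance for that pool.
- The pool's chain value balance (entries minus exits) must never go
  negative; that is the turnstile.
- A sealed pool additionally rejects entries and internal transfers,
  so the only thing left to do with it is exit.
"""
from dataclasses import dataclass
from typing import List, Tuple

ZAT = 100_000_000  # zatoshi per ZEC


@dataclass
class Tx:
    txid: str           # constructed label, not a real transaction id
    value_balance: int  # net zatoshi leaving the pool: +exit, -entry, 0 internal


@dataclass
class ShieldedPool:
    name: str
    sealed: bool = False
    chain_value_balance: int = 0  # entries minus exits so far, in zatoshi

    def validate(self, tx: Tx) -> Tuple[bool, str]:
        if self.sealed and tx.value_balance <= 0:
            return False, "rejected: pool is sealed, only net exits are allowed"
        if self.chain_value_balance - tx.value_balance < 0:
            return False, "rejected: turnstile, exit exceeds value that entered"
        return True, "accepted"

    def apply(self, tx: Tx) -> Tuple[str, bool, str]:
        ok, reason = self.validate(tx)
        if ok:
            self.chain_value_balance -= tx.value_balance
        return tx.txid, ok, reason


def replay(pool: ShieldedPool, txs: List[Tx]) -> List[Tuple[str, bool, str]]:
    """Validate transactions in order against the pool, as a node would."""
    return [pool.apply(tx) for tx in txs]


def forgery_drains_pool() -> List[Tuple[str, bool, str]]:
    """Constructed scenario: forged value is migrated out before legitimate value."""
    pool = ShieldedPool("orchard")
    txs = [
        Tx("alice-deposits-10", -10 * ZAT),
        # A note forged through a soundness bug is created entirely inside
        # the pool: its net value balance is zero, so the node cannot tell
        # it apart from an honest shielded-to-shielded transfer.
        Tx("forger-mints-10-internally", 0),
        Tx("forger-exits-10", 10 * ZAT),
        # The turnstile now blocks Alice even though her ZEC was legitimate.
        Tx("alice-exits-10", 10 * ZAT),
    ]
    return replay(pool, txs)


def sealed_pool_bounds_exits() -> List[Tuple[str, bool, str]]:
    """Constructed scenario: a sealed pool that 10 ZEC legitimately entered."""
    pool = ShieldedPool("orchard", sealed=True, chain_value_balance=10 * ZAT)
    txs = [
        Tx("late-deposit-1", -1 * ZAT),   # no new value may enter
        Tx("internal-transfer", 0),       # no circulation inside the pool
        Tx("exit-4", 4 * ZAT),            # fine: 6 ZEC of headroom remain
        Tx("exit-7", 7 * ZAT),            # would push the balance below zero
        Tx("exit-6", 6 * ZAT),            # drains the pool exactly to zero
    ]
    return replay(pool, txs)


if __name__ == "__main__":
    for scenario in (forgery_drains_pool, sealed_pool_bounds_exits):
        print(scenario.__name__)
        for txid, ok, reason in scenario():
            print(f"  {txid:30s} {reason}")
```

The first scenario is the post's "forged funds migrated before legitimate funds" case: the forged note is invisible to the node because it never crosses the turnstile, and only the later legitimate exit is refused. The second scenario is the sealed-pool case: once entries and internal transfers are refused, the total value that can ever leave is bounded by what entered, and a node enforcing that bound needs no knowledge of whether any of the notes inside were forged.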