Zcash fixes critical bug allowing unlimited ZEC minting; unable to verify if exploited due to privacy pool features

Odaily reported that Taylor Hornby discovered a critical counterfeiting vulnerability in Zcash's Orchard pool on May 29, 2026. Taylor Hornby reported the vulnerability to the Zcash Open Development Lab, and the parties worked together to complete the fix on June 2. The vulnerability could potentially be exploited to secretly create an unlimited number of counterfeit ZEC within Zcash's Orchard. Due to the privacy features of Orchard, it is cryptographically impossible to prove whether the vulnerability was exploited before the fix.

The vulnerability existed since the activation of Orchard in May 2022 until an emergency fix was deployed on June 1, 2026. Taylor Hornby, with the assistance of AI tools, wrote a complete exploit program and generated unlimited, undetectable counterfeit ZEC in a local test environment. Currently, Shielded Labs is collaborating with other Zcash developers to explore network upgrade proposals that would allow anyone to verify the integrity of Zcash's supply.