Zcash plummets 30% as Shielded Labs reveals a major bug that went undetected for four years
Shielded Labs revealed that the bug could have helped an attacker print unlimited counterfeit tokens. That could have damaged trust in the token's supply and its value.
By Omkar Godbole, AI Boost Jun 5, 2026, 5:43 a.m. 3 min readMake preferred on
What to know:
- Shielded Labs disclosed a critical bug in its Zcash's Orchard privacy pool that could have allowed unlimited, undetectable counterfeit tokens.
- The vulnerability, present since Orchard’s activation in May 2022, was discovered on May 29 by security engineer Taylor Hornby using Anthropic’s Opus 4.8 AI model and was patched in an emergency fix by June 1.
- Shielded Labs says there is no cryptographic way to know whether the flaw was exploited before the fix, and is proposing a network upgrade with new accounting measures and expanded security efforts to restore confidence in ZEC’s supply integrity.
Privacy-focused zcash (ZEC) has taken a beating in the past 24 hours, falling roughly 30% to $400 amid broader market weakness. The selling accelerated after Shielded Labs, a nonprofit Zcash developer, disclosed a critical vulnerability in the blockchain's Orchard privacy pool that could have threatened the integrity of the token's supply.
Late Thursday, Shielded Labs published a detailed disclosure on X, revealing a vulnerability that, if exploited, could have allowed an attacker to create an unlimited number of counterfeit ZEC tokens, completely undetected. Think of it as someone secretly gaining access to the Federal Reserve's dollar printing press, except in this case, even the Fed wouldn't be able to tell these extra dollars were printed.
The vulnerability was discovered on May 29 by Taylor Hornby, a security engineer engaged by Shielded Labs in April 2026 specifically to identify protocol vulnerabilities before malicious actors could. Working with Anthropic's recently released Opus 4.8 AI model, Hornby conducted a highly targeted review of the Orchard circuit, which is the cryptographic system underpinning Zcash's most advanced privacy pool.
Shielded Labs said Hornby wrote a complete exploit which, when tested in a local testing environment, generated unlimited, undetectable counterfeit ZEC. Shielded Labs added that if the same tool had been run on Zcash mainnet, it would have generated unlimited, undetectable counterfeit tokens in his mainnet wallet.
Imagine an attacker quietly printing unlimited counterfeit ZEC and holding them undetected. The damage to trust in the supply and, by extension, the token's market value could have been severe.
Hornby immediately disclosed the vulnerability to the Zcash Open Development Lab (ZODL), which coordinated an emergency fix on June 1, closing it within days of discovery.
Bug undetected for four years
Still, what appears to be a proactive approach to fixing bugs has not impressed markets. That's possibly because, as Shielded Labs itself admitted, the bug had been present since Orchard's activation in May 2022. In other words, it existed, undetected, for four years.
What makes the situation even more complex for markets is Shielded Labs' acknowledgement that it cannot say for sure whether the bug was exploited before the fix.
"What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine using only cryptography whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty," the firm said.
Still, it stressed that exploitation likely didn't happen for several reasons. First, the bug had evaded years of scrutiny by experienced cryptographers. It came to light only with the help of cutting-edge AI tools and highly skilled researchers working deliberately to find it. And once discovered, it was fixed quickly, leaving little time for anyone to exploit it.
"We think he probably succeeded," Shilded Labs said of Hornby's efforts to find the vulnerability before malicious actors could.
However, the organization was careful to add that users should not rely solely on their assessment and proposed a network upgrade that would allow anyone to verify the integrity of the ZEC supply independently. The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool. The firm said it could publish a detailed post on the same next week.
It also said it is accelerating security efforts, including continued work with Hornby, a formal verification project aimed at writing a mathematical proof that there are no undiscovered bugs in the Orchard circuit, and new hires for a Head of Security and a Cryptographer.
PrivacyAI Disclaimer: Parts of this article were generated with the assistance from AI tools and reviewed by our editorial team to ensure accuracy and adherence to our standards. For more information, see CoinDesk's full AI Policy.More For You
'Dr. Doom'-backed Atlas Capital CEO says bitcoin could crash 70% before reaching $500,000
By Olivier Acuna|Edited by Aoyon Ashraf11 hours ago
Backed by economist Nouriel Roubini, a long-time anti-bitcoin advocate, and known as 'Dr. Doom,' the Atlas CEO, Reza Bundy, shot a short-term warning for bitcoin but stayed bullish in the long-term.
What to know:
- Reza Bundy, CEO of investment advisory firm Atlas Capital, warns that bitcoin could see a drawdown of up to 70% within six months, especially if equities suffer a major decline.
- Despite echoing Nouriel Roubini’s near-term bearishness, Bundy projects a long-term price range of $150,000 to $500,000 depending on global economic...
Crypto Clarity Act in spotlight for bad-actor provisions as Senate process grinds forward
10 hours ago
OCC chief says Democrats applying sole political pressure in World Liberty charter choice
11 hours ago
'Dr. Doom'-backed Atlas Capital CEO says bitcoin could crash 70% before reaching $500,000
11 hours ago
Hyperliquid pulls back from record highs as Arthur Hayes exits position shy of $150 price target
14 hours ago
Crypto for Advisors: The crypto due diligence questions you forgot to ask
15 hours ago
Why tokenization is an ETF-style market structure revolution
15 hours agoTop Stories
Bitcoin bounces, HYPE falls, NEAR gets demolished as crypto deals with a wipe out
17 hours ago
Not all Ethereum layer 2s are dying, but many general-purpose chains no longer have a reason to exist
16 hours ago
Strategy's Saylor's explanation for bitcoin's slide isn't what bears think
17 hours ago
This bitcoin metric has marked every bear market bottom, and it's just flashed again
19 hours ago
Cardano slumps under 20 cents as Hoskinson says he is 'taking a break' after warning of ecosystem failures
22 hours ago
