Zcash says Orchard bug could have enabled undetectable counterfeit ZEC

Zcash developers have revealed that a critical vulnerability in the network's Orchard shielded pool could have allowed attackers to create unlimited counterfeit ZEC without detection. In a detailed post published June 5, Shielded Labs said the flaw existed from Orchard's activation in May 2022 until an emergency fix was deployed earlier this week. The disclosure significantly escalates the severity of what was initially described as a coordinated network upgrade affecting Orchard transactions. According to the report, the vulnerability could generate "unlimited, undetectable counterfeit ZEC" within the Orchard pool. Developers stressed that there is currently no evidence that the flaw was exploited before remediation. However, they also acknowledged there is "no definitive way to determine using only cryptography whether such exploitation occurred." Exploit reportedly worked in testing environment The vulnerability was discovered on May 29 by security researcher Taylor Hornby during an ongoing security review commissioned by Shielded Labs. According to the disclosure, Hornby successfully created a working exploit in a local testing environment that generated unlimited counterfeit ZEC. The flaw reportedly stemmed from an "under-constrained element" in the Orchard circuit that allowed arbitrary false inputs to pass elliptic-curve multiplication checks. Developers said the issue persisted for roughly four years before the emergency remediation was completed on June 2. The remediation was done through a coordinated ecosystem-wide response involving Zcash developers, infrastructure operators, and validators. Privacy protections created a verification problem One of the most serious implications of the vulnerability is that Zcash cannot cryptographically prove whether counterfeit coins entered circulation before the flaw was fixed. Because Orchard transactions are shielded by privacy-preserving cryptography, developers said there is no reliable way to independently verify whether the exploit was ever used on the live network. Shielded Labs said it believes prior exploitation was unlikely, partly because the vulnerability had eluded scrutiny by experienced cryptographers for years. It was only uncovered through a targeted security effort using advanced AI-assisted auditing tools. The company also said the exploit window narrowed significantly once the flaw was identified and disclosed internally. Still, the uncertainty surrounding supply integrity is likely to reignite long-running debates around hidden inflation risks in privacy-preserving cryptocurrency systems. AI-assisted auditing helped uncover the flaw The disclosure also highlights the growing role of artificial intelligence in advanced security research. Shielded Labs said Hornby used Anthropic's Opus 4.8 model alongside custom AI-assisted auditing techniques during the Orchard review. According to the report, the vulnerability was discovered shortly after the updated AI model was released on May 28. Zcash may pursue another network upgrade Shielded Labs said it is now exploring a follow-up network upgrade to verify the integrity of the Zcash supply and eliminate uncertainty about counterfeit ZEC. The proposal would involve deploying a new shielded pool and implementing "turnstile accounting" to verify coins moving out of Orchard. The organization said additional details on the proposal and its tradeoffs will be released next week. Concerns around hidden inflation risks in shielded systems have circulated in crypto communities for years.  In a 2025 post, Crypto Bitlord warned that compromising Zcash's shielded infrastructure could, in theory, enable unlimited undetected ZEC creation. Although the newly disclosed Orchard flaw involved a different technical mechanism. Final Summary Zcash developers revealed an Orchard vulnerability could have enabled unlimited undetectable counterfeit ZEC before an emergency fix was deployed. Developers said there is no cryptographic way to determine whether the flaw was exploited before remediation conclusively.