Privacy-focused zcash (ZEC) has taken a beating in the past 24 hours, falling roughly 30% to $400 amid broader market weakness. The selling accelerated after Shielded Labs, a nonprofit Zcash developer, disclosed a critical vulnerability in the blockchain’s Orchard privacy pool that could have threatened the integrity of the token’s supply.
Late Thursday, Shielded Labs published a detailed disclosure on X, revealing a vulnerability that, if exploited, could have allowed an attacker to create an unlimited number of counterfeit ZEC tokens, completely undetected. Think of it as someone secretly gaining access to the Federal Reserve’s dollar printing press, except in this case, even the Fed wouldn’t be able to tell these extra dollars were printed.
The vulnerability was discovered on May 29 by Taylor Hornby, a security engineer engaged by Shielded Labs in April 2026 specifically to identify protocol vulnerabilities before malicious actors could. Working with Anthropic’s recently released Opus 4.8 AI model, Hornby conducted a highly targeted review of the Orchard circuit, which is the cryptographic system underpinning Zcash’s most advanced privacy pool.
Shielded Labs said Hornby wrote a complete exploit which, when tested in a local testing environment, generated unlimited, undetectable counterfeit ZEC. Shielded Labs added that if the same tool had been run on Zcash mainnet, it would have generated unlimited, undetectable counterfeit tokens in his mainnet wallet.
Imagine an attacker quietly printing unlimited counterfeit ZEC and holding them undetected. The damage to trust in the supply and, by extension, the token’s market value could have been severe.
Hornby immediately disclosed the vulnerability to the Zcash Open Development Lab (ZODL), which coordinated an emergency fix on June 1, closing it within days of discovery.
Bug undetected for four years
Still, what appears to be a proactive approach to fixing bugs has not impressed markets. That’s possibly because, as Shielded Labs itself admitted, the bug had been present since Orchard’s activation in May 2022. In other words, it existed, undetected, for four years.
What makes the situation even more complex for markets is Shielded Labs’ acknowledgement that it cannot say for sure whether the bug was exploited before the fix.
“What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine using only cryptography whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty,” the firm said.
Still, it stressed that exploitation likely didn’t happen for several reasons. First, the bug had evaded years of scrutiny by experienced cryptographers. It came to light only with the help of cutting-edge AI tools and highly skilled researchers working deliberately to find it. And once discovered, it was fixed quickly, leaving little time for anyone to exploit it.
“We think he probably succeeded,” Shilded Labs said of Hornby’s efforts to find the vulnerability before malicious actors could.
However, the organization was careful to add that users should not rely solely on their assessment and proposed a network upgrade that would allow anyone to verify the integrity of the ZEC supply independently. The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool. The firm said it could publish a detailed post on the same next week.
It also said it is accelerating security efforts, including continued work with Hornby, a formal verification project aimed at writing a mathematical proof that there are no undiscovered bugs in the Orchard circuit, and new hires for a Head of Security and a Cryptographer.
