Infinite Minting Vulnerability Discovered in Zcash Orchard Pool, ZEC Drops 31% in Single Day
Miles Bennett
A security researcher discovered a critical flaw in Zcash's privacy pool that could mint unlimited fake tokens. ZEC plunged 31% in 24 hours to $409.64 — a bug hidden for three years is shaking confidence in privacy-coin security.
What could this bug actually do?
Zcash's Orchard pool is a privacy transaction pool — a system letting users send and receive ZEC with full zero-knowledge privacy. The flaw sat inside the pool's zero-knowledge proof circuit.
In plain terms = the proof is supposed to verify "you really own these coins." But an under-constrained element in the circuit let an attacker feed fake data into the elliptic-curve multiplication step and still pass verification.
This means → an attacker could theoretically mint unlimited counterfeit ZEC out of thin air — and because of the pool's privacy design, it would be invisible on-chain.
How was it found?
Shielded Labs, an independent Zcash support organization, commissioned security researcher Taylor Hornby in April to audit the protocol. Hornby combined AI-assisted analysis with traditional security methods.
On May 29, Hornby pinpointed the flaw using Anthropic's newly released Opus 4.8 model and wrote a full exploit — successfully generating unlimited, undetectable counterfeit ZEC in a local test environment.
The bug had existed since Orchard's activation in May 2022 — lurking for over three years, unnoticed by the world's top cryptographers.
Has anyone already exploited it?
Because of Orchard's privacy design, there is no way to confirm whether the bug was exploited before discovery.
Shielded Labs said it is "not overly concerned," reasoning that the flaw stayed under the radar for its entire lifespan.
This reflects a fundamental tension in privacy coins: the stronger the privacy, the harder the supply audit — you cannot use on-chain data to prove "nobody cheated."
Is it fixed? How did the market react?
The bug was patched on June 1 — three days from discovery to fix.
The market reaction was severe: ZEC fell 31% within 24 hours of the disclosure, dropping to $409.64, with most of the decline compressed into the first five hours after the announcement.
This means → the market is pricing not just "the bug itself" but the trust shock of "three years and nobody caught it."
What happens next?
Shielded Labs is working on a network upgrade proposal that would let anyone verify Zcash's supply integrity and prove no counterfeit ZEC exists in the Orchard pool.
The proposal also includes deploying a new privacy pool and running a "turnstile" accounting pass on all tokens in Orchard. In plain terms = a full inventory of every existing coin, confirming each one is genuine.
Whether Zcash can deliver a verifiable supply proof through technical means will be the key milestone for rebuilding market confidence.
Content is for reference only, not financial advice.