Privacy-focused Zcash (ZEC) has taken a beating over the past 24 hours, falling around 30% to $400 amid broader market weakness. The sell-off accelerated after Shielded Labs, a non-profit developer of Zcash, disclosed a critical vulnerability in the blockchain’s Orchard privacy pool that could have threatened the integrity of the token supply.
On Thursday evening, Shielded Labs released a detailed disclosure on X, revealing a vulnerability that, if exploited, could have allowed an attacker to create an unlimited number of counterfeit ZEC tokens, without any detection. Think of it as someone secretly gaining access to the Federal Reserve’s printing press, except in this case even the Fed wouldn’t be able to tell that those extra dollars were printed.
The vulnerability was discovered on May 29 by Taylor Hornby, a security engineer hired by Shielded Labs in April 2026 specifically to identify protocol vulnerabilities before malicious actors could. Working with Anthropic’s recently released Opus 4.8 AI model, Hornby conducted a highly focused examination of the Orchard Circuit, which is the cryptosystem that underpins Zcash’s most advanced privacy pool.
Shielded Labs said Hornby wrote a comprehensive exploit that, when tested in a local test environment, generated an unrestricted, undetectable forgery of ZEC. Shielded Labs added that if the same tool had been run on the Zcash mainnet, it would have generated unlimited and undetectable counterfeit tokens in its mainnet wallet.
Imagine an attacker discreetly printing an unlimited number of counterfeit ZECs and storing them undetected. The damage to confidence in the supply and, by extension, the token’s market value could have been severe.
Hornby immediately disclosed the vulnerability to the Zcash Open Development Lab (ZODL), which coordinated an emergency patch on June 1, shutting it down within days of its discovery.
Bug not detected for four years
Yet what appears to be a proactive approach to fixing bugs has not impressed the markets. Perhaps that’s because, as Shielded Labs itself admitted, the bug had been present since Orchard was activated in May 2022. In other words, it had existed, undetected, for four years.
What makes the situation even more complex for the markets is the fact that Shielded Labs acknowledges that it cannot say with certainty whether the bug was exploited before the patch.
“What makes this particularly difficult is that due to Orchard’s privacy properties and the nature of the bug, there is no definitive way to determine, using cryptography alone, whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about this uncertainty,” the company said.
He nevertheless points out that the exploitation probably did not take place for several reasons. First, the bug had escaped years of scrutiny by experienced cryptographers. It was only discovered with the help of cutting-edge AI tools and highly skilled researchers deliberately working to find it. And once discovered, the problem was quickly fixed, leaving little time for anyone to exploit it.
“We think he probably succeeded,” Shilded Labs said of Hornby’s efforts to find the vulnerability before bad actors could.
However, the body was careful to add that users should not rely solely on their assessment and proposed a network upgrade that would allow anyone to independently verify the integrity of the ZEC’s supply. The proposal involves deploying a new shielded pool and applying turnstile accounting to all coins in the Orchard pool. The company said it may release a detailed article about it next week.
He also said he was accelerating security efforts, including continued work with Hornby, a formal verification project to write a mathematical proof that there are no undiscovered bugs in the Orchard circuit, and new hires for a security manager and a cryptographer.
