Zcash token ZEC dropped sharply after developers disclosed a vulnerability in the Orchard shielded pool that could have allowed undetected counterfeiting of tokens. The flaw, present since 2022, was found on May 29 using an AI model and patched by June 1. No evidence of exploitation was found, though privacy features prevent cryptographic proof.
The vulnerability existed in Zcash's Orchard pool since its activation in May 2022. Security engineer Taylor Hornby discovered it on May 29 while using Anthropic's Opus 4.8 AI model during a targeted review. The bug could have permitted unlimited creation of counterfeit ZEC without detection. Zcash executed an emergency soft fork on June 2 at block 3,363,426 and a hard fork on June 3 at block 3,364,600 to address the issue. Shielded Labs stated there is no cryptographic method to confirm prior exploitation due to the pool's privacy design, though it believes none occurred. The disclosure triggered a price decline of 38 to 50 percent within 24 hours, reducing market capitalization by more than $5 billion. Investor Arthur Hayes sold his entire ZEC position after reassessing supply integrity concerns. Developers proposed a network upgrade with a new shielded pool and turnstile accounting to allow independent verification of supply. They also accelerated formal verification efforts and security hiring.
