Zcash Orchard pool fixes forgery vulnerability after four years; unable to confirm whether it has been exploited


Zcash Orchard forgery vulnerability

Zcash founder Zooko Wilcox disclosed on X on June 5 that security researcher Taylor Hornby found a severe forgery vulnerability in the Zcash Orchard pool on May 29 that allows unlimited minting of ZEC, with the fix completed on June 2. Due to Orchard’s privacy properties, it’s not possible to determine cryptographically whether the vulnerability had already been exploited before it was patched.

Vulnerability technical details: Opus 4.8 aided discovery of insufficient elliptic curve multiplication constraints

Shielded Labs hired Taylor Hornby in April 2026 to conduct ongoing security research on the Zcash protocol. Shortly after the Anthropic Opus 4.8 model was released, Hornby used it for targeted testing of the Orchard circuits on May 28 and discovered the vulnerability on May 29.

Root cause: The Orchard circuits contain a constraint-deficient component that allows arbitrary incorrect values to be supplied during elliptic curve multiplication operations while the multiplication check still passes. With the help of Opus 4.8, Hornby wrote a complete exploit program that, in a local regtest environment, generated unlimited forged ZEC that could not be detected. Zooko confirmed that running the same tool against the Zcash mainnet would generate unlimited, undetectable forged ZEC in mainnet wallets.
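The article describes the bug class but not the circuit itself, so the following is an added toy illustration, not Zcash code and not a model of the Orchard gadget: a prime-field `is_zero` gadget over a small constructed field (`P = 11`, chosen so the search is exhaustive) in a correctly constrained and a constraint-deficient form. The exhaustive check `under_constrained_inputs` is the kind of output-uniqueness (determinism) property that a circuit audit or formal verification effort establishes: for a sound gadget, every public input admits exactly one output, whatever witness values the prover supplies.

```python
# Toy model of an under-constrained zero-knowledge gadget (constructed example).
# The honest "is_zero" gadget outputs 1 when x == 0 and 0 otherwise, using an
# auxiliary witness `inv` (the inverse of x when x != 0). Two constraints pin it down:
#   (1) x * inv == 1 - out
#   (2) x * out == 0
# If constraint (2) is forgotten, the remaining constraint can be satisfied with
# a wrong `out` by choosing a suitable `inv`, so the gadget no longer proves anything.

P = 11  # small prime field so the witness search below is exhaustive (toy parameter)


def honest_is_zero(x: int) -> int:
    """Reference computation the gadget is supposed to enforce."""
    return 1 if x % P == 0 else 0


def constraints_full(x: int, inv: int, out: int) -> bool:
    """Correctly constrained gadget: both relations must hold in the field."""
    return (x * inv - (1 - out)) % P == 0 and (x * out) % P == 0


def constraints_missing(x: int, inv: int, out: int) -> bool:
    """Constraint-deficient variant: relation (2) omitted."""
    return (x * inv - (1 - out)) % P == 0


def admissible_outputs(check, x: int) -> set:
    """Every output value for which SOME witness satisfies the gadget.

    A sound gadget admits exactly one output per public input; any extra value
    here is a forgery the verifier would accept."""
    outs = set()
    for inv in range(P):
        for out in range(P):
            if check(x % P, inv, out):
                outs.add(out)
    return outs


def under_constrained_inputs(check) -> list:
    """Public inputs whose output is not uniquely determined by the constraints.

    This is the determinism property a circuit audit or formal proof establishes;
    an empty list means the gadget is sound over the whole (toy) field."""
    return [x for x in range(P) if len(admissible_outputs(check, x)) != 1]


if __name__ == "__main__":
    print("full gadget, ambiguous inputs:   ", under_constrained_inputs(constraints_full))
    print("missing (2), ambiguous inputs:   ", under_constrained_inputs(constraints_missing))
    print("outputs accepted for x=3, missing:", sorted(admissible_outputs(constraints_missing, 3)))
```

With the second constraint dropped, every non-zero input accepts every possible output, because `inv` can always be chosen to satisfy relation (1) on its own. The same determinism check scales to real circuits only through symbolic or SMT-based tools rather than brute force, which is the gap the formal verification project described below is meant to close.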

Knowns and unknowns: fundamental cryptographic limitations

Based on Zooko’s public disclosure, there is an irreducible cryptographic uncertainty about whether the vulnerability has been exploited: Orchard’s privacy properties mean it is not possible to cryptographically confirm whether forged transactions occurred on the mainnet before the fix. Zooko’s low-probability assessment rests on three supporting observations: the vulnerability escaped scrutiny for years by the world’s top cryptographers; Hornby used the latest AI tools, available only to white-hat security researchers, together with a complex custom AI framework and prompting system; and ZODL executed the fix quickly after the vulnerability was found, greatly shortening the window for attacks.

Next steps: network upgrade proposal and supply verification mechanism

Shielded Labs is working with other Zcash developers to explore a network upgrade proposal whose core design is deploying a new shielded pool and enforcing “turnstile accounting” for all tokens in the Orchard pool, with the goal of allowing anyone to verify Zcash supply integrity and prove that there is no forged ZEC in the Orchard pool. The detailed proposal is expected to be released next week. At the same time, Shielded Labs announced the start of a formal verification project for the Orchard circuits, aiming to write mathematical proofs to confirm that no undiscovered errors remain, and is recruiting a security lead and cryptographers.

FAQ

How does the “turnstile accounting” mechanism verify ZEC supply integrity?

According to Zooko’s disclosure, Shielded Labs plans to enable this by deploying a new shielded pool and requiring that all tokens in the Orchard pool pass through this turnstile accounting process, so that external observers can verify whether the amount of ZEC in circulation matches expectations. The specific technical design and trade-offs will be explained in detail in a follow-up article next week. The proposal still needs to pass Zcash’s standard governance process before it can be officially activated.
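The page states the goal of turnstile accounting but not its mechanics, so the following is an added model, not Shielded Labs’ design and not Zcash code. It assumes the principle behind a turnstile: every unit of value entering a pool is publicly counted, so the pool’s running accounted balance must never go negative, and any withdrawal beyond what ever entered can only have been minted inside the pool. The two flow sequences are constructed sample data; the column names and the mapping to the actual upgrade proposal are assumptions.

```python
# Added model of turnstile-style value accounting for a shielded pool (constructed).
# Each block contributes a public net "value balance" for the pool: positive when
# accountable funds enter, negative when funds leave. Privacy hides who holds what
# inside the pool, but the net flow across the turnstile is visible to everyone,
# so an observer can bound how much value the pool can legitimately pay out.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PoolFlow:
    """Net value crossing the turnstile in one block (model, not a Zcash type)."""
    height: int
    value_balance: int  # zatoshi; + entering the pool, - leaving it


def pool_balance_history(flows: Iterable[PoolFlow]) -> List[Tuple[int, int]]:
    """Running accounted value of the pool, block by block, in height order."""
    balance = 0
    history = []
    for flow in sorted(flows, key=lambda f: f.height):
        balance += flow.value_balance
        history.append((flow.height, balance))
    return history


def first_violation(flows: Iterable[PoolFlow]) -> Optional[int]:
    """Height at which more value has left the pool than ever entered it, or None.

    A negative accounted balance is proof of forgery without revealing any
    individual transaction: legitimate withdrawals can never exceed deposits."""
    for height, balance in pool_balance_history(flows):
        if balance < 0:
            return height
    return None


def forged_amount_withdrawn(flows: Iterable[PoolFlow]) -> int:
    """Lower bound on forged value that has already exited the pool.

    Value minted inside the pool but not yet withdrawn is invisible to this
    check, which is why the proposal requires ALL Orchard tokens to cross the
    turnstile: once every coin must exit, the bound becomes exact."""
    balances = [b for _, b in pool_balance_history(flows)]
    if not balances:
        return 0
    return max(0, -min(balances))


# Constructed sample flows: the honest chain withdraws exactly what went in;
# the second chain pays out 300 zatoshi more than ever entered the pool.
HONEST_FLOWS = [PoolFlow(1, 500), PoolFlow(2, 300), PoolFlow(3, -200), PoolFlow(4, -600)]
FORGED_FLOWS = [PoolFlow(1, 500), PoolFlow(2, 300), PoolFlow(3, -200), PoolFlow(4, -900)]


if __name__ == "__main__":
    for name, flows in (("honest", HONEST_FLOWS), ("forged", FORGED_FLOWS)):
        print(name, pool_balance_history(flows),
              "violation at:", first_violation(flows),
              "forged withdrawn >=", forged_amount_withdrawn(flows))
```

The check is deliberately blind to everything inside the pool; it only needs the public net flow per block, which is what makes supply verification possible without sacrificing the pool’s privacy. Its limitation is equally clear from the code: forged value that stays inside the pool is never counted, so a bound becomes a proof of integrity only when every token is forced through the turnstile, as the article says the proposal intends.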

What specific role did Anthropic Opus 4.8 play in this vulnerability discovery?

Shortly after Anthropic Opus 4.8 was released, Hornby used it for targeted testing of the Orchard circuits and also used the model to help write a complete exploit program. Zooko noted that Hornby used “the latest AI tools that only white-hat security researchers can use” along with a sophisticated custom AI framework, and that this approach was the key factor in finding the vulnerability before attackers did.

What is the practical impact of this vulnerability on current ZEC holders?

According to Zooko’s disclosure, the vulnerability was fully patched on June 2, 2026, and existing ZEC holders’ assets are not directly affected at the cryptographic level. The main uncertainty is whether forged ZEC was already in circulation undetected before the patch; this cannot be confirmed through cryptography at present, and verification will have to wait until Shielded Labs’ network upgrade proposal is deployed and the turnstile accounting mechanism can be applied.
