Zcash Plunges 30% to $400 After 4-Year Orchard Bug Exposes Unlimited Counterfeit-Token Risk
Updated
Updated · CoinDesk · Jun 5
Zcash Plunges 30% to $400 After 4-Year Orchard Bug Exposes Unlimited Counterfeit-Token Risk
3 articles · Updated · CoinDesk · Jun 5
Summary
ZEC fell about 30% in 24 hours to roughly $400 after Shielded Labs disclosed a critical flaw in Zcash’s Orchard privacy pool that could have enabled unlimited, undetectable counterfeit tokens.
May 29 marked the bug’s discovery by security engineer Taylor Hornby, who used Anthropic’s Opus 4.8 AI model to build a working exploit; Zcash developers pushed an emergency fix by June 1.
Four years after Orchard went live in May 2022, the disclosure rattled markets because Shielded Labs said cryptography alone cannot determine whether the flaw was exploited before it was patched.
Shielded Labs said exploitation was likely unlikely given the bug’s complexity and short post-discovery window, but it is proposing a network upgrade, new accounting checks and expanded security work to restore confidence in ZEC supply integrity.
An AI found Zcash's 'infinite money' bug. What catastrophic flaws are hiding in other top cryptocurrencies?
If Zcash can't prove its supply is legitimate, can investors ever truly trust privacy-focused cryptocurrencies?
AI found a flaw humans missed for four years. Is human auditing of complex code now obsolete?
Zcash’s Four-Year Orchard Bug: Unlimited Counterfeiting Threat, Market Fallout, and the Battle Between Privacy and Auditability
Overview
In May 2026, a critical vulnerability was discovered in Zcash’s Orchard privacy pool, which had been active since May 2022 and was notable for operating without a trusted setup. The bug, present for four years and found during an independent audit funded by Shielded Labs, could have allowed an attacker to mint unlimited ZEC, threatening the integrity of the cryptocurrency’s supply. Shielded Labs responded quickly and transparently, but the incident shook market confidence and highlighted the ongoing challenge of balancing privacy with auditability in privacy-focused cryptocurrencies.