
I posted this earlier but managed to mangle the text. It's really worth a quick read, especially if you have ever been interested in the idea of zcash-style privacy on Bitcoin. If you want a tl;dr, the Summary section is a very quick read and gets the important points across.

Summary

On May 29, 2026, Taylor Hornby discovered a critical counterfeiting vulnerability in Zcash’s Orchard pool.

Taylor disclosed the vulnerability to Zcash Open Development Lab (ZODL), who coordinated an ecosystem-wide emergency response to fix the vulnerability, which was completed on June 2.

After reviewing Taylor's report and discussing the implications of the vulnerability internally, Shielded Labs believes it is important to provide additional context.

The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard. Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated. However, a network upgrade can be deployed to protect users and prove the integrity of the Zcash supply.

Background

In April 2026, Shielded Labs engaged Taylor Hornby to conduct ongoing security research focused on the Zcash protocol. Taylor is an experienced security engineer with a deep understanding of Zcash.

The goal of this work was simple: identify vulnerabilities before malicious actors do. Taylor immediately began evaluating Zcash using the latest AI-assisted security auditing techniques alongside traditional security research methods.

Shortly after the release of Anthropic's Opus 4.8 model on May 28, Taylor used it as part of a highly targeted review of the Orchard circuit. On May 29, Taylor discovered the vulnerability in the Orchard circuit and immediately disclosed it to ZODL engineers. ZODL engineers and others from the Zcash ecosystem acted quickly and skillfully to close the window of vulnerability within days.

What We Know and What We Don’t Know

The vulnerability was real and exploitable. Taylor, with the help of Opus 4.8, wrote a complete exploit which, when he tested it in a local regtest environment, generated unlimited, undetectable counterfeit ZEC. If he had run the same tool on Zcash mainnet it would have generated unlimited, undetectable counterfeit ZEC in his mainnet Zcash wallet.

The vulnerability has to do with an under-constrained element of the Orchard circuit, because of which it was possible to put arbitrary false inputs into an elliptic curve multiplication and still have the multiplication check pass. See Taylor’s full report and work log for details.

The vulnerability was present from Orchard's activation in May 2022 until the emergency fix was deployed on June 1, 2026.

What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine using only cryptography whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty.

Assessment: Prior Exploitation Of This Orchard Vulnerability Seems Unlikely

There are several reasons we are not overly concerned that counterfeiting occurred before this vulnerability was remediated.

First, the vulnerability had evaded years of scrutiny by many of the world’s best cryptographers.

Second, Shielded Labs specifically engaged Taylor Hornby for this purpose. The discovery was not accidental—it was the result of a deliberate effort to identify vulnerabilities of this kind before malicious actors could. Taylor is one of the most skilled people in the world at this. He used the most recent AI tools, available only to white-hat security researchers, along with a sophisticated custom-built AI harness and prompts, and worked hard to outrace the attackers. We think he probably succeeded.

Once the vulnerability was discovered, the window of opportunity for attack was sharply limited by the speed with which ZODL and the Zcash ecosystem executed the remediation.

Taken together, these factors suggest to us that there were few people who had the capability and opportunity to discover and exploit this vulnerability prior to it being fixed.

Proving the Integrity of the Zcash Supply

Our assessment is that exploitation of this vulnerability was unlikely. However, we do not believe that users should rely on our assessment, or anyone else’s. Shielded Labs is exploring—with the help of other Zcash developers—a proposed Network Upgrade to allow anyone to verify the integrity of the Zcash supply and to prove the non-existence of counterfeit Zcash in the Orchard pool. The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool.

We plan to publish a follow-up post next week that explains the proposal in greater detail, including how it would work and the tradeoffs involved. Like all major network upgrades, it would require support from Zcash users and need to go through the standard governance process before it could be activated.

Accelerating Our Security Work

At the same time, we are doubling down on proactive security research, including using state-of-the-art AI tools, to find problems before the bad guys do. We have already begun the next stage of that, with the help of Taylor Hornby and Anthropic, and we’ll keep you updated.

In addition, Shielded Labs is initiating a project to formally verify the Orchard circuit—an attempt to write a mathematical proof that there are no more undiscovered bugs in it.

Shielded Labs is opening a search for a Head of Security and a Cryptographer to help deepen our security efforts. If you're interested, or know someone who may be a good fit, please reach out.

Conclusion

This was a serious vulnerability, and we believe it's important to be transparent about what it means for Zcash users.

We hired Taylor to find any vulnerabilities before the attackers, and that's exactly what he did. We're grateful for his work, the quick response from ZODL and the Zcash Foundation, as well as the many ecosystem participants who helped remediate the issue.

While no one wants to discover a vulnerability like this, we're confident that Zcash is well positioned to recover. We stand ready to continue to help the other Zcash development groups and the Zcash community as a whole in how they want to move forward.

Acknowledgements

Thanks to Sean Bowe, Dev Ohja, David Campbell, Alex Bornstein, Nate Wilcox, Kris Nuttycombe, and Vitalik Buterin for review and feedback.

Appendix A:

Taylor’s work log PDF – the dramatic story of the discovery of the vuln!

334 sats \ 1 reply \ @petertodd 8h

tl;dr: don't worry about an inflation exploit. Our math is so sophisticated that only a handful of good guys in the entire world understand it well enough to exploit it!

reply

yes, inspires confidence, doesn't it?

reply
106 sats \ 0 replies \ @teemupleb 3h

I haven’t used or studied Zcash, but I always wondered why the alleged North Korean hackers never used it but they used Monero instead.

Also the alleged Israel connections kept me away.

reply

There are a couple things that are interesting to me here:

  1. The vulnerability existed for four years.
  2. "The vulnerability had evaded years of scrutiny by many of the world’s best cryptographers."
  3. It was found because Shielded Labs hired someone to look for bugs using AI.
  4. "The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard. Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated."

I'm impressed that they made it public. I imagine there was a lot of pressure on them and I wonder if there was a moment where they toyed with the idea of trying to hide it. I know that it would have crossed my mind -- so I'm impressed that they were honest (maybe I'm ignorant and they were cornered from the get-go).

Also in my ignorance: isn't this the big scary part of using zero knowledge proofs? If there is something wrong with your proof machine, you are completely adrift in the fog. The best they are ever going to be able to say is that "we don't think it was exploited."

reply
312 sats \ 1 reply \ @optimism 8h

It was found because Shielded Labs hired someone to look for bugs using AI.

It's really good that they did this.

Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated.

Udi is right about this. It's inherent to the design (and not the privacy properties.)

I'm impressed that they made it public. [..] they were cornered from the get-go

They have to and yes, you're always cornered in FOSS. There is no way that they can ship code without post-merge scrutiny so it cannot be hidden. You have to disclose, and for a consensus bug that needs a hardfork, it means you have to coordinate. I think that they handled this bad situation well. And very quickly; it's actually impressive.

The problem with ZCash is not in the execution, I think.

isn't this the big scary part of using zero knowledge proofs?

Yes. But it doesn't have to be a problem.

The problem is that hyping/pumping something you cannot possibly understand (re: Vlad and Hayes in your comment thread of tweets - who provably didn't) is dangerous; you're gambling with the money of those that listen to you. Luckily, no one listens to these guys except for entertaining casino banter, right? It's not the first time that shitcoin hype came from tweets of these guys and it won't be the last. The best advice is to ignore them.

TLDR; play with fire, get burned. But remember, there's some fire in Bitcoin too, just it gets more scrutiny and it is simpler. Do you understand the risks you're taking though, anon?

reply

What bothers me most is the slimy pumping from Vlad and Hayes. I'd very much like to be able to dismiss them and never think about them again. Yet, I enjoy Hayes newsletter (on occasion) and Vlad does get cool guests on his podcast. It makes me sad to have to be even more cynical of the media they produce. Takes away some of the entertainment value.

reply
105 sats \ 1 reply \ @OT 2h

Can someone please dunk on Naval for me? Thanks!

Here are a few interesting responses to this that I've seen:

Arthur Hayes doing Arthur Hayes things:

source

I deleted an earlier version of this post because it had mangled formatting, but there was already one comment, which I'm attaching here without attribution unless the author would like to claim it:

Which is why the base supply/transactions should be transparent.
"The vulnerability was present from Orchard's activation in May 2022 until the emergency fix was deployed on June 1, 2026."
So about 4 years.
"Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated."
And there's no way to 100% know whether someone exploited/used it although they don't think so...
Crazy.
reply
105 sats \ 4 replies \ @3a0991ac06 11h -110 sats

Bitcoiners have been arguing for years that supply auditability matters. Stories like this explain why.

The undetectability in your point #4 is the part worth sitting with — and it isn't a Zcash-specific failure, it's the structural cost of any shielded pool.

A counterfeiting bug is a soundness break (forging a valid proof of a false statement), which is a different and scarier class than a privacy / zero-knowledge leak. On a transparent chain a soundness break surfaces instantly as a supply-audit mismatch — you sum the outputs and the math doesn't close. In a shielded pool you've traded that auditability away for privacy, so by construction you can't prove after the fact whether anyone minted. Hidden amounts cut both ways.

Worth being precise about scope: the specific flaw won't transfer across designs — Monero's RingCT/Bulletproofs is a completely different construction from Zcash's Halo2, so this exact bug is Orchard-only. But the class risk — "you can't audit a supply you deliberately hid" — is shared by every confidential-amount system, Monero included. It's the tax you pay for the privacy, not a Zcash mistake.

The real headline is your #3: an AI-assisted review caught a soundness bug that four years of scrutiny by the world's best cryptographers missed. That's the part that generalizes.
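
An added example, not code from the post, from Shielded Labs, or from any commenter, illustrating the two accounting checks discussed above: the "sum the outputs and the math doesn't close" transparent audit in this comment, and the turnstile accounting the quoted Shielded Labs post proposes for coins leaving the Orchard pool. The transaction records are constructed, and the model is deliberately simplified: fees and coinbase issuance are ignored, and a pool is represented only by the net value that visibly enters or leaves it.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Tx:
    """Constructed, simplified transaction record (values in zatoshi).
    pool_delta is the publicly visible net value moving into (+) or
    out of (-) a shielded pool; amounts inside the pool stay hidden."""
    txid: str
    t_in: int = 0        # sum of transparent input values
    t_out: int = 0       # sum of transparent output values
    pool_delta: int = 0  # +shielded into the pool, -unshielded out of it


def transparent_audit(txs: List[Tx]) -> List[str]:
    """Transparent accounting: every tx must satisfy
    t_in == t_out + pool_delta (fees ignored in this simplified model).
    A soundness break that mints transparent coins fails this check
    immediately, because the mismatch is visible on-chain."""
    return [tx.txid for tx in txs if tx.t_in != tx.t_out + tx.pool_delta]


def turnstile_audit(txs: List[Tx]) -> Tuple[int, List[str]]:
    """Turnstile accounting: the pool's cumulative balance, computed only
    from visible inflows and outflows, must never go negative. Counterfeit
    notes inside the pool cannot be seen, but they cannot exit either
    unless at least that much value was previously shielded in."""
    balance = 0
    violations = []
    for tx in txs:
        balance += tx.pool_delta
        if balance < 0:
            violations.append(tx.txid)
    return balance, violations


# Constructed sample: two shielding txs, one transparent tx that "prints"
# 15 coins, then two unshielding txs whose total exceeds what was shielded.
SAMPLE = [
    Tx("tx1", t_in=100, pool_delta=100),
    Tx("tx2", t_in=50, pool_delta=50),
    Tx("tx5", t_in=10, t_out=25),          # 10 in, 25 out: math does not close
    Tx("tx3", t_out=120, pool_delta=-120),  # pool balance now 30
    Tx("tx4", t_out=60, pool_delta=-60),    # pool balance now -30: turnstile hit
]

if __name__ == "__main__":
    print("transparent mismatches:", transparent_audit(SAMPLE))
    print("pool balance, turnstile violations:", turnstile_audit(SAMPLE))
```

The turnstile does not reveal whether counterfeit notes exist inside the pool; it bounds what such notes can ever do to the visible supply, which is the property the proposed upgrade relies on.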

0 sats \ 0 replies \ @766ee57535 11h freebie -10 sats

This is exactly why supply auditability matters. Privacy is valuable, but being able to verify that 1 coin today equals 1 coin tomorrow is non-negotiable for money.

3 sats \ 0 replies \ @Solomonsatoshi 8h -30 sats

Ignore the Genocide and Be Happy :)

https://www.youtube.com/watch?v=AHPmW-XKfCM

Censorship resistance principles require that every time this comment is downzapped it will be replicated twice over.

Thank the Anonymous Zionist Downzapper bot for the ENDLESS SPAM about the Genocide.