Orchard Vulnerability Successfully Remediated

Summary

On the evening of Monday, June 1, the Zcash ecosystem launched a coordinated network upgrade in response to an issue affecting Orchard, Zcash’s latest shielded pool. As part of that ecosystem-wide effort, developers, infrastructure operators, miners, exchanges, and other key independent network participants coordinated to temporarily suspend the mining of Orchard-related transactions while a protocol-level upgrade was deployed.

The remediation was carried out in two stages, each activated through network-wide consensus:

  • The first step was to activate a soft fork that temporarily disabled Orchard by prohibiting both the creation of new Orchard outputs and the spending of existing Orchard funds. A direct patch would have revealed too much about the nature of the issue to anyone with access to the updated code, so this initial step limited disclosure of vulnerability details while the full fix was prepared.
  • The second step was to perform a hard-fork network upgrade to remediate the vulnerability and fully restore Orchard functionality. The hard fork was required to update the zero-knowledge proof circuit for a complete fix.

The upgrade has now been completed, and Orchard transactions have been re-enabled.

There is no evidence that the vulnerability was exploited. User funds remained safe throughout the rollout. The issue did not affect the privacy of funds held in any Zcash pool, and no impact to the total ZEC supply has been detected.

This was the second security-driven protocol upgrade in Zcash history since its launch in 2016. The issue was discovered, confirmed, remediated, and resolved over the course of a few days, reflecting both the depth of Zcash developers’ protocol expertise and the strength of Zcash’s established disclosure processes.


Key Points

  • The Zcash Orchard shielded pool soundness vulnerability was discovered and successfully remediated.
  • There is no evidence that the vulnerability was exploited. No unauthorized value creation has been detected. The total ZEC supply remains intact.
  • The issue did not affect the privacy of funds held in any Zcash pool.
  • Zcash researcher Taylor Hornby discovered the vulnerability as part of ongoing Zcash security audits.
  • Orchard transactions were temporarily suspended for approximately 24 hours while the upgrade was deployed and activated.
  • ZODL developed the remediation and led coordination with independent participants across the Zcash ecosystem.
  • User funds remained safe throughout the incident response and upgrade process.
  • The issue affected only Orchard, Zcash’s latest shielded pool. Sapling and transparent Zcash transactions were not affected and continued to operate during the upgrade.
  • ZEC held on exchanges was unaffected and tradable throughout the rollout.
  • The Zcash Foundation, miners, node operators, wallet providers, infrastructure operators, exchanges, and other ecosystem participants coordinated to deploy the upgrade.
  • Because the issue required a consensus change, it could not be addressed through a routine node software patch alone.
  • Information was shared with maintainers of other protocols that have deployed Orchard technology.

Discovery and Responsible Disclosure Timeline

The soundness vulnerability was discovered on Friday, May 29, by Taylor Hornby, an independent security researcher conducting an ongoing protocol audit on behalf of Shielded Labs.

After identifying the issue, Taylor responsibly disclosed it to the ZODL core engineers, who immediately began investigating the report.

Within hours of receiving the disclosure, shortly after midnight on Saturday, May 30, ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the issue and began evaluating remediation options. Later that day, they had identified a path forward and disclosed the issue to ZODL CEO Josh Swihart, who then began coordinating the ecosystem response. Over the following days, engineers, infrastructure operators, miners, and other participants worked together to prepare for activation of the network upgrade.

It was a carefully coordinated effort across the ecosystem to deploy the upgrade on an accelerated timeline while minimizing disruption, preserving network integrity, and maintaining confidence in the system. The response moved quickly as the people involved understood both the urgency of the issue and the complexity of the system, building on established disclosure and coordination processes that were already in place.

Private coordination with miners and exchanges began on the evening of Sunday, May 31, to notify them of the forthcoming upgrade and allow sufficient time for review and deployment.

Patch development continued throughout Sunday night and Monday, and updated software was provided to miners and exchanges by approximately 7:30 PM EDT on Monday, with soft fork activation targeted for Monday, June 1, 10:00 PM EDT.

Due to coordination challenges during patch deployment, the initial activation attempt did not succeed as planned. The ZODL engineering team then quickly produced a second patch targeting activation at block height 3,363,426, and the soft fork successfully activated at that height, approximately two hours later than originally planned. The network then experienced a brief period of instability as mining power upgraded and converged on the new consensus rules. Network stability was fully restored by approximately Tuesday, June 2, 3:00 AM EDT.

On Wednesday, June 3, 00:05 EDT, the network upgrade was completed successfully.


The Vulnerability

The issue was a soundness bug affecting the Zcash Orchard shielded pool.

In a protocol like Zcash, soundness means the system should only accept valid transactions and state transitions under the rules of the protocol. A soundness vulnerability is a flaw that could allow the system to accept something it should reject.

In this case, successful exploitation could have allowed the Orchard pool to accept invalid state transitions, potentially affecting the pool’s accounting guarantees.

There is no evidence that the vulnerability was exploited. Zcash’s turnstile mechanism, which provides visibility into how much value can legitimately enter and leave shielded pools, protects the integrity of the 21M supply cap.

Zcash’s turnstile mechanism tracks the total ZEC balance of each value pool (Sprout, Sapling, Orchard, transparent, and lockbox) and enforces invariants on how much value can flow between pools. These checks run during block connection, so each pool’s chain balance must be known at every height. Because the per-pool balances are public, ecosystem participants can compare expected and observed values and identify discrepancies.
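A minimal model of the turnstile accounting described above, added here as an illustration; it is not zcashd’s or zebrad’s code. Per-pool chain balances are kept in zatoshi, a block is summarized as net value deltas per pool plus the issuance it is allowed to create (the sample balances, deltas and issuance figure are constructed for the example, and the pre-aggregation of transactions into per-pool deltas is assumed to have happened elsewhere). The checks at block connection are the ones the paragraph describes: value only appears through issuance, no pool’s chain balance can go negative, and the total stays under the 21M cap.

```rust
use std::collections::BTreeMap;

/// 1 ZEC = 100_000_000 zatoshi; the 21M cap expressed in zatoshi.
pub const MAX_MONEY: i64 = 21_000_000 * 100_000_000;

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Pool { Sprout, Sapling, Orchard, Transparent, Lockbox }

/// Chain value balance of every pool, in zatoshi.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct ChainBalances { zat: BTreeMap<Pool, i64> }

impl ChainBalances {
    pub fn new(initial: &[(Pool, i64)]) -> Self {
        Self { zat: initial.iter().copied().collect() }
    }
    pub fn get(&self, p: Pool) -> i64 { *self.zat.get(&p).unwrap_or(&0) }
    pub fn total(&self) -> i64 { self.zat.values().sum() }
}

/// A block reduced to its effect on the pools (assumed pre-aggregated from
/// valueBalance fields, transparent inputs/outputs and the coinbase) plus
/// the new issuance the block is permitted to create.
#[derive(Clone, Debug)]
pub struct BlockDeltas { pub issuance: i64, pub deltas: Vec<(Pool, i64)> }

#[derive(Debug, PartialEq, Eq)]
pub enum TurnstileError {
    /// Net change across all pools differs from the allowed issuance.
    ValueCreated { expected: i64, observed: i64 },
    /// A pool would end up owing value, which no valid history can produce.
    NegativePool(Pool, i64),
    /// Arithmetic overflow or total above the cap.
    SupplyExceeded(i64),
}

/// Apply a block to the chain balances, rejecting it if an invariant breaks.
/// `prev` is left untouched; the new balances are returned on success.
pub fn connect_block(prev: &ChainBalances, block: &BlockDeltas)
    -> Result<ChainBalances, TurnstileError>
{
    // Invariant 1: value is conserved. Transfers between pools sum to zero,
    // so the net change over all pools must equal this block's issuance.
    let observed: i64 = block.deltas.iter().map(|(_, d)| d).sum();
    if observed != block.issuance {
        return Err(TurnstileError::ValueCreated { expected: block.issuance, observed });
    }
    let mut next = prev.clone();
    for &(pool, delta) in &block.deltas {
        let entry = next.zat.entry(pool).or_insert(0);
        *entry = entry.checked_add(delta)
            .ok_or(TurnstileError::SupplyExceeded(i64::MAX))?;
        // Invariant 2: a pool's chain balance can never be negative.
        if *entry < 0 {
            return Err(TurnstileError::NegativePool(pool, *entry));
        }
    }
    // Invariant 3: the sum of all pools never exceeds the cap.
    if next.total() > MAX_MONEY {
        return Err(TurnstileError::SupplyExceeded(next.total()));
    }
    Ok(next)
}

fn main() {
    // Constructed starting state: 3 ZEC in Orchard, 10 ZEC transparent.
    let start = ChainBalances::new(&[(Pool::Orchard, 300_000_000),
                                     (Pool::Transparent, 1_000_000_000)]);
    // A block claiming 5 ZEC leaves Orchard when the pool holds only 3.
    let forged = BlockDeltas { issuance: 0,
        deltas: vec![(Pool::Orchard, -500_000_000), (Pool::Transparent, 500_000_000)] };
    println!("{:?}", connect_block(&start, &forged));
}
```

The negative-pool rule is the one that would surface an Orchard soundness exploit after the fact: a forged spend that nets more value out of the pool than ever entered it drives the chain balance below zero at block connection.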

Analysis conducted during the response found no evidence of unauthorized value creation and no impact to the total ZEC supply.

Technical Details

The Zcash Open Development Lab team received a report of a critical flaw in the implementation of the Orchard zero-knowledge proof circuit in the halo2_gadgets crate. This vulnerability was privately disclosed to ZODL core engineers on May 29, 2026, at 11:53 PM by Taylor Hornby, a former security engineer at the Electric Coin Company and an independent security researcher contracted by Shielded Labs to conduct vulnerability research on the Orchard protocol.

The specific problem was in the incomplete double-and-add loop in ecc::chip::mul. The per-iteration base (x_p, y_p) was held constant across loop rows by the q_mul_2 selector, but it was never tied to the real base: the coordinates were written with assign_advice, and the constancy chain reached neither the doubling-row nor the complete-addition base anchors. A prover could therefore run the incomplete loop against a free constant B' != base, making the gadget output [a] base + [b] B' rather than [scalar] base.

As a consequence, it was necessary to deploy an immediate network upgrade to update the pinned verifying key for the Orchard circuit. User privacy and the total supply cap of Zcash were not affected; however, exploitation of this bug could have permitted double-spending of funds within the Orchard pool.
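A toy model of the gap described above, added here to make the missing constraint concrete; it is not the halo2_gadgets code. The additive group of integers modulo a small prime stands in for the Pallas curve (so [k]B is just k·B mod P), `base_p` stands in for the per-row (x_p, y_p) cells, and the row count and the split between incomplete rows and anchored complete rows are assumptions of the toy, not the real circuit’s layout. The `anchor_base` flag toggles the one constraint the vulnerable loop lacked: with it off, a witness built against B' != base passes every row check and the verifier accepts [lo]base + [hi]B' as if it were [scalar]base.

```rust
/// Toy stand-in for the Pallas group: "points" are integers mod P and point
/// addition is addition mod P. The constraint bookkeeping, not the curve
/// arithmetic, is what this example is about.
const P: u64 = 1_000_003;       // a prime, chosen for the example
const BITS: usize = 8;          // scalar width in the toy
const COMPLETE_BITS: usize = 3; // low bits handled by rows anchored to the real base

fn add(a: u64, b: u64) -> u64 { (a + b) % P }
fn dbl(a: u64) -> u64 { (2 * a) % P }

/// Ground truth the gadget is supposed to compute.
pub fn scalar_mul(k: u64, base: u64) -> u64 { (k % P) * (base % P) % P }

/// What a forged witness actually yields: [lo]base + [hi << COMPLETE_BITS]B'.
pub fn forged_output(k: u64, base: u64, b_prime: u64) -> u64 {
    let lo = k & ((1 << COMPLETE_BITS) - 1);
    let hi = k >> COMPLETE_BITS;
    add(scalar_mul(lo, base), scalar_mul(hi << COMPLETE_BITS, b_prime))
}

#[derive(Debug, Clone)]
pub struct Witness {
    pub base: u64,        // the cell that genuinely carries the input base
    pub bits: Vec<u8>,    // scalar bits, most significant first
    pub base_p: Vec<u64>, // per-row base used by the incomplete rows (the (x_p, y_p) analogue)
    pub acc: Vec<u64>,    // acc[0] = identity, acc[i + 1] = result of row i
}

/// Prover side. An honest prover passes `loop_base == base`; a cheating one
/// passes any B' it likes for the incomplete rows.
pub fn synthesize(scalar: u64, base: u64, loop_base: u64) -> Witness {
    let n_inc = BITS - COMPLETE_BITS;
    let bits: Vec<u8> = (0..BITS).rev().map(|i| ((scalar >> i) & 1) as u8).collect();
    let mut acc = vec![0u64];
    let mut base_p = Vec::with_capacity(n_inc);
    for (i, &bit) in bits.iter().enumerate() {
        let b = if i < n_inc { base_p.push(loop_base); loop_base } else { base };
        let prev = *acc.last().unwrap();
        acc.push(if bit == 1 { add(dbl(prev), b) } else { dbl(prev) });
    }
    Witness { base, bits, base_p, acc }
}

/// Verifier side: check every row constraint and return the accumulator.
/// `anchor_base` adds the constraint the vulnerable circuit was missing.
pub fn verify(w: &Witness, anchor_base: bool) -> Result<u64, String> {
    let n_inc = BITS - COMPLETE_BITS;
    if w.bits.len() != BITS || w.acc.len() != BITS + 1 || w.base_p.len() != n_inc {
        return Err("malformed witness".into());
    }
    if w.acc[0] != 0 { return Err("accumulator must start at the identity".into()); }
    for i in 0..BITS {
        if w.bits[i] > 1 { return Err(format!("row {i}: bit is not boolean")); }
        let b = if i < n_inc {
            // q_mul_2 analogue: the base is constant from one incomplete row to the next...
            if i > 0 && w.base_p[i] != w.base_p[i - 1] {
                return Err(format!("row {i}: base changed mid-loop"));
            }
            w.base_p[i]
        } else {
            w.base // ...while the complete rows are anchored to the real base
        };
        let expect = if w.bits[i] == 1 { add(dbl(w.acc[i]), b) } else { dbl(w.acc[i]) };
        if w.acc[i + 1] != expect { return Err(format!("row {i}: double-and-add step is wrong")); }
    }
    // The fix: tie the loop's constant base to the anchored input base.
    if anchor_base && w.base_p[0] != w.base {
        return Err("loop base is not the input base".into());
    }
    Ok(w.acc[BITS])
}

fn main() {
    let forged = synthesize(181, 7, 11); // scalar 181, base 7, attacker's B' = 11
    println!("expected [181]7 = {}", scalar_mul(181, 7));
    println!("unpatched verifier: {:?}", verify(&forged, false));
    println!("patched verifier:   {:?}", verify(&forged, true));
}
```

Every per-row relation holds for the forged witness, which is why testing the gadget row by row would not have caught this; only a constraint that reaches across the rows to the input cell closes the gap.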

Affected Code and Versions

This vulnerability affects all versions of the halo2_gadgets crate prior to v0.5.0, all versions of the orchard crate prior to v0.14.0, all versions of zcash_primitives prior to v0.28.0, and any dependents thereof, including zcashd v5.0.0 through v6.12.3 and zebrad versions below v4.5.1.

Remediation

Fixed releases of the zcashd and zebrad consensus nodes, zcashd v6.20.0 and zebrad v5.0.0 are now available, as are new releases of the halo2_gadgets, orchard, and zcash_primitives Rust crates. In addition, new versions of the mobile wallet SDKs maintained by ZODL have been released.

CVE

A CVE for this vulnerability has not yet been assigned.


Coordinated Ecosystem Response

ZODL led the technical response and coordination effort, working closely with the Zcash Foundation and other independent participants across the ecosystem.

Because the vulnerability required a consensus change, it could not be resolved by ZODL or any other single organization acting alone. The upgrade required voluntary cooperation from miners, node operators, infrastructure operators, exchanges, and other network participants who independently chose to support the remediation.


Outcome

The upgrade worked because Zcash had the necessary ingredients in place before the vulnerability was discovered: ongoing security review, responsible disclosure procedures, experienced protocol engineers, established coordination channels, and a network of independent participants willing to act quickly when required.

The issue was discovered through security research. It was responsibly disclosed. Protocol engineers confirmed it. A remediation was developed. Independent participants reviewed and adopted the upgrade.

Unlike contentious forks sometimes experienced by major cryptocurrency networks, this upgrade was a coordinated security response designed to protect users and preserve the integrity of the protocol.

Security-driven upgrades are not unique to Zcash. Bitcoin, Ethereum, Monero, and other major cryptocurrency networks have all responded to serious protocol-level issues. What stands out here is the speed of the response. The issue was discovered and resolved in just a few days.


Acknowledgements

The Zcash community benefited from the professionalism and expertise of many individuals and organizations throughout this response.

ZODL developed the remediation and conducted the response, but the upgrade succeeded because independent participants across the Zcash ecosystem coordinated around a shared objective: protecting users and preserving the integrity of the network.

We are especially grateful to Taylor Hornby for finding and responsibly disclosing the issue.

We also want to recognize the ZODL team members who led the remediation and coordination effort. In particular, the rapid resolution of this issue was made possible by the deep protocol expertise of Jack Grigg, Daira-Emma Hopwood, and Kris Nuttycombe. Their years of work on Zcash’s cryptography, protocol design, consensus rules, and shielded protocols were critical to understanding the issue, developing a safe remediation, and guiding the network through the upgrade process.

This kind of expertise cannot be improvised in a crisis. It is built over years of designing, implementing, reviewing, and maintaining privacy-preserving protocol systems.

Worth a special mention is the work of Arya Solhi of the Zcash Foundation, who was instrumental in developing the patches that enabled zebrad to support the network upgrade.

We are also grateful to Shielded Labs for supporting independent security research and to Zcash Foundation, miners, node operators, wallet providers, infrastructure operators, exchanges, researchers, and ecosystem partners who reviewed, adopted, and supported the upgrade.


Security in the Age of AI

This incident also reflects a broader shift in software security.

The timing of this incident is notable. The vulnerability was discovered following the release of a new generation of AI-assisted coding and analysis tools on Thursday, May 28. Across the software industry, these systems are dramatically reducing the cost of vulnerability discovery.

Researchers can now review large codebases, analyze complex interactions, identify edge cases, audit smart contracts, fuzz software, analyze logs, and propose attack paths at a speed that would have been unimaginable only months ago.

Developers are using these tools to strengthen software, review code, analyze systems, identify vulnerabilities, and develop remediations.

The result is an accelerating race between vulnerability discovery and vulnerability remediation.

That is not a reason to panic. It is a reason to invest even more deeply in security processes, protocol expertise, responsible disclosure, and coordination readiness.

In the age of AI, the strongest systems will not be the ones that pretend vulnerabilities don’t exist. They will be the ones that discover, verify, remediate, coordinate, and communicate quickly when they do.


Final Takeaways

During periods of rapid growth and innovation, there is always pressure in crypto to cut corners in order to move faster. This event highlights why Zcash’s security culture and coordination processes exist. It is also a reminder that in complex protocol systems, speed certainly matters, but process matters just as much.

A vulnerability was discovered. It was responsibly disclosed. It was confirmed, remediated, coordinated, and resolved. All within a few days.

The engineers identified a solution. Independent network participants across the ecosystem reviewed, adopted, and activated it. The network continued operating. Orchard transactions were restored. User funds remained safe. Privacy was unaffected. The total ZEC supply remained intact.

Zcash protocol security is not a single audit, a single team, or a single upgrade. It is an ongoing discipline strengthened through cooperation, rigorous review, responsible disclosure, deep expertise, and effective coordination.

This incident demonstrated that those systems work.

21 Likes

Fixed releases of the zcashd and zebrad consensus nodes, zcashd v6.20.0 and zebrad v5.0.0 are now available.

Hmm, not for all at this moment…

Congratulations to everyone who participated in overcoming this problem. It was a well-coordinated response. In the other thread, I left a comment asking if this will delay the Taychon implementation a bit longer so that a thorough AI audit can be performed. A new pool presents both advantages and risks.

2 Likes

👏🏼👏🏼👏🏼

4 Likes

Here's one explorer that seems to be updated: Network Miners - Zcash Mining Pool

are there any others that are working correctly?

1 Like

I don’t mean to be pedantic, but now that I see you spelling it thusly a second time, I feel I have to point out the erratum: It’s Tachyon, and not Taychon.

tachyon (noun) A hypothetical particle that travels faster than the speed of light.

2 Likes

FYI. Thanks to everyone for the help!

5 Likes

Can I ask how this works, then, when cipherscan is showing a different (correct?) chain than the official zcashexplorerapp? zcashinfo is also on the pre-upgrade chain, but that’s run by Foundry. They clearly haven’t upgraded either, but they have like 30% of ZEC hashrate… which is probably still mining the pre-NU6.2 chain. This looks like a contested fork atm.

Right, I am unable to send from my Cake wallet, and support has stopped responding. I need to get my coins out. Is there any way to restore to a different ZEC wallet that you know of?

You can see here that cake wallet has at least upgraded their own lightwalletd server to V5.0.0:

hosh.zec.rocks/zec/zec-node.cakewallet.com:443

But the current block count is several years back. This is probably the “day long” sync that some other users have reported in other threads. If you’re in a crunch you’ll have to restore to a wallet that’s synced with the canonical chain, but as I mentioned above, every exchange and public explorer is still using the previous chain. So it’s difficult to say what the canonical chain is in reality, although we know which one it’s supposed to be. In practical terms your (and our) zec is probably useless until the network consensus gets sorted out, apart from the security issue.

Zodl using zec rocks servers should work… Here is a recent tx.

You can attempt to recover in Zkool, but with a new consensus branch id, the state of functionality for sending in any given wallet is a little bit in question today.

1 Like

I would use ZODL, but it does not appear to support 12 word seed restore.

“Useless” as in I should consider my funds lost forever?

Why? Just wait for your wallet update… Zodl was the first, others will follow.

Not lost. Wallets need to be updated in order to work and this was basically an emergency upgrade. Normally, wallet devs would have had much more prior notice to update. Zingo is updating. Zkool released like six hours ago, which I think was maybe just before this oof, ezcash is aware, stay tuned.

Definitely not forever, I wrote “useless until the network consensus gets sorted out”. You can restore from an updated wallet that uses an updated node right now, but that’s the vast minority of the zec ecosystem atm, so not many other people will be able to receive them - atm that includes all exchanges. This is just a guess but maybe in a few days it won’t be.

1 Like

My god I hope. I had a significant balance, against my better judgement. I never knew Cake wallet did an auto-shield, at MY expense even. Not happy about that. I should’ve stuck with Trust wallet.

1 Like