The Orchard Counterfeiting Vulnerability—And Next Steps

By Zooko Wilcox, Jason McGee, and Taylor Hornby

Summary

On May 29, 2026, Taylor Hornby discovered a critical counterfeiting vulnerability in Zcash’s Orchard pool.

Taylor disclosed the vulnerability to Zcash Open Development Lab (ZODL), who coordinated an ecosystem-wide emergency response to fix the vulnerability, which was completed on June 2.

After reviewing Taylor’s report and discussing the implications of the vulnerability internally, Shielded Labs believes it is important to provide additional context.

The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard. Because of the privacy properties of Orchard, there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated. However, an upgrade can be deployed to protect users and prove the integrity of the Zcash supply.

Background

In April 2026, Shielded Labs engaged Taylor Hornby to conduct ongoing security research focused on the Zcash protocol. Taylor is an experienced security engineer with a deep understanding of Zcash.

The goal of this work was simple: identify vulnerabilities before malicious actors do. Taylor immediately began evaluating Zcash using the latest AI-assisted security auditing techniques alongside traditional security research methods.

Shortly after the release of Anthropic’s Opus 4.8 model on May 28, Taylor used it as part of a highly targeted review of the Orchard circuit. On May 29, Taylor discovered the vulnerability in the Orchard circuit and immediately disclosed it to ZODL engineers. ZODL engineers and others from the Zcash ecosystem acted quickly and skillfully to close the window of vulnerability within days.

What We Know and What We Don’t Know

The vulnerability was real and exploitable. Taylor, with the help of Opus 4.8, wrote a complete exploit which, when he tested it in a local regtest environment, generated unlimited, undetectable counterfeit ZEC. If he had run the same tool on Zcash mainnet it would have generated unlimited, undetectable counterfeit ZEC in his mainnet Zcash wallet.

The vulnerability has to do with an under-constrained element of the Orchard circuit, because of which it was possible to put arbitrary false inputs into an elliptic curve multiplication and still have the multiplication check pass. See Taylor’s full report and work log for details.

The vulnerability was present from Orchard’s activation in May 2022 until the emergency fix was deployed on June 1, 2026.

What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine using only cryptography whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty.

Assessment: Prior Exploitation Of This Orchard Vulnerability Seems Unlikely

There are several reasons we are not overly concerned that counterfeiting occurred before this vulnerability was remediated.

First, the vulnerability had evaded years of scrutiny by many of the world’s best cryptographers.

Second, Shielded Labs specifically engaged Taylor Hornby for this purpose. The discovery was not accidental—it was the result of a deliberate effort to identify vulnerabilities of this kind before malicious actors could. Taylor is one of the most skilled people in the world at this. He used the most recent AI tools, available only to white-hat security researchers, along with a sophisticated custom-built AI harness and prompts, and worked hard to outrace the attackers. We think he probably succeeded.

Once the vulnerability was discovered, the window of opportunity for attack was sharply limited by the speed with which ZODL and the Zcash ecosystem executed the remediation.

Taken together, these factors suggest to us that there were few people who had the capability and opportunity to discover and exploit this vulnerability prior to it being fixed.

Proving the Integrity of the Zcash Supply

Our assessment is that exploitation of this vulnerability was unlikely. However, we do not believe that users should rely on our assessment, or anyone else’s. Shielded Labs is exploring—with the help of other Zcash developers—a proposed Network Upgrade to allow anyone to verify the integrity of the Zcash supply and to prove the non-existence of counterfeit Zcash in the Orchard pool. The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool.

We plan to publish a follow-up post next week that explains the proposal in greater detail, including how it would work and the tradeoffs involved. Like all major network upgrades, it would require support from Zcash users and need to go through the standard governance process before it could be activated.

Accelerating Our Security Research

At the same time, we are doubling down on proactive security research, including using state-of-the-art AI tools, to find problems before the bad guys do. We have already begun the next stage of that, with the help of Taylor Hornby and Anthropic, and we’ll keep you updated.

In addition, Shielded Labs is initiating a project to formally verify the Orchard circuit—an attempt to write a mathematical proof that there are no more undiscovered bugs in it.

Shielded Labs is opening a search for a Head of Security and a Cryptographer to help deepen our security efforts. If you’re interested, or know someone who may be a good fit, please reach out.

Conclusion

This was a serious vulnerability, and we believe it’s important to be transparent about what it means for Zcash users.

We hired Taylor to find any vulnerabilities before the attackers, and that’s exactly what he did. We’re grateful for his work, the quick response from ZODL and the Zcash Foundation, as well as the many ecosystem participants who helped remediate the issue.

While no one wants to discover a vulnerability like this, we’re confident that Zcash is well positioned to recover. We stand ready to continue to help the other Zcash development groups and the Zcash community as a whole in how they want to move forward.

Acknowledgements

Thanks to Sean Bowe, Dev Ohja, David Campbell, Alex Bornstein, Nate Wilcox, Kris Nuttycombe, and Vitalik Buterin for review and feedback.

Appendix A: Taylor’s work log PDF – the dramatic story of the discovery of the vuln!

16 Likes
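The turnstile accounting named in the post's "Proving the Integrity of the Zcash Supply" section, sketched as an added example that is not part of the original post and is not Zcash consensus code or the proposal's design. It shows only the general invariant: amounts crossing a pool boundary are public, so an auditor can reject any block that would take out more than ever went in. All names and amounts are hypothetical.

```python
# Added illustration of turnstile accounting; not Zcash consensus code.
# All names and amounts are hypothetical; amounts are plain integer units.
from dataclasses import dataclass


class TurnstileViolation(Exception):
    """A block would withdraw more from a pool than was ever deposited."""


@dataclass
class PoolLedger:
    name: str
    balance: int = 0  # publicly observable net value held inside the pool

    def apply_block(self, height: int, value_in: int, value_out: int) -> None:
        # Amounts crossing the pool boundary are public even though the
        # notes inside the pool stay private.
        if value_in < 0 or value_out < 0:
            raise ValueError("boundary amounts must be non-negative")
        new_balance = self.balance + value_in - value_out
        if new_balance < 0:
            raise TurnstileViolation(
                f"height {height}: {self.name} balance would be {new_balance}")
        self.balance = new_balance


def audit(pool_name, blocks):
    """Replay (height, value_in, value_out) tuples.

    Returns (ok, last_valid_balance, reason).
    """
    ledger = PoolLedger(pool_name)
    for height, value_in, value_out in blocks:
        try:
            ledger.apply_block(height, value_in, value_out)
        except TurnstileViolation as exc:
            return False, ledger.balance, str(exc)
    return True, ledger.balance, ""


# Constructed sample data: 150 units enter the pool, then holders exit.
HONEST = [(1, 100, 0), (2, 50, 0), (3, 0, 120), (4, 0, 30)]
# Same deposits, but exits total 170: 20 units more than ever entered.
INFLATED = [(1, 100, 0), (2, 50, 0), (3, 0, 120), (4, 0, 50)]

if __name__ == "__main__":
    print(audit("old_pool", HONEST))
    print(audit("old_pool", INFLATED))
```

The check bounds the total value that can leave the pool; it does not identify which notes inside the pool are genuine.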

So it’s even worse than I previously thought.

  1. No one can prove the integrity of Orchard pool.
  2. Implementing a new shielded pool and applying turnstile on Orchard moving to the new shielded pool will take a lot of time + if an exploit had happened and the hacker is fast enough, they will be able to move their fake coins to the new shielded pool BEFORE real coins are moved.
  3. Codes are made by humans and non-perfect AI. NO ONE can be 100% sure that any shielded pools are 100% bug-free all the time. This time maybe we are lucky that our guy with Opus 4.8 found it before a North Korean hacker with Opus 4.8, but next year what if the North Korean hacker finds another bug first with Opus 4.9 / Mythos / whatever smartest AI out there? In the age of AI, anything can happen. Unless we achieve AGI with 100% accuracy and use that AGI to build 100% bullet-proof codes, no way ZEC or XMR or any other cryptos can become a private store of value.

Thanks for the transparency.

This must happen swiftly…

1 Like

Isn’t it not possible without violating privacy of coinholders or effectively proving that the “shielded” supply is actually not that shielded (i.e., there is a backdoor)?

Not sure why Zooko would claim otherwise, this sounds like something new (or maybe he had it up his sleeve for a moment like this :joy:)

It sure does matter, because right now no one can say with certainty whether counterfeit ZEC was ever minted or not. If none were created — great. But if counterfeits do exist, then several serious questions need real answers:

  • Who makes the affected people whole?

  • Do innocent holders lose their money?

  • Should the counterfeit coins be identified and burned?

These are honest questions. They’re not meant to be rude, and no one is blaming ECC or the developers. Mistakes and exploits can happen in any complex system. The issue is that, at this point, there’s no way for the public to know for sure whether ZEC was exploited. Anyone claiming with absolute confidence that it hasn’t been is not being truthful. There needs to be a full, transparent, and verifiable count of all existing ZEC. Anything short of that will continue to erode trust and could ultimately kill the project.

I don’t think it matters. I believe there is no counterfeit ZEC. The problem is much more nuanced: The THEORETICAL RISK of MORE exploitable bugs (thanks to AI) is non-zero and is now well understood by the market / zodlers. Remember when ZEC wanted to be 10% of private offshore wealth? No private offshore wealth will adopt ZK technology without a 100% guarantee of no bugs.

In TradFi, if there’s a bug and the whales lose money, they can always claim the middlemen (banks / insurance / whatever). In cryptos, if you lose money because of a bug, you lose it forever.