Privacy-focused zcash (ZEC) has taken a beating in the past 24 hours, falling around 30% to $400 amid broader market weakness. Sales accelerated after Shielded Labs, a nonprofit Zcash developer, revealed a critical vulnerability in the blockchain’s Orchard privacy pool that could have threatened the integrity of the token’s supply.
Late Thursday, Shielded Labs published a detailed disclosure on X that revealed a vulnerability that, if exploited, could have allowed an attacker to create an unlimited number of counterfeit ZEC tokens, completely undetected. Think of it like someone secretly gaining access to the Federal Reserve’s dollar printing press, except in this case even the Fed wouldn’t be able to tell that those extra dollars were being printed.
The vulnerability was discovered on May 29 by Taylor Hornby, a security engineer hired by Shielded Labs in April 2026 specifically to identify protocol vulnerabilities before malicious actors could. Working with Anthropic’s recently released Opus 4.8 AI model, Hornby performed a highly targeted review of the Orchard circuit, which is the cryptographic system that underpins Zcash’s most advanced privacy pool.
Shielded Labs said Hornby wrote a complete exploit that, when tested in a local test environment, generated unlimited, undetectable fake ZEC. Shielded Labs added that if the same tool had been run on the Zcash mainnet, it would have generated unlimited, undetectable counterfeit tokens in his mainnet wallet.
Imagine an attacker quietly printing unlimited counterfeit ZEC and keeping them undetected. The damage to confidence in the supply and by extension the token’s market value could have been severe.
Hornby immediately disclosed the vulnerability to the Zcash Open Development Lab (ZODL), which coordinated an emergency fix on June 1, and closed it within days of discovery.
Bug undetected for four years
Still, what appears to be a proactive approach to correcting mistakes has not impressed the markets. This is possibly because, as Shielded Labs itself admitted, the bug had been present since Orchard’s activation in May 2022. In other words, it had existed, undetected, for four years.
Making the situation even more complex for markets is Shielded Labs’ acknowledgment that it cannot say for sure whether the flaw was exploited before the fix.
“What makes this particularly challenging is that due to Orchard’s privacy features and the nature of the flaw, there is no definitive way to determine using cryptography alone whether such an exploit occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about this uncertainty,” the company said.
Still, it emphasized that exploitation likely did not occur for several reasons. First, the flaw had eluded years of investigation by experienced cryptographers. It only came to light with the help of cutting-edge AI tools and highly skilled researchers working deliberately to find it. And once discovered, it was fixed quickly, leaving little time for anyone to exploit it.
“We think he probably succeeded,” Shielded Labs said of Hornby’s efforts to find the vulnerability before malicious actors could.
However, the organization was careful to add that users should not rely solely on their judgment and suggested a network upgrade that would allow anyone to independently verify the integrity of the ZEC supply. The proposal involves the installation of a new screened pool and the enforcement of turnstile accounting on all coins from the Orchard pool. The firm said it may publish a detailed post on the same next week.
It also said it is accelerating security efforts, including continued work with Hornby, a formal verification project aimed at writing a mathematical proof that there are no undetected flaws in the Orchard circuit, and new hires for a security chief and a cryptographer.
