Shielded Labs, a nonprofit developer on the Zcash privacy token system, disclosed a critical vulnerability in the blockchain's Orchard privacy pool that could have allowed an attacker to create an unlimited number of counterfeit ZEC tokens undetected. The bug, discovered on May 29 by security engineer Taylor Hornby using Anthropic's Opus 4.8 AI model, was present since Orchard's activation in May 2022 — four years ago. Hornby developed a complete exploit that generated unlimited counterfeit ZEC in a local test environment. The vulnerability was patched on June 1 after disclosure to the Zcash Open Development Lab (ZODL). However, Shielded Labs admitted it cannot definitively determine if the bug was exploited before the fix, though it believes exploitation likely did not occur due to the bug's complexity and rapid response. The disclosure caused ZEC to slump 38% over 24 hours, dropping to $442.6 before recovering to around $458. Shielded Labs proposed a network upgrade for independent supply verification and is accelerating security efforts including formal verification and new hires.

Key facts

• Critical bug in Zcash's Orchard pool could have allowed unlimited counterfeit ZEC minting.
• Bug discovered May 29 by Taylor Hornby using Anthropic's Opus 4.8 AI model.
• Vulnerability existed undetected for four years since Orchard's May 2022 activation.
• ZEC price dropped 38% in 24 hours to $442.6 after disclosure.
• Shielded Labs cannot confirm if bug was exploited before June 1 patch.