Zcash Critical Vulnerability Discovered by Whitehat Using Claude Opus 4.8
On May 29, security researcher Taylor Hornby discovered a critical vulnerability in Zcash's Orchard privacy pool that would allow an attacker to mint unlimited counterfeit ZEC. Hornby, hired by Zcash for this purpose, used Anthropic's Claude Opus 4.8 to find the bug. The Orchard pool, active since May 2022, uses zero-knowledge proofs, but one of its checks did not enforce the rules, so false inputs could pass. Hornby wrote a working exploit, tested it locally, and disclosed it to ZODL.

An emergency fix was deployed by June 1, but the bug had existed for four years. Because Orchard is a privacy pool, it is impossible to determine whether the vulnerability was exploited before the fix. Shielded Labs is proposing a network upgrade to enforce turnstile accounting, which would expose any counterfeit supply.

This event demonstrates the power of advanced AI models in security research: Hornby found a long-standing bug within 24 hours of Opus 4.8's release. It serves as a warning for crypto protocols to proactively test their systems against AI-assisted attacks.
Key facts
- Taylor Hornby discovered Zcash Orchard vulnerability using Claude Opus 4.8
- Bug allowed unlimited counterfeit ZEC minting, existed since May 2022
- Emergency fix deployed by June 1, but prior exploitation unknown due to privacy
- Shielded Labs proposes network upgrade with turnstile accounting
- First real-world demonstration of AI model finding critical crypto bug
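
A simplified model of the turnstile accounting mentioned above, as an added example (not code from Zcash, Shielded Labs, or the original page). It assumes each block's public value flows into and out of the pool are known; the class names, block fields and sample chains are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Block:
    height: int
    deposits: int     # value moved into the pool (publicly visible), in units
    withdrawals: int  # value moved out of the pool (publicly visible), in units


class TurnstileViolation(Exception):
    def __init__(self, height, shortfall):
        super().__init__(f"block {height}: pool balance would be -{shortfall}")
        self.height = height
        self.shortfall = shortfall


class PoolTurnstile:
    """Tracks the pool's public balance and refuses blocks that overdraw it."""

    def __init__(self):
        self.balance = 0

    def apply(self, block):
        new_balance = self.balance + block.deposits - block.withdrawals
        if new_balance < 0:
            # Reject without mutating state: more left the pool than ever entered.
            raise TurnstileViolation(block.height, -new_balance)
        self.balance = new_balance


def first_violation(blocks):
    """Return (height, shortfall) of the first rejected block, or None."""
    turnstile = PoolTurnstile()
    for block in blocks:
        try:
            turnstile.apply(block)
        except TurnstileViolation as violation:
            return violation.height, violation.shortfall
    return None


# Constructed sample chains. The honest chain leaves 100 units in the pool.
HONEST = [Block(1, 500, 0), Block(2, 0, 200), Block(3, 100, 300)]
# Same chain plus withdrawals backed by value that was never deposited.
WITH_COUNTERFEIT = HONEST + [Block(4, 0, 100), Block(5, 0, 250)]

if __name__ == "__main__":
    print(first_violation(HONEST), first_violation(WITH_COUNTERFEIT))
```

In this model, withdrawals that stay within the recorded balance pass regardless of their origin; the turnstile only exposes the amount by which total withdrawals exceed total deposits.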