Zcash Plunges 37% After AI-Discovered Bug Allowed Undetectable Counterfeiting
Zcash fell 37.8% on Thursday after developers disclosed a critical vulnerability in the Orchard shielded pool that could have allowed undetectable counterfeiting for over four years. The bug, discovered on May 29 by security researcher Taylor Hornby using AI-assisted auditing tools, resided in two lines of code within the Orchard circuit. It enabled a malicious actor to create counterfeit ZEC inside the shielded pool with no on-chain signature. The vulnerability was present from Orchard's activation in May 2022 until the emergency fix on June 1, 2026.

Because of Zcash's privacy properties, there is no definitive way to determine if exploitation occurred. The incident reignited debate about structural risks in privacy coins, where attacks may go unnoticed. Under-constrained elliptic curve checks are common in production ZK circuits, and AI accelerates their discovery.

Arthur Hayes liquidated his Zcash position, while Grayscale's Craig Salm argued exploitation before the patch was unlikely. Shielded Labs proposed a network upgrade with turnstile accounting to allow verification of the Zcash supply.
Key facts
- Zcash dropped 37.8% after disclosure of a four-year-old Orchard pool vulnerability.
- Bug in two lines of Orchard circuit code allowed undetectable creation of counterfeit ZEC.
- Discovered by AI-assisted audit on May 29; patched on June 1, 2026.
- Zcash's privacy properties leave no definitive way to determine if exploitation occurred.
- Arthur Hayes liquidated his Zcash position; Grayscale says exploitation unlikely.