Zcash drops 30% after Orchard bug admits supply risk

Zcash’s price fell about 30% to around $400 after Shielded Labs disclosed a critical, four-year-old vulnerability in the Orchard privacy pool that could have enabled undetectable creation of unlimited counterfeit ZEC. The nonprofit says an emergency fix was co
By late Thursday, Zcash had already started to slide—then the acceleration came. Within roughly 24 hours, the privacy-focused token fell about 30% to around $400, with the selloff tied directly to a warning from Shielded Labs: a critical vulnerability in Zcash’s Orchard privacy pool that had remained undetected for years.
In a detailed disclosure posted on X, Shielded Labs said the weakness—if exploited—could have allowed an attacker to generate an unlimited number of counterfeit ZEC tokens without detection. The nonprofit framed the risk in stark terms: the attacker wouldn’t just make fake coins; because of Orchard’s privacy properties, they could do it in a way that could not be detected using cryptography alone.
The vulnerability was found on May 29 by Taylor Hornby, a security engineer Shielded Labs engaged in April 2026 specifically to hunt for protocol vulnerabilities before malicious actors could. Hornby’s work centered on the Orchard circuit, described by Shielded Labs as the cryptographic system underpinning Zcash’s most advanced privacy pool. Shielded Labs said Hornby wrote a complete exploit and, in a local testing environment, it generated unlimited undetectable counterfeit ZEC.
Shielded Labs added that the same tool—if run on Zcash mainnet—would have produced unlimited undetectable counterfeit tokens in Hornby’s mainnet wallet. In other words, the problem wasn’t theoretical. It was something that could be made to work.
The emergency response came quickly after disclosure. Hornby immediately reported the issue to the Zcash Open Development Lab (ZODL), which coordinated an emergency fix on June 1. Shielded Labs said the vulnerability was closed within days of discovery.
Still, the market reaction suggests trust can’t be measured only by how fast something gets patched. Shielded Labs acknowledged that the bug had been present since Orchard’s activation in May 2022. That means it existed—undetected—for roughly four years.
Adding to the uncertainty, Shielded Labs also said it cannot say for sure whether the vulnerability was exploited before it was fixed. The nonprofit wrote that Orchard’s privacy properties and the nature of the bug leave no definitive cryptographic method to determine whether exploitation occurred prior to the discovery and the patch.
“What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine using only cryptography whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty,” Shielded Labs said.
Even while acknowledging that uncertainty, the organization argued exploitation likely did not happen. It pointed to the fact that the bug evaded years of scrutiny by experienced cryptographers, and that it only surfaced through what Shielded Labs described as cutting-edge AI tools and highly skilled researchers deliberately searching for it. It also said that once discovered, it was fixed quickly—leaving less time for someone to exploit it.
Shielded Labs said: “We think he probably succeeded,” referring to Hornby’s efforts to find the vulnerability before malicious actors could.
The organization is urging users not to rely solely on its assessment. It proposed a network upgrade designed to let anyone verify the integrity of the ZEC supply independently. Shielded Labs said the plan involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool. It also said it could publish a detailed post on the proposal next week.
Shielded Labs said it is also accelerating its security efforts beyond the emergency fix. That includes continued work with Hornby, a formal verification project intended to write a mathematical proof that there are no undiscovered bugs in the Orchard circuit, and new hires for a Head of Security and a Cryptographer.
For investors watching the price move, the story is now about more than a single patch. Orchard went live in May 2022. The vulnerability persisted through years of scrutiny. Then it surfaced through a targeted effort that Shielded Labs says used advanced AI—followed by an emergency closure in days. But with Shielded Labs unable to confirm whether anyone exploited it before the fix, the market is left with the same uncomfortable question most people can’t shake after a supply-risk scare: if the system can’t prove what happened in the dark, how do you price what you can’t rule out?
So basically they found a bug and people panic-sold? Crypto always does this lol. If it was fixed that fast why did it crash that hard?
I don’t even understand Zcash but “unlimited counterfeit” sounds like fraud. Like how was nobody catching this for 4 years?? Feels like everyone just looked away.
Wait, Orchard is the “privacy pool” right? So if someone could make unlimited fake ZEC… isn’t that like the same thing as Bitcoin being hacked? Also why did it take them so long to admit it, just to get a better headline.
I saw this on X and thought it was already over, but then it dropped like 30% in a day?? That Taylor Hornby person found it May 29 and they fixed it June 1… okay so it’s fine? Except the damage is already done, right.