TechFlow News: On June 5, Zooko, co-founder of Zcash, revealed in a post that on May 29, 2026, security researcher Taylor Hornby discovered a critical forgery vulnerability in Zcash’s Orchard pool circuit using Anthropic’s latest AI model, Opus 4.8. The vulnerability stems from insufficient constraints on elliptic-curve multiplication and could be exploited to mint ZEC tokens infinitely and undetectably out of thin air. It has remained undetected for over four years since the Orchard upgrade activated in May 2022. Upon learning of the issue, the Zcash Open Development Lab (ZODL) swiftly coordinated with ecosystem stakeholders and completed an emergency fix on June 1.
Due to Orchard’s privacy features, it is currently impossible to cryptographically prove whether the vulnerability was exploited prior to the fix. However, Shielded Labs assesses the likelihood of prior malicious exploitation as low. Moving forward, Shielded Labs plans to roll out a network upgrade that will enforce gatekeeping audits on all transfers involving the Orchard pool, enabling public verification of ZEC supply integrity.
