A critical flaw in Zcash’s Orchard privacy pool could have allowed an attacker to create unlimited counterfeit $ZEC without anyone detecting it.

The vulnerability was discovered on May 29 by security researcher Taylor Hornby during an AI-assisted audit and was patched within days through an emergency response coordinated by the Zcash ecosystem.

⚠️ The most concerning part: because Orchard is designed for privacy, there is no cryptographic way to prove whether the bug was exploited before the fix was deployed.

Researchers successfully demonstrated the exploit in a test environment, generating unlimited fake ZEC that appeared completely valid. Had it been used on the live network, counterfeit coins could have entered circulation undetected.

The flaw had existed since Orchard launched in 2022, but developers believe prior exploitation is unlikely due to the complexity of the bug and the limited number of people capable of discovering it.

To restore confidence, Zcash developers are now exploring a network upgrade that would allow anyone to verify the integrity of the ZEC supply and prove that no counterfeit coins exist in the Orchard pool.

This was one of the most serious vulnerabilities ever discovered in Zcash—and a reminder that even leading privacy-focused blockchains are not immune to critical security risks.

By Adeem Jutt

#ZEC #zcash #ZECUSDT