ZEC tumbles more than 31% after critical Orchard bug raises infinite-minting risk
Martian Finance said Zcash founder Zooko Wilcox disclosed on June 5 a critical forgery flaw affecting the Zcash Orchard pool, a vulnerability that could allow the creation of an unlimited amount of undetectable, forged ZEC within Orchard.
The issue was found on May 29 by security researcher Taylor Hornby during a targeted audit using Anthropic's Opus 4.8 model and was reported to the Zcash Open Development Lab (ZODL). ZODL coordinated an emergency response across the Zcash ecosystem, with a fix completed on June 2.
Hornby also built a full exploit program in a local regtest environment using Opus 4.8. In testing, it could generate unlimited forged ZEC that remained undetectable. Had it been deployed on the Zcash mainnet, the tool could have produced the same unlimited, undetectable forged ZEC, which would have appeared in mainnet Zcash wallets.
The root cause was an insufficiently constrained element in the Orchard circuit. Attackers could supply arbitrary false inputs to an elliptic curve multiplication step while still passing the multiplication verification check. The flaw existed from the activation of the Orchard protocol in May 2022 until an emergency patch was deployed on June 1, 2026.
Because of Orchard's privacy design and the nature of the bug, cryptographic analysis alone cannot determine whether the vulnerability was exploited before the fix. Shielded Labs said it considers prior exploitation unlikely and is evaluating a network upgrade that would introduce a new privacy pool and add turnstile accounting for all tokens in the Orchard pool, allowing anyone to verify Zcash's supply integrity and demonstrate the absence of forged ZEC within Orchard.
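The turnstile idea mentioned above can be sketched as follows. This is an added example, not code from Zcash, ZODL or Shielded Labs. It is a simplified model in which the Block class, the sign convention and the sample amounts are all assumptions made for illustration. It shows why value forged inside a shielded pool stays invisible until more value leaves the pool than ever entered it.

```python
from dataclasses import dataclass, field

@dataclass
class Block:
    height: int
    # Per-transaction net value leaving the pool, in zatoshis (assumed sign
    # convention): positive = withdrawal, negative = deposit, 0 = fully shielded.
    value_balances: list = field(default_factory=list)

class TurnstileViolation(Exception):
    def __init__(self, height, balance):
        super().__init__(f"block {height}: pool balance would be {balance}")
        self.height, self.balance = height, balance

def check_turnstile(blocks, starting_balance=0):
    """Return (height, pool balance) per block; raise on a negative balance."""
    balance = starting_balance
    history = []
    for block in blocks:
        # Only the public net flow is visible; amounts inside the pool are hidden.
        balance -= sum(block.value_balances)
        if balance < 0:
            raise TurnstileViolation(block.height, balance)
        history.append((block.height, balance))
    return history

def first_violation(blocks):
    """Height of the first block that breaks the turnstile, or None."""
    try:
        check_turnstile(blocks)
    except TurnstileViolation as exc:
        return exc.height
    return None

# Constructed sample chains (not real chain data).
HONEST = [Block(1, [-500]), Block(2, [-300]), Block(3, [200])]
# Block 2 stands for a forgery inside the pool: its public net flow is 0, so
# nothing is visible until withdrawals exceed the 800 that was deposited.
FORGED = [Block(1, [-800]), Block(2, [0]), Block(3, [700]), Block(4, [250])]

if __name__ == "__main__":
    print(check_turnstile(HONEST))
    print(first_violation(FORGED))
```

In this model the forged chain passes the check through block 3, because withdrawals are still covered by real deposits. Only when all tokens have to exit through the turnstile does the total leaving the pool become comparable with the total that entered.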
Market data show ZEC fell more than 31% over the past 24 hours, last trading at $410.50.