A serious vulnerability has been discovered in the Zcash cryptocurrency, affecting the Orchard shielded pool. According to a report by Shielded Labs, the issue made uncontrolled issuance of ZEC possible, potentially allowing malicious actors to issue an unlimited number of coins. Following the publication of the report and active selling, the price of ZEC fell sharply by more than 50% — from $644 to $299 per token.
This is reported by Finway.
Details of the Vulnerability in the Orchard Pool
Zcash is an open decentralized cryptocurrency focused on ensuring transaction anonymity. Orchard is one of its shielded pools, where zero-knowledge proofs are used to confirm transaction facts without revealing information about the participants.
For the audit of the protocol, Shielded Labs engaged security expert Taylor Hornby, who combined classical tools with modern AI models, including Claude Opus 4.8. On May 29, 2026, he discovered the vulnerability and confirmed its exploitability. The data was promptly forwarded to the Zcash Open Development Lab, and the flaw was fixed by June 2.
According to the report, the vulnerability had existed since the launch of Orchard in May 2022. It was related to insufficient constraints on the inputs to the elliptic-curve point multiplication operation in the Halo 2 scheme. As a result, the network could accept incorrect data, opening the way for the issuance of additional tokens.
Shielded Labs did not provide a full technical description but noted that due to the confidential nature of transactions, it is impossible to determine whether this vulnerability was practically exploited for ZEC issuance. At the same time, the organization assesses the risk of exploitation as low: the vulnerability remained hidden, and after its discovery, the window for abuse was short.
Possible steps to protect the ecosystem include launching a new pool and conducting an audit using so-called turnstiles. This will require approval from the Zcash community.
Expert Feedback and Market Dynamics
The discovery of the vulnerability drew a strong reaction in the crypto community. One of the first to respond was well-known crypto investor and former BitMEX CEO Arthur Hayes, who openly stated that he had completely exited his ZEC position, although he had previously actively supported the asset.
“While I believe the likelihood of coin issuance is extremely low, it is cryptographically impossible to formally prove that it is impossible. Privacy from AI, the government, and large tech companies requires not just low probability, but absolute reliability,” he emphasized.
According to Hayes, the news of the technical flaw significantly influenced his decision to lock in profits and exit the investment. At the same time, he does not rule out returning to ZEC if the situation normalizes.
Some market participants emphasize that there was no mass panic selling. According to their observations, the majority of shielded tokens remained inactive, and only about 26,000 ZEC made it to the exchange. At the time of publication, the asset’s price is testing the $300 level, with no signs of a quick recovery.

According to CoinGecko, ZEC has been recognized as one of the most volatile crypto assets of 2025.