
Rotten Apples in the Orchard

Zcash patched a critical privacy pool bug that could have enabled fake ZEC, though, as of now, it can't prove that no fake ZEC was already minted.

It's been a tough week for Zcash.

On May 29th, using Opus 4.8, security researcher Taylor Hornby found a critical vulnerability in Orchard, Zcash's newest and largest shielded pool, while researching the protocol for Shielded Labs, an independent Zcash support organization. He disclosed it privately to Zcash Open Development Lab (ZODL), one of the protocol's core teams, which confirmed it within hours and started coordinating a response.

Because too much public detail could've handed an attacker the blueprint, the fix came in stages.

  • June 2nd: an emergency soft fork disabled Orchard transactions. 
  • June 3rd: the NU6.2 hard fork re-enabled the pool with a corrected circuit, the rulebook that defines a valid private transaction.

Simple, done. A serious bug, found and fixed before any known exploit… or so we thought.

Yesterday, a full post-mortem revealed that the vulnerability was a counterfeiting bug that could have allowed someone to mint unlimited fake ZEC inside Orchard, and that there was no way to test whether it had been exploited.

Though the teams still assess prior exploitation as unlikely, this new context twisted the story from "Zcash patched a bug" into "Zcash patched a bug that could have created counterfeit ZEC inside Orchard, with no formal way to prove whether it did."

What Orchard Is, and What Broke

Orchard is Zcash's newest shielded pool, the private layer where amounts, senders, and recipients stay hidden.

Like other privacy systems, it runs on zero-knowledge proofs. Users prove a transaction followed the rules without revealing the details, and those rules live in the circuit.

The bug was in that circuit, had been since Orchard launched in May 2022, and could have allowed anyone to mint counterfeit ZEC inside Orchard that the network would treat as real. And because Orchard hides amounts and ownership, those units could sit in the pool with no obvious public trace.

In other words, as of now, because Orchard is private, there's no way to inspect its history and conclusively show no counterfeit ZEC was ever created before the fix.

The assessment that prior exploitation was "unlikely" holds up for good reason: the flaw was buried, hard to find, and demanded specialized expertise. But the market is pricing proof, not probability. Until Zcash can confirm no counterfeit ZEC was minted, the protocol is effectively asking users to trust what it cannot yet prove.


So What Happens Next?

Zcash needs a way to prove no counterfeit ZEC remains inside Orchard, or at least force the books into a state where fake ZEC can't hide.

This fix will likely come from two processes: first auditing the supply and then making this class of bug much harder to miss again.

To address the audit, Zooko, Zcash’s founder, proposed migrating the shielded supply into a new Orchard pool. Turnstile accounting caps the value that can leave a pool at the value the chain can prove legitimately entered it. Force Orchard's funds through that turnstile and any fake ZEC hits a wall: more value would try to leave than the chain can prove ever entered. A detailed proposal for this path is due next week.
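To make the turnstile idea concrete, here is a small model added for this article (it is not Zcash code and does not reproduce the actual migration proposal). It assumes the chain publicly tracks, per shielded pool, only the net value that has crossed the pool boundary, and rejects any transfer that would push that balance below zero. The pool names, holders and amounts are constructed; the 300-unit note held by "mallory" stands in for value that was created inside the pool and never entered through the turnstile.

```python
"""Toy model of turnstile accounting for a shielded value pool.

Added illustration, not Zcash code. Assumption: the chain tracks, per pool,
the total value that provably moved in minus the total that moved out, and
rejects any transfer that would make that balance negative. Individual notes
stay hidden; only the net balance is public. Amounts are constructed integers.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Pool:
    """One shielded pool as the chain sees it: a name and a public net balance."""
    name: str
    balance: int = 0


class TurnstileViolation(Exception):
    """A transfer tried to take more out of a pool than the chain can prove went in."""


def transfer(src: Optional[Pool], dst: Optional[Pool], amount: int) -> None:
    """Move `amount` from src to dst. None on either side models the transparent
    (non-shielded) side of the chain, which has no turnstile of its own here."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if src is not None and amount > src.balance:
        raise TurnstileViolation(
            f"{src.name}: withdrawal of {amount} exceeds provable balance {src.balance}"
        )
    if src is not None:
        src.balance -= amount
    if dst is not None:
        dst.balance += amount


def migrate(old: Pool, new: Pool, claims: List[Tuple[str, int]]):
    """Push each claimed note from the old pool through the turnstile into the new one.
    Returns (moved, blocked); a claim is blocked once the old pool's provable
    balance is exhausted, which is the signal that something inside never entered."""
    moved, blocked = [], []
    for holder, amount in claims:
        try:
            transfer(old, new, amount)
            moved.append((holder, amount))
        except TurnstileViolation:
            blocked.append((holder, amount))
    return moved, blocked


def demo() -> dict:
    old, new = Pool("old_pool"), Pool("new_pool")
    # Constructed history: 1_000 units were shielded into the old pool.
    for amt in (400, 350, 250):
        transfer(None, old, amt)
    # Holders claim notes worth 1_300: the 1_000 that entered plus a constructed
    # 300-unit note that was minted inside the pool and never crossed the turnstile.
    claims = [("alice", 400), ("bob", 350), ("carol", 250), ("mallory", 300)]
    moved, blocked = migrate(old, new, claims)
    return {
        "old_balance": old.balance,
        "new_balance": new.balance,
        "moved": moved,
        "blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The model also shows the limit of the technique: the turnstile reveals that the pool holds more than it should, not which note is the fake one. Which claim gets blocked depends purely on ordering, so a migration that hits the wall tells you counterfeit value exists but leaves the question of whose funds are legitimate to be settled some other way.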

For the second, Josh Swihart of ZODL is pointing toward formal verification. It means writing down the rules in a machine-checkable form, then proving the circuit actually follows those rules. It doesn't replace human judgment entirely, but it moves the hardest part from "trust that the auditors caught everything" to "prove the critical constraints are actually there."
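The two ideas above, that the rules live in the circuit and that formal verification means checking the circuit against a written-down specification, can be illustrated with a toy constraint system. This is an added example, not Orchard's circuit or ZODL's verification work, and the defect it models (a missing range constraint that lets field arithmetic wrap around) is a textbook class of circuit bug, not a description of the Orchard flaw. The modulus `P`, the range bound and the note counts are constructed and kept tiny so that every possible witness can be enumerated; real verification reasons symbolically over witnesses that cannot be enumerated.

```python
"""Toy 'circuit' versus its specification.

Added example, not Zcash code. A circuit here is a list of constraint
functions over a witness (one input amount, N_OUT output amounts). The spec
is the rule the circuit is supposed to enforce, stated over ordinary integers.
Checking that every witness the circuit accepts also satisfies the spec is the
soundness question formal verification answers; here the toy domain is small
enough to brute-force it. P, RANGE and N_OUT are constructed values.
"""

from itertools import product

P = 31        # toy field modulus (real circuits use ~255-bit primes)
RANGE = 8     # amounts must lie in [0, RANGE): the toy 'value is a small integer' rule
N_OUT = 2     # one input note spent into two output notes, no fee


def spec_holds(inp: int, outs) -> bool:
    """Intended rule over the integers: every amount is in range and value is conserved."""
    return all(0 <= v < RANGE for v in (inp, *outs)) and inp == sum(outs)


def balance_constraint(inp: int, outs) -> bool:
    """Field equation the prover must satisfy: inp == sum(outs)  (mod P)."""
    return (inp - sum(outs)) % P == 0


def range_constraint(inp: int, outs) -> bool:
    """Each amount is a small integer, so sums cannot wrap around P."""
    return all(0 <= v < RANGE for v in (inp, *outs))


# The buggy circuit forgets the range check; the fixed one includes it.
BUGGY_CIRCUIT = [balance_constraint]
FIXED_CIRCUIT = [balance_constraint, range_constraint]


def circuit_accepts(circuit, inp: int, outs) -> bool:
    """A proof verifies iff every constraint in the circuit holds for the witness."""
    return all(c(inp, outs) for c in circuit)


def soundness_counterexample(circuit):
    """Search every witness over the field for one the circuit accepts but the
    spec rejects. Returns (inp, outs) for the first such witness, or None if the
    circuit is sound on this toy domain."""
    for inp, *outs in product(range(P), repeat=1 + N_OUT):
        if circuit_accepts(circuit, inp, outs) and not spec_holds(inp, outs):
            return inp, tuple(outs)
    return None


def minted_value(inp: int, outs) -> int:
    """Value a witness creates out of nothing, measured over the integers."""
    return sum(outs) - inp


if __name__ == "__main__":
    bad = soundness_counterexample(BUGGY_CIRCUIT)
    print("buggy circuit counterexample:", bad, "mints", minted_value(*bad))
    print("fixed circuit counterexample:", soundness_counterexample(FIXED_CIRCUIT))
```

The point the toy makes is the one in the paragraph above: auditors read the constraints and ask "does this look right?", whereas a spec check asks the mechanical question "is there any witness the constraints accept that the spec forbids?". For the buggy circuit that question has a concrete answer, a witness whose outputs sum to exactly `P` more than its input, which the field equation cannot see; for the fixed circuit the search comes back empty.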

There are two ways Zcash can course-correct. A formally verified version of that same new pool could be the interim step, in principle targeting the NU7 upgrade at the end of July, though nothing's committed.

The cleaner long-term answer is Tachyon, a new shielded protocol being designed around simpler foundations and formal-verification tooling. The goal is to cut the hand-coded complexity that made Orchard so hard to reason about, allowing its circuits to be checked far more rigorously. A verified Orchard pool would bridge the gap until Tachyon arrives.

Welcome to the era where AI surfaces protocol-breaking bugs.

Here’s the prompt that broke Zcash:

While we wait for updates on whether any counterfeit ZEC did in fact make it into Orchard, make sure the projects behind your tokens have the kind of relationship with security researchers and engineers that Zcash does. Pray if you want, but verify the process. That relationship is why Zcash may have caught this before an attacker did, as Tayvano notes.

It may feel like I’m banging your head against a wall, but I'll say it anyway. We're standing in a new paradigm with both feet, and it can break protocols securing north of $10 billion.


Written by David Christopher


David is a writer/analyst at Bankless. Prior to joining Bankless, he worked for a series of early-stage crypto startups and on grants from the Ethereum, Solana, and Urbit Foundations. He graduated from Skidmore College in New York. He currently lives in the Midwest and enjoys NFTs, but no longer participates in them.
