| 24h Majors & Movers | ||||||
|
BTC $59.8k | ↘ 6% |
|
HYPE $58 | ↘ 13% | |
|
ETH $1.5k | ↘ 12% |
|
NEAR $1.9 | ↘ 20% | |
|
SOL $62 | ↘ 10% |
|
ZEC $321 | ↘ 40% | |
Sponsor: MetaMask – Trade perps with up to 50x leverage, powered by Hyperliquid.
- 🏛️ Securitize cleared a key SEC hurdle for its planned SPAC merger with Cantor Equity Partners II, putting the BlackRock-backed tokenization firm behind BUIDL closer to trading on the NYSE.
- ⚖️ Sen. Angela Alsobrooks, who was vital in moving CLARITY out of committee, said she will not support the bill on the floor unless negotiators reach a deal on ethics provisions, illicit finance language, and Agriculture Committee issues.
- 🎲 South Korean police launched the country’s first known probe into domestic
Polymarket users over alleged illegal gambling tied to June 3 local election markets, with users potentially facing fines under existing betting laws.
It's been a tough week for Zcash.
On May 29th, using Opus 4.8, security researcher Taylor Hornby found a critical vulnerability in Orchard, Zcash's newest and largest shielded pool, while researching the protocol for Shielded Labs, an independent 
Zcash support organization. He disclosed it privately to Zcash Open Development Lab (ZODL), one of the protocol's core teams, which confirmed it within hours and started coordinating a response.
Enjoying this article?
Subscribe to Bankless or sign in
Because too much public detail could've handed an attacker the blueprint, the fix came in stages.
- June 2nd: an emergency soft fork disabled Orchard transactions.
- June 3rd: the NU6.2 hard fork re-enabled the pool with a corrected circuit, the rulebook that defines a valid private transaction.
Simple, done. A serious bug, found and fixed before any known exploit… or so we thought.
Yesterday, a full post-mortem revealed the vulnerability was a counterfeiting bug that could have allowed someone to mint unlimited fake ZEC inside Orchard and that there was no way to test whether it had been exploited.
Though the teams still assess prior exploitation as unlikely, this new context twisted the story from "Zcash patched a bug" into "Zcash patched a bug that could have created counterfeit ZEC inside Orchard, with no formal way to prove whether it did."
What Orchard is, And What Broke
Orchard is Zcash's newest shielded pool, the private layer where amounts, senders, and recipients stay hidden.
Like other privacy systems, it runs on zero-knowledge proofs. Users prove a transaction followed the rules without revealing the details, and those rules live in the circuit.
The bug was in that circuit, had been since Orchard launched in May 2022, and could have allowed anyone to mint counterfeit ZEC inside Orchard that the network would treat as real. And because Orchard hides amounts and ownership, those units could sit in the pool with no obvious public trace.
In other words, as of now, because Orchard is private, there's no way to inspect its history and conclusively show no counterfeit ZEC was ever created before the fix.
The assessment that prior exploitation was "unlikely" though holds up for good reason: the flaw was buried, hard to find, and demanded specialized expertise. But the market is pricing proof, not probability. Until Zcash can confirm no counterfeit ZEC was minted, the protocol is effectively asking users to trust what it cannot yet prove.
So What Happens Next?
Zcash needs a way to prove no counterfeit ZEC remains inside Orchard, or at least force the books into a state where fake ZEC can't hide.
This fix will likely come from two processes: first auditing the supply and then making this class of bug much harder to miss again.
To address the audit, Zooko, Zcash’s founder, proposed migrating the shielded supply into a new Orchard pool. Turnstile accounting caps how much value can leave a pool at how much legitimately entered it. Force Orchard's funds through that turnstile and any fake ZEC hits a wall: more value would try to leave than the chain can prove ever entered. A detailed proposal for this path is due next week.
For the second, Josh Swihart of ZODL is pointing toward formal verification. It means writing down the rules in a machine-checkable form, then proving the circuit actually follows those rules. It doesn't replace human judgment entirely, but it moves the hardest part from "trust that the auditors caught everything" to "prove the critical constraints are actually there."
There are two ways Zcash moves forward. A formally verified version of that same new pool could be the interim step, in principle targeting the NU7 upgrade at the end of July, though nothing's committed.
The cleaner long-term answer is Tachyon, a new shielded protocol being designed around simpler foundations and formal-verification tooling. The goal is to cut the hand-coded complexity that made Orchard so hard to reason about, allowing its circuits to be checked far more rigorously. A verified Orchard pool would bridge the gap until Tachyon arrives.
Welcome to the era where AI surfaces protocol-breaking bugs.
Here’s the prompt that broke Zcash:
bro basically said "look for bugs that could exploit zcash"
— Frank (@frankdegods) June 4, 2026
that's the prompt that found an exploit in a 10 billion dollar protocol pic.twitter.com/4S7PJ2BeYZ
While we wait for updates on if any counterfeit ZEC did in fact make it into Orchard, make sure the projects behind your tokens have the kind of relationship with security researchers and engineers that Zcash does. Pray if you want, but verify the process. That relationship is why Zcash may have caught this before an attacker did, as Tayvano notes.
It may feel like I’m banging your head against a wall, but I'll say it anyway. We're in a new paradigm with both feet, and it breaks protocols securing north of $10 billion dollars.
Long or short ETH, BTC, NVIDIA, the S&P 500, oil, and 150+ assets with up to 50x leverage with 
MetaMask Perps, powered by Hyperliquid. Trade in two taps with easy funding, order limits, take profit, and stop loss. No KYC, no CEX deposit, total self-custody. Now on mobile and extension.
Bitcoin is bleeding, STRC is off peg, and Saylor’s “never sell” machine is facing its first real confidence test.
David and Haseeb unpack whether Strategy can survive without selling BTC, why Bitmine’s ETH play may be stronger but riskier, and what select token strength, U.S. perps, and Coinbase’s Ethena deal reveal about crypto’s next phase.
Don't miss the full conversation! 👇
