Shielded Labs has disclosed a critical vulnerability in Orchard, the shielded pool at the core of Zcash’s private transaction system. Security researcher Taylor Hornby uncovered the flaw during an internal audit on May 29. The vulnerability lay in the zero-knowledge proof circuit that secures private transfers and, in theory, made it possible to create undetectable counterfeit ZEC inside the pool. Hornby built a working demonstration of the exploit in a local test environment. Developers moved swiftly, first disabling Orchard on the network, then deploying a full patch with the NU 6.2 upgrade on June 3. Shielded Labs made the incident public on June 4.
The Zcash Foundation says the bug was closed before anyone is known to have abused it, but the privacy trade-off here is stark. Because shielded pools deliberately limit traceability, there is no cryptographic way to prove the vulnerability was never exploited between Orchard’s launch in May 2022 and the patch in June 2026. That uncertainty helps explain the sharp market reaction, with ZEC dropping roughly 30 to 40% after the disclosure. Traders were reacting not to proven theft, but to doubt over whether Zcash’s total supply could still be trusted.