Zcash Reveals Critical Flaw in Orchard Shielded Pool; ZEC Slides 45%

CoinMarketCap reports that Zcash has disclosed a critical vulnerability affecting Orchard, the shielded pool that powers its privacy transactions. In theory, the flaw could allow an attacker to create counterfeit ZEC that would be difficult to detect. After the disclosure, ZEC fell about 45% in a 24-hour period, with most of the drop occurring soon after the news broke as investors reassessed the security of Zcash's privacy infrastructure. The issue was found by security researcher Taylor Hornby during a commissioned audit led by Shielded Labs, an independent group that supports the Zcash ecosystem. According to the report, the weakness sits in the Orchard circuit—the zero-knowledge proof system behind shielded transactions. Investigators said the root cause was insufficient input constraints in elliptic-curve computations, allowing invalid values to pass verification and be accepted as valid proofs. In a test environment, the team demonstrated that forged ZEC could be generated without being detected. Shielded Labs said the vulnerability has been present since Orchard was activated in May 2022. It was fixed within days of discovery, and the patch was deployed on June 1. While the severity was described as high, Shielded Labs said there is no clear evidence the flaw was exploited on the live network. Because shielded transactions are private, the report noted that it is not possible to conclusively verify historical activity from outside observers. No external party has confirmed abnormal changes in ZEC supply so far, but the length of time the flaw existed may continue to weigh on market perceptions of Zcash's risk controls.