ZEC plunges more than 31% in 24 hours after Zcash reveals Orchard pool "infinite minting" bug

ME News reported that on June 5 (UTC+8), Zcash founder Zooko Wilcox said the Zcash Orchard pool previously contained a critical forgery flaw that could have allowed an attacker to create unlimited, undetectable counterfeit ZEC within the Orchard pool. The issue was found on May 29 by security researcher Taylor Hornby during a targeted audit using Anthropic's Opus 4.8 model and was reported to the Zcash Open Development Lab (ZODL). ZODL then coordinated an emergency response across the Zcash ecosystem, with a fix completed on June 2. Hornby also built a full proof-of-concept exploit with Opus 4.8 in a local regtest environment, demonstrating the ability to generate unlimited, undetectable forged ZEC in testing. If deployed on Zcash mainnet, the same approach could potentially produce unlimited, undetectable forged ZEC in mainnet Zcash wallets. According to the disclosure, the bug came from an underconstrained element in the Orchard circuit, enabling attackers to feed arbitrary falsified values into an elliptic-curve multiplication while still passing the multiplication check. The flaw dated back to Orchard's activation in May 2022 and remained until an emergency patch was deployed on June 1, 2026. Because of Orchard's privacy design and the nature of the vulnerability, cryptographic checks alone cannot currently confirm whether the flaw was exploited before it was fixed. Shielded Labs said it believes the probability of prior exploitation is low and is exploring a network upgrade to launch a new privacy pool, reconcile all tokens in the Orchard pool, and allow anyone to verify Zcash supply integrity and prove no forged ZEC exists in Orchard. Following the Orchard pool disclosure, ZEC fell more than 31% over the past 24 hours and was trading at $410.5. Source: X platform.