Quantstamp Breaks Down How a Counterfeiting Bug Hid in Zcash’s Orchard Pool for Four Years
Security firm Quantstamp has published a technical breakdown of the Zcash counterfeiting bug that lived inside the Orchard privacy pool for roughly four years, detailing how a flaw capable of minting undetectable shielded ZEC slipped past multiple audits before it was patched this month.
The bug traces to an under-constrained element of the Orchard circuit, the zero-knowledge component that validates Zcash’s shielded transactions. According to the official disclosure from Shielded Labs founder Zooko Wilcox and researcher Taylor Hornby, the missing constraint made it possible to feed arbitrary false inputs into an elliptic-curve multiplication and still have the proof check pass. That gap let a single shielded note be spent more than once, doubling its value behind a valid-looking proof and creating counterfeit ZEC that the network would accept as genuine. Quantstamp framed the disclosure as the first installment in a deeper post-mortem series.
Four-Year Window
The flaw was present from Orchard’s activation in May 2022 until the emergency fix on June 1, 2026, surviving repeated reviews by cryptographers across that span. Hornby surfaced it on May 29 while auditing the protocol for Shielded Labs, using Anthropic’s Opus 4.8 model alongside a custom AI harness to write a working exploit that generated unlimited counterfeit ZEC in a local test environment.
Quantstamp’s framing centers on why this class of bug is harder to assess than a conventional exchange breach. The vulnerability was an under-constrained element of the Orchard circuit, the kind of subtle soundness gap that does not announce itself in normal operation and only matters when an attacker deliberately constructs a malformed proof.
A circuit constraint is a rule the zero-knowledge proof enforces, and a missing one does not break valid transactions. Honest users kept transacting normally for four years because their proofs satisfied every rule that did exist. The gap only mattered to someone deliberately probing for inputs the circuit failed to reject, which is part of why standard testing and even specialist review did not catch it. Hornby has described the find as the product of a targeted look at the Orchard circuit rather than a routine pass, with the latest AI tooling steering the search toward exactly that under-constrained element.
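To make "a missing constraint does not break valid transactions" concrete, here is an added toy example (constructed for this article; not code from Quantstamp, Shielded Labs or the real Orchard circuit): a double-and-add scalar multiplication written as a list of constraints, with the "each bit is 0 or 1" rules optionally left out. Honest witnesses pass either way; a brute-force count of accepting witnesses for one fixed public statement, a check auditors apply to deterministic sub-circuits, is what exposes the under-constrained version. Assumptions: addition mod 31 stands in for the elliptic-curve group, and the scalar is claimed to be 3 bits wide.

```python
from itertools import product

P = 31      # toy group order (constructed; real circuits use ~255-bit fields)
NBITS = 3   # the scalar is claimed to be a 3-bit value

def fill_accumulators(bits, G):
    """Prover side: run double-and-add (MSB first) and record every intermediate."""
    w = {f"b{i}": bits[i] for i in range(NBITS)}
    acc = 0
    for i in range(NBITS):
        acc = (2 * acc + bits[NBITS - 1 - i] * G) % P
        w[f"acc{i}"] = acc
    return w

def constraints(w, public, booleanity):
    """Verifier side: residual of every constraint; the proof passes only if all are 0.
    `booleanity` toggles the b_i*(b_i-1)=0 rules, i.e. the constraint the buggy version lacks."""
    G, R = public["G"], public["R"]
    b = [w[f"b{i}"] for i in range(NBITS)]
    acc = [w[f"acc{i}"] for i in range(NBITS)]
    res = [(acc[0] - b[NBITS - 1] * G) % P]
    for i in range(1, NBITS):
        res.append((acc[i] - 2 * acc[i - 1] - b[NBITS - 1 - i] * G) % P)
    res.append((acc[-1] - R) % P)                 # result must match the public claim
    if booleanity:
        res += [(bi * (bi - 1)) % P for bi in b]  # each "bit" really is 0 or 1
    return res

def accepts(w, public, booleanity):
    return all(r == 0 for r in constraints(w, public, booleanity))

def honest_witness(k, G):
    """What an honest prover produces for 0 <= k < 2**NBITS."""
    return fill_accumulators([(k >> i) & 1 for i in range(NBITS)], G)

def count_witnesses(public, booleanity):
    """Audit heuristic: for one fixed public statement, enumerate every assignment of the
    free variables (the accumulators are determined by the bits) and count how many the
    verifier accepts. A deterministic sub-circuit should admit at most one."""
    return sum(accepts(fill_accumulators(list(bits), public["G"]), public, booleanity)
               for bits in product(range(P), repeat=NBITS))

if __name__ == "__main__":
    public = {"G": 1, "R": 5}   # claim: R is a 3-bit multiple of G
    print("witnesses accepted, constrained:  ", count_witnesses(public, True))
    print("witnesses accepted, under-constrained:", count_witnesses(public, False))
```

With the bit rules present exactly one witness is accepted; without them every choice of the other two "bits" can be compensated by the first, so the count jumps to P squared even though the honest witness looked fine under both verifiers.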
Shielded Supply
The deeper problem is detection. In a transparent chain, an inflated supply shows up the moment balances stop adding up. Orchard is fully shielded, so the amounts and the proofs are hidden by design, and the same privacy guarantees that make Zcash attractive also make it impossible to audit the shielded supply for coins minted before the patch.
Shielded Labs stated there is no way to cryptographically prove whether the bug was ever exploited. The team’s assessment is that prior exploitation seems unlikely, citing the years the flaw evaded the world’s leading cryptographers and the speed with which the Zcash Open Development Lab closed the window once it was reported. On-chain researchers reached a similar read, finding no evidence in the public record that anyone abused the flaw before it was fixed.
After The Patch
The disclosure is the latest beat in a response that began earlier this month. On June 4, Shielded Labs proposed a network upgrade to prove the integrity of the ZEC supply, going beyond the emergency patch by deploying a new shielded pool and enforcing turnstile accounting on every coin migrating out of Orchard. That proposal still has to clear Zcash’s standard governance process before activation.
The episode lands as zero-knowledge systems take on more value across the industry. Aztec this week told V4 users to withdraw before June 25 after a V5 upgrade exposed security flaws, and privacy assets have drawn fresh scrutiny after Monero’s role in a $120M laundering run traced by ZachXBT. Quantstamp said the remaining installments of its breakdown will cover how the fix was coordinated and what the response implies for auditing shielded systems.