Zcash plummets 30% as Shielded Labs reveals a major bug that went undetected for four years
Shielded Labs revealed that the bug could have helped an attacker print unlimited counterfeit tokens. That could have damaged trust in the token's supply and its value.
Zcash plummets 30% as Shielded Labs reveals a major bug that went undetected for four years
Shielded Labs revealed that the bug could have helped an attacker print unlimited counterfeit tokens. That could have damaged trust in the token’s supply and its value.
Shielded Labs disclosed a critical bug in its Zcash’s Orchard privacy pool that could have allowed unlimited, undetectable counterfeit tokens.
The vulnerability, present since Orchard’s activation in May 2022, was discovered on May 29 by security engineer Taylor Hornby using Anthropic’s Opus 4.8 AI model and was patched in an emergency fix by June 1.
Shielded Labs says there is no cryptographic way to know whether the flaw was exploited before the fix, and is proposing a network upgrade with new accounting measures and expanded security efforts to restore confidence in ZEC’s supply integrity.
The vulnerability was discovered on May 29 by Taylor Hornby, a security engineer engaged by Shielded Labs in April 2026 specifically to identify protocol vulnerabilities before malicious actors could. Working with Anthropic’s recently released Opus 4.8 AI model, Hornby conducted a highly targeted review of the Orchard circuit, which is the cryptographic system underpinning Zcash’s most advanced privacy pool.
Shielded Labs said Hornby wrote a complete exploit which, when tested in a local testing environment, generated unlimited, undetectable counterfeit ZEC. Shielded Labs added that if the same tool had been run on Zcash mainnet, it would have generated unlimited, undetectable counterfeit tokens in his mainnet wallet.
Imagine an attacker quietly printing unlimited counterfeit ZEC and holding them undetected. The damage to trust in the supply and, by extension, the token’s market value could have been severe.
Hornby immediately disclosed the vulnerability to the Zcash Open Development Lab (ZODL), which coordinated an emergency fix on June 1, closing it within days of discovery.
Bug undetected for four years
Still, what appears to be a proactive approach to fixing bugs has not impressed markets. That’s possibly because, as Shielded Labs itself admitted, the bug had been present since Orchard’s activation in May 2022. In other words, it existed, undetected, for four years.
What makes the situation even more complex for markets is Shielded Labs’ acknowledgement that it cannot say for sure whether the bug was exploited before the fix.
“What makes this particularly challenging is that, due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine using only cryptography whether such exploitation occurred before the vulnerability was discovered and fixed. We believe it is important to be transparent about that uncertainty,” the firm said.
Still, it stressed that exploitation likely didn’t happen for several reasons. First, the bug had evaded years of scrutiny by experienced cryptographers. It came to light only with the help of cutting-edge AI tools and highly skilled researchers working deliberately to find it. And once discovered, it was fixed quickly, leaving little time for anyone to exploit it.
“We think he probably succeeded,” Shilded Labs said of Hornby’s efforts to find the vulnerability before malicious actors could.
However, the organization was careful to add that users should not rely solely on their assessment and proposed a network upgrade that would allow anyone to verify the integrity of the ZEC supply independently. The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool. The firm said it could publish a detailed post on the same next week.
It also said it is accelerating security efforts, including continued work with Hornby, a formal verification project aimed at writing a mathematical proof that there are no undiscovered bugs in the Orchard circuit, and new hires for a Head of Security and a Cryptographer.
AI Disclaimer: Parts of this article were generated with the assistance from AI tools and reviewed by our editorial team to ensure accuracy and adherence to our standards. For more information, see CoinDesk’s full AI Policy.
Backed by economist Nouriel Roubini, a long-time anti-bitcoin advocate, and known as ‘Dr. Doom,’ the Atlas CEO, Reza Bundy, shot a short-term warning for bitcoin but stayed bullish in the long-term.
What to know:
Reza Bundy, CEO of investment advisory firm Atlas Capital, warns that bitcoin could see a drawdown of up to 70% within six months, especially if equities suffer a major decline.
Despite echoing Nouriel Roubini’s near-term bearishness, Bundy projects a long-term price range of $150,000 to $500,000 depending on global economic…
