TL;DR:
- Zcash dropped 42.2% in just 24 hours after a critical bug in its Orchard Privacy Pool was disclosed, having gone undetected for four years.
- The vulnerability allowed unlimited and undetectable minting of fake ZEC tokens; it was discovered on May 29 with the help of Anthropic’s Opus 4.8 AI model.
- Shielded Labs admitted there is no cryptographic way to confirm whether the flaw was exploited before the patch, which was applied on an emergency basis on June 1.
Zcash plunged 42.2% over the last 24 hours and is currently trading around $304, according to CoinMarketCap data. The collapse followed the public disclosure of a critical vulnerability in its Orchard privacy pool that, had it been exploited, would have allowed unlimited and undetectable minting of fake ZEC tokens. Trading volume surged 111% and exceeded $2.8 billion over the same period.
The disclosure was published by Shielded Labs, a nonprofit organization dedicated to protocol development, through its X account on Thursday night. According to the report, the flaw resided in the cryptographic circuit underpinning Orchard, Zcash’s most advanced privacy pool, and had remained active since the activation of that system in May 2022 — meaning it went four years without being detected.
— zooko🛡🦓🦓🦓 â“© (@zooko) June 4, 2026
The Zcash Bug Was Found Using AI
The discovery was made by Taylor Hornby, a security engineer hired by Shielded Labs in April 2026 with the explicit goal of identifying vulnerabilities in the protocol before malicious hackers could. Hornby worked with Opus 4.8, the recently released artificial intelligence model by Anthropic, and developed a complete exploit that, when tested in a local environment, generated fake ZEC tokens in an unlimited and undetectable manner. The vulnerability was immediately reported to the Zcash Open Development Lab (ZODL), which coordinated an emergency patch applied on June 1.
What markets could not ignore, however, was Shielded Labs’ admission regarding the impossibility of verifying whether the bug was exploited before it was patched. “There is no definitive way to determine, using cryptography alone, whether there was an exploit before the vulnerability was discovered and fixed,” the organization stated in its report. Despite those uncertainties, the firm argued that no exploit likely occurred: the flaw had evaded years of review by experienced cryptographers and was only found through state-of-the-art AI tools and a highly targeted analysis.
Shielded Labs’ Solution
In response, Shielded Labs proposed a network upgrade that would include a new shielded pool and accounting controls over all funds originating from the Orchard pool, so that any user can independently verify the integrity of Zcash’s supply.
The organization also announced it will deepen its security measures, including a formal verification project to mathematically prove the absence of bugs in the Orchard circuit and the hiring of a security director and a cryptographer.
