Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: zero-knowledge (1 article)Clear

AI-assisted audit finds 4-year Zcash flaw enabling unlimited counterfeit coins

A critical flaw in Zcash's Orchard privacy pool, the system that lets people send the ZEC cryptocurrency while hiding amounts and parties, could have let an attacker mint unlimited counterfeit coins without detection. Security researcher Taylor Hornby, hired by developer Shielded Labs to probe the code, found it on May 29 using Anthropic's Claude Opus 4.8 model paired with a custom auditing tool, and wrote a working exploit within a day. The bug had survived four years and multiple expert reviews. An emergency fix shipped by June 1. Because the pool hides balances, there is no way to prove whether anyone exploited it earlier.

Check
If you run a Zcash node, operate an exchange listing ZEC, or hold funds in the Orchard shielded pool, confirm your software version against the June 2026 emergency release.
Affected
Zcash Orchard shielded pool, active since May 2022. Node operators, exchanges, and wallets running pre-fix software exposed to undetectable double-spend and counterfeiting of ZEC.
Fix
Upgrade to the emergency-patched Zcash node release published by June 1, 2026, and follow Shielded Labs guidance on the proposed network upgrade adding supply-accounting checks.