Zcash disclosed a previously unknown vulnerability in its Orchard privacy pool that could have allowed theoretical token forgery, prompting a brief shutdown of the pool and raising concerns about supply transparency. The issue, revealed on June 5, triggered a sharp market reaction as the price of ZEC dropped from about $621 to near $303 before stabilizing around $415 to $427 within days.
Founder Zooko Wilcox said the flaw was most likely never exploited. No irregularities have been detected in historical transaction data, which would typically reveal forged coins entering circulation.
Flaw discovered after years of review
The vulnerability had existed since Orchard launched in May 2022 and had gone unnoticed despite multiple audits. It was eventually identified by researcher Hornby using AI-assisted tools. This raised fresh questions about the limits of traditional cryptographic reviews and the growing role of AI in detecting complex issues.
Developers responded quickly by freezing the Orchard pool and deploying a coordinated patch with miners. This action closed the brief window in which any potential misuse could have occurred.
Recovery steps and user guidance
Following the fix, developers confirmed that all legitimate funds within Orchard remain secure and can be accessed normally. However, users moving funds to transparent addresses may expose transaction details such as amounts and timestamps.
Funds transferred to the Sapling pool offer partial privacy, revealing amounts but not wallet identities. This system depends on a trusted setup from 2018. Supported self-custody options currently include YWallet and Zkool, while newer wallets or custodial services may introduce additional risks.
Transparency concerns and verification limits
The incident temporarily made it impossible for node operators to independently verify Zcash’s total supply. This stands in contrast to the auditability expected from many digital assets, where supply caps can typically be confirmed in real time.
Developers acknowledged that historical shielded pools could theoretically contain undetected anomalies, although no evidence suggests this occurred.
Ironwood upgrade aims to restore trust
Attention has now shifted to the upcoming Ironwood network upgrade, expected by the end of July 2026. The update is designed to restore full supply verification and prevent similar issues in the future.
- sealing the Orchard pool to new deposits
- introducing a new shielded pool
- requiring all exiting funds to pass through a strict accounting checkpoint
This mechanism is intended to ensure that any hypothetical forged tokens cannot enter circulation.
Wilcox said the upgrade will allow anyone running a node to independently confirm that the total supply does not exceed its intended limit. He also noted that sealing Orchard prevents any hidden coins, if they existed, from moving further through the system.
Ongoing audits show no further threats
Parallel investigations by Shielded Labs, the Tachyon Project, and external specialists found no additional forgery risks. A separate review using Anthropic’s Mythos AI model also reported no major vulnerabilities.
Until Ironwood is implemented, developers will continue forensic analysis of past shielded pools to confirm that no unnoticed issuance has taken place.
Market stabilizes as upgrade approaches
Despite the initial sell-off, the market has partially recovered as confidence improves. Zcash’s total market value stood near $6.94 billion as of June 12.
The coming weeks are expected to center on the Ironwood rollout. Traders are watching closely for wallet migration guidance and are being advised to avoid unnecessary transfers during the upgrade window, as the network transitions to a new model aimed at restoring long-term integrity.
Concerned about protocol security and transparency? Learn how exchanges safeguard your funds with advanced risk control systems.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.
