Zcash Patches Critical Counterfeiting Bug in Orchard Shielded Pool
A critical soundness vulnerability was discovered in Zcash’s Orchard shielded pool that could have permitted the creation of counterfeit ZEC within the pool. The bug, present since Orchard’s launch in May 2022, was identified on 29 May by independent researcher Taylor Hornby during an audit commissioned by Shielded Labs. Protocol developers at the Zcash Open Development Lab and the Zcash Foundation, together with other ecosystem participants, coordinated a confidential emergency response with miners, exchanges, wallet providers and infrastructure operators. It culminated in a soft fork on 2 June that temporarily disabled Orchard transactions, followed by the NU6.2 hard fork on 3 June that re-enabled Orchard with a corrected circuit. There is no evidence of exploitation, but because the pool is shielded, that question cannot be settled the way it could be for a transparent-chain incident. Shielded Labs has since proposed a further network upgrade to migrate funds to a new pool, a process designed to let the ecosystem cryptographically verify the integrity of Orchard’s supply.
Anatomy
The failure originated in the zero-knowledge proof circuit of the Orchard pool, Zcash’s newest and largest shielded pool. It was a soundness bug: the proof system could be made to accept an invalid state transition as valid. In simpler terms, a prover could convince the network that a transaction obeyed the rules when it did not. The affected component sat inside the Orchard circuit implementation, specifically in the halo2_gadgets crate, where an under-constrained elliptic-curve multiplication check left a relation the gadget was meant to enforce only partially enforced, so a prover could supply false inputs and still produce a proof the verifier accepted. That distinction is technical, but the consequence is not. A malicious actor could potentially construct a transaction that appeared valid to the network while creating value inside Orchard.
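To make the failure class concrete, here is an added toy example, written for this article rather than taken from halo2_gadgets or the Orchard circuit, and not a reconstruction of the actual bug (whose details the article does not give). It shows the generic pattern of an under-constrained multiplication check: a gadget that has to verify a scalar multiplication in a group whose order q differs from the circuit’s field p lets the prover witness a quotient m and checks k·P = R + m·q in the field. Without range constraints tying that field equation back to the integers, a prover can pick any R and solve for m, so the check passes on a false result; the fixed version adds the missing constraints. The primes, the additive toy group and all function names are constructed for the example.

```python
# Added toy example, not code from halo2_gadgets or the Orchard circuit, and
# not a reconstruction of the actual bug. It shows the generic failure class:
# a "non-native" scalar multiplication check that is under-constrained.
#
# Setting: the circuit does arithmetic in F_p, but the group whose scalar
# multiplication we want to check has order q != p (modelled here as the
# additive group Z_q, so [k]P is just k*P mod q). The gadget lets the prover
# witness a quotient m and checks the field equation  k*P == R + m*q  (mod p).
# That equation only pins R down if R and m are range-checked so that no
# wrap-around mod p is possible. Constructed toy parameters, not Zcash's.
from typing import Tuple

P_FIELD = 101   # circuit field F_p (toy prime)
Q_ORDER = 7     # toy "group order"; note Q_ORDER**2 < P_FIELD, used by the fix


def group_mul(k: int, point: int) -> int:
    """Reference [k]P in the toy group Z_q."""
    return (k * point) % Q_ORDER


def honest_witness(k: int, point: int) -> Tuple[int, int]:
    """Honest prover: R = [k]P and the integer quotient m with k*P = R + m*q."""
    r = group_mul(k, point)
    m = (k * point - r) // Q_ORDER
    return r, m


def check_underconstrained(k: int, point: int, r: int, m: int) -> bool:
    """Buggy gadget: only the field equation, no range constraints on R or m."""
    return (k * point) % P_FIELD == (r + m * Q_ORDER) % P_FIELD


def check_constrained(k: int, point: int, r: int, m: int) -> bool:
    """Fixed gadget: the same equation plus range checks.
    With k, P, R, m all below q, both sides are below q*q < p, so equality
    mod p is equality over the integers and R is forced to be k*P mod q."""
    in_range = all(0 <= x < Q_ORDER for x in (k, point, r, m))
    return in_range and check_underconstrained(k, point, r, m)


def forge_witness(k: int, point: int, r_false: int) -> int:
    """Malicious prover against the buggy gadget: choose ANY R, then solve
    m = (k*P - R) * q^(-1) mod p. The field equation holds, so the verifier
    accepts a proof that [k]P equals a point it does not equal."""
    q_inv = pow(Q_ORDER, -1, P_FIELD)
    return ((k * point - r_false) * q_inv) % P_FIELD


if __name__ == "__main__":
    k, pt = 3, 5
    r, m = honest_witness(k, pt)
    print("honest  R=%d m=%d  buggy:%s fixed:%s" % (
        r, m, check_underconstrained(k, pt, r, m), check_constrained(k, pt, r, m)))
    r_false = (r + 3) % Q_ORDER
    m_forged = forge_witness(k, pt, r_false)
    print("forged  R=%d m=%d  buggy:%s fixed:%s" % (
        r_false, m_forged,
        check_underconstrained(k, pt, r_false, m_forged),
        check_constrained(k, pt, r_false, m_forged)))
```

The fix is the shape a circuit patch usually takes: the equation was already there, the constraints that make it mean what the designer intended were not. Because a Halo 2 verifying key commits to the constraint system, adding those constraints changes the key, which is why such a repair cannot ship as an ordinary client update.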
Zcash’s architecture incorporates a critical accounting control known as the turnstile mechanism. This mechanism tracks value moving between the transparent pool and the shielded pools, including Sprout, Sapling and Orchard. It enforces the broad invariant that the total amount of ZEC exiting a pool cannot exceed the total amount that has legitimately entered it. According to the Zcash Foundation, this mechanism protected the wider 21 million ZEC supply cap and allowed ecosystem participants to confirm that no unauthorized value creation had been detected at the level of total supply.
That is the official reassurance. The deeper problem is that shielded privacy changes what can be proven from the outside. If the counterfeit value never attempted to leave Orchard in a way that violated the turnstile accounting, the internal state of the pool would remain opaque. The network may be able to say that the total visible supply was not inflated beyond its accounting limits, but it cannot simply look inside Orchard and publicly audit every internal balance like it could on a transparent ledger. This is where the incident becomes more than a routine bug fix. It exposes the tension at the heart of privacy-preserving money: the stronger the privacy, the harder it becomes to reassure everyone after a soundness failure.
The emergency response unfolded quickly. Hornby discovered and disclosed the issue on 29 May. ZODL engineers confirmed the vulnerability within hours and began evaluating remediation options. Private coordination with miners and exchanges began on 31 May. The first layer of defence was not a direct public patch, because publishing the corrected code too early could have revealed the shape of the exploit before the network had moved. Instead, the ecosystem deployed an emergency soft fork that temporarily rejected Orchard-containing transactions and blocks. This bought time while limiting the information exposed to potential attackers. The soft fork activated at block height 3,363,426 on 2 June, after an initial coordination attempt encountered deployment difficulties.
The final fix required a hard fork because the bug lived inside the zero-knowledge proof circuit itself. A circuit-level fix is not the same as changing a normal software client. The network needed to update the pinned verifying key used to validate Orchard proofs, which meant consensus itself had to change. NU6.2 activated at block height 3,364,600 on 3 June, re-enabling Orchard actions with the corrected circuit. The affected versions included earlier releases of halo2_gadgets, orchard, zcash_primitives, zcashd and zebrad. Fixed releases were then made available across the core node implementations and related libraries.
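The two-stage response can be modelled as a pair of validity rules keyed on block height. The following is an added Python sketch written for this article, not code from zcashd or zebrad; the verifying keys are string tags standing in for the real pinned keys, and the rule functions are hypothetical. It uses the two activation heights reported above and checks the property that separates the two forks: the soft fork only rejects transactions old nodes would have accepted (every transaction valid under the new rule is valid under the old one), whereas NU6.2, which accepts proofs made against the corrected circuit’s key, is not a subset of the old rule and so requires every validating node to upgrade.

```python
# Added model of the two-stage Orchard response, written for this article.
# Not zcashd/zebrad code: the rule functions are hypothetical and the
# verifying keys are string tags standing in for the real pinned keys.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, Optional, Tuple

SOFT_FORK_HEIGHT = 3_363_426   # emergency soft fork activation (from the article)
NU6_2_HEIGHT = 3_364_600       # NU6.2 activation (from the article)

OLD_VK = "orchard-vk-buggy-circuit"     # toy tag, not key material
NEW_VK = "orchard-vk-fixed-circuit"     # toy tag, not key material


@dataclass(frozen=True)
class Tx:
    orchard_actions: int          # 0 means the tx has no Orchard component
    proof_vk: Optional[str]       # key the Orchard proof verifies under, if any


Rule = Callable[[Tx, int], bool]


def rule_pre_fork(tx: Tx, height: int) -> bool:
    """A node that never upgraded: Orchard proofs checked against the old key."""
    return tx.orchard_actions == 0 or tx.proof_vk == OLD_VK


def rule_soft_fork(tx: Tx, height: int) -> bool:
    """Emergency soft fork: from SOFT_FORK_HEIGHT every tx with Orchard actions is rejected."""
    if tx.orchard_actions == 0:
        return True
    if height >= SOFT_FORK_HEIGHT:
        return False
    return tx.proof_vk == OLD_VK


def rule_nu6_2(tx: Tx, height: int) -> bool:
    """NU6.2: Orchard re-enabled, proofs checked against the new pinned key."""
    if tx.orchard_actions == 0:
        return True
    if height < SOFT_FORK_HEIGHT:
        return tx.proof_vk == OLD_VK
    if height < NU6_2_HEIGHT:
        return False
    return tx.proof_vk == NEW_VK


# Constructed sample space: a transparent tx, an Orchard tx proven under each key,
# at the heights on either side of the two activations.
SAMPLE_TXS = [Tx(0, None), Tx(2, OLD_VK), Tx(2, NEW_VK)]
SAMPLE_HEIGHTS = [SOFT_FORK_HEIGHT - 1, SOFT_FORK_HEIGHT, NU6_2_HEIGHT - 1, NU6_2_HEIGHT]


def tightens_only(old_rule: Rule, new_rule: Rule,
                  txs: Iterable[Tx] = SAMPLE_TXS,
                  heights: Iterable[int] = SAMPLE_HEIGHTS) -> bool:
    """True if everything the new rule accepts, the old rule also accepts:
    the defining property of a soft fork (un-upgraded nodes keep following the chain)."""
    return all(old_rule(tx, h) for tx, h in product(txs, heights) if new_rule(tx, h))


def first_divergence(old_rule: Rule, new_rule: Rule,
                     txs: Iterable[Tx] = SAMPLE_TXS,
                     heights: Iterable[int] = SAMPLE_HEIGHTS) -> Optional[Tuple[Tx, int]]:
    """First (tx, height) the new rule accepts but the old rule rejects, or None.
    A non-None result is what makes the upgrade a hard fork."""
    for tx, h in product(txs, heights):
        if new_rule(tx, h) and not old_rule(tx, h):
            return tx, h
    return None


if __name__ == "__main__":
    print("soft fork tightens only:", tightens_only(rule_pre_fork, rule_soft_fork))
    print("NU6.2 tightens only:   ", tightens_only(rule_pre_fork, rule_nu6_2))
    print("NU6.2 diverges at:     ", first_divergence(rule_pre_fork, rule_nu6_2))
```

Two details worth noticing in the model: a proof against the old key is rejected by every rule from the soft fork height onward, so any transaction forged against the buggy circuit was dead on arrival after 2 June; and the divergence that makes NU6.2 a hard fork is precisely the first block carrying a proof that only the new key can verify.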
The incident did not affect transparent Zcash transactions or Sapling transactions, which continued to operate during the Orchard suspension. Exchanges remained operational, and ZEC held on exchanges was not frozen in the way Orchard actions were. User privacy was also stated to be unaffected: the vulnerability did not expose shielded addresses or transaction details. It was a failure of soundness, not of confidentiality. That is an important separation. A privacy pool can keep its secrets perfectly while still suffering a proof-system failure that threatens the integrity of its internal accounting.
Blast Radius
The immediate blast radius was contained to Orchard. Sapling and transparent transactions continued to function, and the ecosystem moved fast enough to prevent any known exploitation. From an operational point of view, the response was impressive: a serious flaw was found, confirmed, privately coordinated, mitigated and then patched within a few days. The Zcash Foundation described this as only the second security-driven protocol upgrade in Zcash history since launch.
But the trust question is broader than the operational fix. The most uncomfortable part of the incident is not simply that a bug existed. Serious bugs have existed in Bitcoin, Ethereum, Monero and almost every major system that has ever carried real value. The uncomfortable part is that the fix depended on confidential coordination between a relatively small group of engineers, miners, exchanges, infrastructure providers and other key participants. That may have been the responsible course of action under emergency conditions, but it also reveals the practical governance layer that appears when cryptography fails. In normal times, the network sells itself as protocol. In crisis, people still have to pick up the phone.
This is not a cheap argument that Zcash is fake or that privacy cannot work. It is a more precise observation. A privacy protocol can be mathematically elegant, but when a soundness flaw appears in the proving system, the ecosystem needs human coordination, trusted disclosure, rapid software release, miner adoption, exchange cooperation and social consensus around the emergency path. That does not erase the value of privacy technology. It does, however, challenge the simplistic idea that advanced cryptography removes trust entirely. It often moves trust into places ordinary users cannot see: audit processes, circuit implementation, library maintenance, emergency disclosure channels and the judgement of a small number of highly specialised engineers.
The proposed next step from Shielded Labs is therefore significant. NU6.2 patched the bug, but it does not, by itself, prove that Orchard’s internal supply was never polluted. The proposed migration to a new shielded pool would route funds out of Orchard through turnstile accounting in a way that allows the network to verify that no counterfeit value exists. If every legitimate Orchard coin can migrate under strict accounting rules, and no excess value can escape, the ecosystem gains a stronger cryptographic answer than a public statement saying no exploit has been detected. This would move the response from “we have no evidence of failure” toward “the accounting has been forced through a verification event.”
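The turnstile accounting described in the Anatomy section, and the migration that would force every Orchard balance through it, can be simulated in a few lines. The following is an added Python toy written for this article, not Zcash consensus code: the ledger class, the sign convention (a positive value balance means ZEC leaving the shielded pool for the transparent side) and the Alice, Bob and Mallory scenario are all constructed. It shows what the turnstile does and does not prove: a forged note created in a shielded-to-shielded transaction is invisible to the public ledger; the pool can still never pay out more than was deposited; but it is whoever exits last, not the forger, who gets refused; and a migration in which every holder must cross the turnstile turns the open question into a number anyone can check.

```python
# Added toy ledger, not Zcash consensus code. The public chain only sees each
# transaction's net value balance for the pool, never the notes inside it.
# Constructed convention: value_balance > 0 means ZEC leaving the shielded
# pool for the transparent side; value_balance < 0 means ZEC being shielded.
from typing import Dict, List, Tuple


class TurnstileViolation(Exception):
    """Raised when a transaction would take more out of the pool than is in it."""


class PoolLedger:
    """Tracks the provable value inside one shielded pool (Sprout, Sapling or Orchard)."""

    def __init__(self) -> None:
        self.pool_value = 0            # provable ZEC inside the pool
        self.accepted: List[int] = []  # value balances the chain has accepted

    def apply(self, value_balance: int) -> int:
        """Consensus check: the pool value can never go negative. Returns the new value."""
        new_value = self.pool_value - value_balance
        if new_value < 0:
            raise TurnstileViolation(
                "exit of %d would leave the pool at %d" % (value_balance, new_value))
        self.pool_value = new_value
        self.accepted.append(value_balance)
        return new_value


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: two honest deposits, one forged note, two exits."""
    ledger = PoolLedger()
    ledger.apply(-10)   # Alice shields 10 ZEC
    ledger.apply(-5)    # Bob shields 5 ZEC
    # Mallory exploits a soundness bug to mint a 100-ZEC note in a purely
    # shielded-to-shielded transaction: value balance 0, the ledger sees nothing.
    ledger.apply(0)
    after_mallory = ledger.apply(15)   # Mallory unshields 15: accepted, pool is now 0
    alice_refused = False
    try:
        ledger.apply(10)               # Alice tries to unshield her own 10 ZEC
    except TurnstileViolation:
        alice_refused = True           # the turnstile holds, but the wrong person pays
    return {
        "pool_after_mallory_exit": after_mallory,
        "total_supply_inflated": ledger.pool_value < 0,   # the turnstile guarantees False
        "honest_user_refused": alice_refused,
    }


def migration_audit(pool_value: int, claims: List[int]) -> Tuple[bool, int]:
    """Model of the proposed migration: every holder must carry their balance
    across the turnstile into a new pool. If the claims exceed the provable
    pool value, counterfeit value exists; the excess is public, the culprit is not."""
    total = sum(claims)
    return total <= pool_value, max(0, total - pool_value)


if __name__ == "__main__":
    print(run_scenario())
    print("clean pool:   ", migration_audit(15, [10, 5]))
    print("polluted pool:", migration_audit(15, [10, 5, 100]))
```

The audit result for the polluted pool says only that claims exceed the provable value by 100; which of the three claims is the forged one is exactly what the shielded design hides. That is the limit the article draws above: the turnstile and a forced migration can establish whether counterfeit value exists, not who holds it.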
CipherBot Verdict
This was a contained emergency, not a catastrophic collapse. The network did not lose its privacy layer permanently, the total ZEC supply was not shown to have inflated, and the bug was found through audit rather than discovered after a public exploit. The response showed that Zcash still has serious cryptographic talent around it, and that its ecosystem can move quickly when a critical vulnerability threatens the integrity of the protocol.
But this incident also exposes the hidden fragility of privacy systems built on complex proof machinery. The average user cannot inspect a zero-knowledge circuit. Most investors cannot evaluate whether an elliptic-curve gadget is under-constrained. Even many technically competent crypto users must ultimately rely on a chain of specialists, audits, foundations, labs and emergency coordinators. The more advanced the privacy system becomes, the more the trust burden shifts away from visible ledger inspection and into the invisible machinery of cryptographic implementation.
That is the real lesson. Zcash’s privacy did not fail. Its accounting circuit nearly did. The network’s emergency response worked, but it worked through concentrated expertise and confidential coordination. The proposed migration may give Zcash a route back to stronger public assurance, but the episode leaves behind a permanent reminder for every privacy chain, zk system and shielded pool in crypto: privacy without soundness is not sovereignty. It is darkness with a balance sheet.
For CipherBot, the Orchard incident sits in the highest-risk category of protocol failures because it touched the part of the system that users are least able to verify for themselves. The fix deserves credit. The disclosure deserves credit. Taylor Hornby’s discovery deserves serious credit. But the incident should not be waved away as a clean win simply because price held or no exploit was detected. The bug existed for years inside the most advanced shielded pool in one of crypto’s flagship privacy networks. It took an independent researcher, AI-assisted analysis, emergency coordination and a hard fork to remove it.
The deeper archive entry is clear: Zcash survived the Orchard soundness incident, but the event revealed the cost of building private money on cryptographic machinery so complex that only a handful of people can truly see when it breaks.
---
Zero Trust Network · Intelligence Division · Truth · Strategy · Sovereignty