Zcash Orchard pool bug just surfaced. Founder Zooko Wilcox disclosed more details about the critical issue on May 29.
Security researcher Taylor Hornby found the bug. It sat inside Zcash’s Orchard shielded pool, which handles private transactions.
What the Zcash Orchard pool bug means
The Zcash Open Development Lab led an emergency response. The team fixed the issue by June 2. They paused Orchard activity, then restored it with corrected code.
Shielded Labs confirmed that the bug was real and exploitable. In a local test, Hornby created unlimited counterfeit ZEC inside Orchard without detection. The same tool could have worked on mainnet before the fix.
However, because Orchard protects transaction privacy, cryptography alone cannot prove whether anyone used the bug before the repair. Shielded Labs said prior use looked unlikely, but they cannot formally rule it out.
Arthur Hayes sells ZEC after disclosure
BitMEX co‑founder Arthur Hayes added market pressure. He said he sold his entire ZEC position. The Orchard disclosure broke his privacy thesis for the asset.
Hayes wrote that minting looked “extremely unlikely” but could not be formally ruled out. He added that the privacy narrative against AI, governments, and big tech needs “perfection not improbability.”
ZEC dropped about 30% after the news. Hayes said he could buy again if his assumptions prove wrong. His exit mattered because he had recently framed ZEC as part of his “Holy Trinity” trade.
Network upgrade planned to prove supply
Shielded Labs is now exploring a network upgrade. The goal is to let anyone verify the Zcash supply.
The proposal would create a new shielded pool. It would also use turnstile accounting for coins leaving Orchard. This would prove that counterfeit ZEC does not remain inside the affected pool.
The plan still needs community support. Shielded Labs will publish a follow‑up post next week.
Meanwhile, the Zcash Foundation had already released Zebra 5.0.0 through the NU6.2 hard fork. That upgrade re‑enabled Orchard with a corrected circuit. No evidence of unauthorized value creation has been found.
