Zcash Fixes Critical Orchard Bug With Potential for Undetectable Unlimited ZEC Minting
Zcash developers have disclosed a critical flaw in the protocol's Orchard shielded pool that, in theory, could have allowed an attacker to create an unlimited amount of ZEC without being detected. The bug was patched via an urgent fix earlier this week, but the team said cryptography alone cannot confirm whether the issue was exploited on mainnet before the patch.
According to Shielded Labs, the vulnerability has been present since Orchard went live in May 2022 and remained unaddressed until June 2, 2026. The coordinated network upgrade observed publicly was tied directly to deploying the fix.
Security researcher Taylor Hornby identified the problem on May 29, 2026 during a trusted security review and built a working exploit in a local test environment. The disclosure attributes the bug to insufficient constraints in the Orchard circuit, which could let malformed inputs pass elliptic-curve multiplication checks and enable forged ZEC. Because Orchard transactions are privacy-preserving, verifying whether the flaw was ever used is more difficult.
Developers said there is currently no evidence of pre-patch exploitation. Still, because Orchard transactions are shielded, outside observers cannot validate individual transactions the way they can on a fully transparent ledger. As a result, there is no definitive way to prove forged tokens never entered circulation, leaving residual uncertainty around Zcash's supply integrity even after the patch.
Shielded Labs said its assessment is that historical exploitability was low, citing that the issue went unnoticed by experienced cryptographic researchers for an extended period and that once confirmed internally, the window for exploitation narrowed quickly. The team is now evaluating follow-on network upgrades.
The disclosure also noted that researchers used Anthropic's Opus 4.8 model along with customized AI-assisted auditing methods during the review, and said the vulnerability was found shortly after the model's release.
A preliminary proposal under consideration would introduce a new shielded pool and add "turnstile accounting" checks for tokens exiting Orchard to help validate supply completeness and address external concerns about forged ZEC. More details are expected next week.
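The proposal's details are not yet public, so the following is an added sketch of the general turnstile idea only, not code from Zcash or Shielded Labs: a pool's public balance is the running sum of value crossing its boundary, and any block that would push it below zero is rejected. The names PoolTurnstile and audit and the sample block data are constructed for illustration.

```python
"""Turnstile accounting sketch (added example; not Zcash or Shielded Labs code)."""
from dataclasses import dataclass

ZATOSHI = 100_000_000  # zatoshis per ZEC


class TurnstileViolation(Exception):
    """Raised when a block would drain more from a pool than ever entered it."""


@dataclass
class PoolTurnstile:
    name: str
    balance: int = 0  # net zatoshis that have entered the pool so far

    def apply_block(self, height: int, deltas: list[int]) -> int:
        """Apply one block's per-transaction pool deltas (+ in, - out).

        Amounts inside the pool stay hidden; only the value crossing the
        pool boundary is public, and that is all this check needs.
        """
        new_balance = self.balance + sum(deltas)
        if new_balance < 0:
            raise TurnstileViolation(
                f"{self.name}: block {height} leaves balance {new_balance}")
        self.balance = new_balance
        return new_balance


def audit(pool_name: str, blocks: dict[int, list[int]]):
    """Replay blocks in height order; return (first_bad_height, last_good_balance)."""
    gate = PoolTurnstile(pool_name)
    for height in sorted(blocks):
        try:
            gate.apply_block(height, blocks[height])
        except TurnstileViolation:
            return height, gate.balance
    return None, gate.balance


# Constructed sample data: height -> boundary-crossing amounts in zatoshis.
SAMPLE_BLOCKS = {
    100: [5 * ZATOSHI, 3 * ZATOSHI],   # 8 ZEC shielded into the pool
    101: [-2 * ZATOSHI],               # 2 ZEC exits, 6 ZEC remain
    102: [1 * ZATOSHI, -4 * ZATOSHI],  # net -3 ZEC, 3 ZEC remain
    103: [-5 * ZATOSHI],               # exit exceeds what ever entered
}

if __name__ == "__main__":
    print(audit("orchard", SAMPLE_BLOCKS))
```

A check of this kind caps the value that can leave a pool at the value that publicly entered it; it does not identify which shielded notes, if any, were forged.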
Key dates: Discovery on May 29, 2026; emergency fix completed June 2, 2026; public disclosure June 5, 2026.