Zcash Founder Confirms Orchard Bug Could Allow Unlimited ZEC Creation

Zcash founder Zooko Wilcox confirmed on June 4, 2026 that a critical bug in the Orchard shielded protocol could have allowed an attacker to create an unlimited amount of counterfeit ZEC, and that there is no cryptographic way to prove whether the flaw was exploited before it was patched.

The disclosure, co-authored by Wilcox, Jason McGee, and Taylor Hornby, was published on the Zcash Community Forum. It represents a significant escalation from earlier remediation messaging, which had framed the incident as resolved without evidence of exploitation.

Hornby discovered the vulnerability on May 29, 2026 while auditing Zcash for Shielded Labs. Orchard is the newest shielded pool in Zcash, designed to provide private transactions using the Halo 2 proving system. The bug resided in the circuit logic governing Orchard actions.

What the Orchard Bug Could Have Done

In Wilcox’s words: “The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard.” That framing matters because it means any exploitation would have been invisible to outside observers, hidden by the same privacy guarantees that protect legitimate transactions.

For any cryptocurrency, supply integrity is foundational. A fixed or predictable issuance schedule underpins scarcity assumptions and, by extension, market valuation. A flaw that permits unlimited token creation strikes at the core trust model.

ZEC was trading at $424.15 at press time, with a circulating supply of roughly 16.75 million coins and a market cap of approximately $7.17 billion.

The token fell roughly 26.47% over the preceding 24 hours, with trading volume spiking to nearly $1.49 billion as markets reacted to the expanded disclosure.

The broader crypto market was already under pressure. The Fear & Greed Index sat at 12, firmly in “Extreme Fear” territory, meaning ZEC’s sell-off landed in an environment where risk appetite was already thin.

Why the Zcash Foundation’s Earlier Framing Fell Short

The Zcash Foundation’s initial remediation post on June 3 stated that “there is no evidence of unauthorized value creation.” That assessment was based on turnstile analysis, a method that checks the flow of ZEC between shielded pools and the transparent chain.

Wilcox’s June 4 follow-up made clear that turnstile checks are insufficient. Because Orchard’s privacy model prevents external observation of pool-internal activity, any counterfeit ZEC created and kept within Orchard would be invisible to turnstile-based audits. The post proposes a further network upgrade that would allow anyone to cryptographically prove supply integrity.
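The limit of a turnstile check described above can be seen in a small simulation. This is an added example, not code from Zcash or from the forum post; the event format, ledger names and function names are constructed for illustration, and the model reduces a pool to deposits, withdrawals and hidden internal activity.

```python
# Toy model of a turnstile-style audit. All events are constructed sample data:
# (block height, kind, value in zatoshis). "internal" and "counterfeit" events
# happen inside the shielded pool and are hidden from outside observers.
HONEST = [(100, "deposit", 500), (101, "internal", 200), (102, "withdraw", 300)]
KEPT_INSIDE = [(100, "deposit", 500), (101, "counterfeit", 10_000), (102, "withdraw", 300)]
WITHDRAWN = [(100, "deposit", 500), (101, "counterfeit", 10_000), (102, "withdraw", 900)]

BOUNDARY = ("deposit", "withdraw")


def public_view(events):
    """What an external auditor can observe: only value crossing the pool boundary."""
    return [e for e in events if e[1] in BOUNDARY]


def turnstile_audit(events):
    """Return (visible_balance, height_of_first_violation_or_None).

    A violation means more value has left the pool than ever entered it.
    """
    balance, violation = 0, None
    for height, kind, value in public_view(events):
        balance += value if kind == "deposit" else -value
        if balance < 0 and violation is None:
            violation = height
    return balance, violation


def true_pool_value(events):
    """Ground truth known only to this simulation, never to the auditor."""
    sign = {"deposit": 1, "counterfeit": 1, "withdraw": -1, "internal": 0}
    return sum(sign[kind] * value for _, kind, value in events)


if __name__ == "__main__":
    for name, ledger in [("honest", HONEST), ("kept inside", KEPT_INSIDE),
                         ("withdrawn", WITHDRAWN)]:
        print(f"{name:12} audit={turnstile_audit(ledger)} true={true_pool_value(ledger)}")
```

The honest ledger and the one where counterfeit value stays inside the pool produce the same audit result, which is why a clean turnstile check supports "no evidence" but not "did not happen".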

This gap between “no evidence of exploitation” and “exploitation cannot be ruled out” is the central tension. It echoes challenges faced by other privacy-focused protocols, where the same features that protect users can also obscure attacks. As regulators increasingly frame crypto as financial infrastructure, the ability to verify supply becomes a governance question, not just a technical one.

How the Bug Was Fixed

The response moved fast. The Zcash Foundation released Zebra 4.5.3, which temporarily disabled all Orchard actions via an emergency soft fork that activated at approximately 02:00 UTC on June 2, 2026. This effectively froze the vulnerable pool while a permanent fix was prepared.

Zebra 5.0.0 then activated NU6.2, a hard fork that re-enabled Orchard with a corrected circuit. That activation occurred on June 3, 2026 at 00:05 EDT, at block height 3,364,600. Affected software versions included halo2_gadgets prior to v0.5.0, orchard prior to v0.14.0, zcash_primitives prior to v0.28.0, zcashd v5.0.0 through v6.12.3, and zebrad below v4.5.1.
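A check of a Rust project's dependencies and node versions against the affected ranges listed above, as an added example that is not Zcash project code. The function names and the sample lock file are constructed; the version ranges are the ones stated in this article.

```python
import re

# Affected ranges as listed in the article. The fourth tuple element marks a
# release (1) versus a pre-release (0), so "0.14.0-rc.1" sorts below "0.14.0"
# and a pre-release of a fixed version is still flagged for manual review.
BELOW = {"halo2_gadgets": (0, 5, 0, 1), "orchard": (0, 14, 0, 1),
         "zcash_primitives": (0, 28, 0, 1), "zebrad": (4, 5, 1, 1)}
RANGE = {"zcashd": ((5, 0, 0, 0), (6, 12, 3, 1))}  # inclusive on both ends

def parse_version(text):
    """'v0.13.0' -> (0, 13, 0, 1); '0.14.0-rc.1' -> (0, 14, 0, 0)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)

def is_affected(name, version):
    """True if the named component at this version falls in a listed range."""
    if name in BELOW:
        return parse_version(version) < BELOW[name]
    if name in RANGE:
        low, high = RANGE[name]
        return low <= parse_version(version) <= high
    return False

def scan_cargo_lock(lock_text):
    """Return sorted (crate, version) pairs from Cargo.lock text that are affected."""
    hits = set()
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver and is_affected(name[1], ver[1]):
            hits.add((name[1], ver[1]))
    return sorted(hits)

# Constructed sample lock file, not taken from any real project.
SAMPLE_LOCK = """
[[package]]
name = "orchard"
version = "0.13.0"
[[package]]
name = "halo2_gadgets"
version = "0.5.0"
[[package]]
name = "zcash_primitives"
version = "0.27.1"
"""
```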

A separate Zcash Community Forum post confirmed that Orchard functionality was fully restored within days of the initial discovery.

What to Watch Next

The most consequential open question is whether the proposed follow-up network upgrade to prove supply integrity will gain traction. Wilcox’s post frames it as necessary for anyone to verify that no counterfeit ZEC exists in Orchard, which would require a new cryptographic mechanism or a shielded pool migration.

Such an upgrade would need to go through Zcash’s standard network-upgrade and ecosystem coordination process. Exchanges and wallet providers will likely monitor whether the Zcash community commits to a timeline. In an environment where policymakers are scrutinizing crypto governance, the speed and transparency of that process will shape perceptions of the project’s credibility.

For ZEC holders, the practical takeaway is straightforward: the immediate vulnerability is patched, but the question of whether it was exploited before May 29 remains formally unanswered. No action is required from users today, but the integrity proof upgrade, if it arrives, would be the definitive resolution.
