Zcash fixed a critical vulnerability in its Orchard shielded transaction system that could have allowed attackers to generate counterfeit ZEC while transactions still appeared valid. Security researcher Taylor Hornby found the issue on May 29 while auditing Orchard; the bug was a failed transaction-input validation check in the zero-knowledge proof workflow, affecting the Orchard privacy pool introduced in 2022. No CVE is cited, and it is unclear whether the flaw was exploited before the fix.
Why it matters: This is the kind of bug that can undermine trust in a cryptocurrency by allowing undetectable fraudulent coin creation. Zcash users, exchanges, and infrastructure operators should confirm they are running the patched software and watch for any follow-up guidance on possible past exploitation.
Bruce Schneier
2026.06.08