Zcash Discloses 4-Year Hidden Vulnerability Enabling Unlimited Coin Creation


Zcash (ZEC), a privacy-focused cryptocurrency, disclosed a critical vulnerability on June 4 that could have allowed unlimited counterfeit coin creation in the Orchard Pool, its privacy transaction area. Security researcher Taylor Hornby discovered the flaw on May 29 using Anthropic's Opus 4.8 AI model while auditing the Orchard Circuit code. The vulnerability stemmed from insufficient constraint conditions in the elliptic curve operation verification process, which let validation pass even with incorrect input values. Zcash founder Zooko Wilcox announced via X that emergency patches have been deployed across the ecosystem, citing a report from development firm Shielded Labs. The flaw had existed since the Orchard Pool's activation in May 2022 and remained undetected for four years despite reviews by leading cryptographers.

Taylor Hornby Discovers Vulnerability Using Anthropic Opus 4.8 AI Model

Taylor Hornby identified the vulnerability on May 29 while examining the Orchard Circuit using Anthropic's latest Opus 4.8 AI model. The discovery occurred during a routine security audit of Zcash's privacy transaction infrastructure. Zooko Wilcox referenced Hornby's findings in a June 4 X post that included the Shielded Labs report detailing the technical nature of the flaw.

Elliptic Curve Verification Flaw Enabled Unlimited ZEC Creation

According to the Shielded Labs report, the vulnerability arose from insufficient constraint conditions in the elliptic curve operation verification process within the Orchard Circuit. This weakness meant that incorrect input values could still pass validation checks, theoretically enabling an attacker to create unlimited counterfeit ZEC tokens. The flaw specifically affected the Orchard Pool, Zcash's privacy transaction area designed to shield transaction details from public view.

Shielded Labs Completes Emergency Patch Deployment

Zooko Wilcox stated that emergency response measures corrected the vulnerability and that patches have been completed across the entire ecosystem. The vulnerability existed from May 2022, when the Orchard Pool was activated, until its discovery on May 29. Shielded Labs noted that cryptographically proving whether the vulnerability was actually exploited during this four-year period is impossible. The report stated that while no method exists to confirm whether counterfeiting occurred before the patch, the likelihood of prior exploitation is considered low given that the flaw evaded detection by world-class cryptographers for years and was only discovered through cutting-edge AI-based security research.

Shielded Labs Discusses Turnstile Accounting Implementation

Shielded Labs is discussing the introduction of a new privacy pool and the application of Turnstile Accounting to existing Orchard Pool assets. The company stated this approach would enable anyone to verify the integrity of Zcash's total supply and confirm whether counterfeit coins exist within the Orchard Pool.

ZEC Price Falls 17.04% to $447 Following Disclosure

As of June 5, ZEC traded at $447 (approximately 687,200 Korean won) according to CoinGecko data. This represented a 17.04% decline in 24 hours following the vulnerability disclosure.

FAQ

How did researchers discover the Zcash vulnerability?

Taylor Hornby discovered the vulnerability on May 29 using Anthropic's Opus 4.8 AI model while auditing the Orchard Circuit code. The AI-assisted analysis identified insufficient constraint conditions in the elliptic curve operation verification process that had evaded detection by leading cryptographers for four years.

Can anyone confirm if the vulnerability was exploited before the patch?

Shielded Labs stated that cryptographically proving whether the vulnerability was actually exploited during the four-year period from May 2022 to May 29 is impossible. The report noted that while no verification method exists, the likelihood of prior exploitation is considered low given the flaw's complexity and the advanced AI tools required for its discovery.

What measures is Zcash implementing to prevent future counterfeiting?

Shielded Labs is discussing the introduction of a new privacy pool and the application of Turnstile Accounting to existing Orchard Pool assets. The company stated this approach would enable anyone to verify the integrity of Zcash's total supply and confirm whether counterfeit coins exist within the Orchard Pool.
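
The turnstile accounting mentioned in the Shielded Labs section and in the answer above can be pictured as a running balance per pool. The sketch below is an added example, not code from Zcash or Shielded Labs; it assumes turnstile accounting means counting value publicly seen entering and leaving a pool and rejecting any exit larger than what was counted in. The class, function and pool names and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass, field

ZATOSHI = 100_000_000  # zatoshi per ZEC


@dataclass
class PoolLedger:
    """Running count of value publicly observed entering and leaving one pool."""
    name: str
    balance: int = 0  # zatoshi currently accounted to the pool
    violations: list = field(default_factory=list)  # (height, shortfall)

    def apply(self, height: int, delta: int) -> bool:
        """delta > 0: value entered the pool; delta < 0: value left it.

        Returns False and records the block if the exit would remove more
        than was ever counted in, which is how counterfeit value shows up.
        """
        if self.balance + delta < 0:
            self.violations.append((height, -(self.balance + delta)))
            return False  # a turnstile rule would reject this block
        self.balance += delta
        return True


def audit(flows):
    """flows: iterable of (height, pool_name, delta_zatoshi) in chain order."""
    pools = {}
    for height, pool, delta in flows:
        pools.setdefault(pool, PoolLedger(pool)).apply(height, delta)
    return pools


# Constructed sample flows (hypothetical, not real chain data).
SAMPLE = [
    (100, "orchard", +50 * ZATOSHI),
    (101, "orchard", +30 * ZATOSHI),
    (102, "orchard", -20 * ZATOSHI),   # moved out of the old pool...
    (103, "new_pool", +20 * ZATOSHI),  # ...and into the new one
    (104, "orchard", -75 * ZATOSHI),   # only 60 ZEC accounted for
    (105, "orchard", -60 * ZATOSHI),   # drains exactly what remains
]

if __name__ == "__main__":
    for ledger in audit(SAMPLE).values():
        print(ledger.name, ledger.balance / ZATOSHI, ledger.violations)
```

In this model the check fires only when value leaves a pool; anything that stays inside the pool is invisible to it.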
