Zcash Tumbles 30% After Flaw Found That Could Mint Unlimited Fake Tokens

A critical security flaw has been found in Orchard, the shielded transaction pool used by privacy coin Zcash, that could have allowed unlimited counterfeit tokens to be forged. The vulnerability was identified by a white-hat hacker using the latest artificial intelligence tools. Zcash fell more than 30% after the disclosure.

Shielded Labs, an independent support organization for Zcash, said on X on June 4 that security engineer Taylor Hornby had discovered a serious vulnerability in Orchard.

Hornby, a contributor to the Zcash ecosystem, had been reviewing the protocol since April. On May 29, he found the flaw in the Orchard circuit with support from Opus 4.8, Anthropic's latest AI model.

Orchard allows users to send and receive Zcash anonymously using zero-knowledge proof technology. The review found that constraints on a specific element in the Orchard circuit had been set too loosely. As a result, the system could approve invalid transactions as legitimate even when arbitrary false inputs were inserted into elliptic-curve multiplication operations.

Shielded Labs said the vulnerability was practically exploitable. With help from Opus 4.8, Hornby wrote and verified an exploit in a local test environment that generated unlimited fake Zcash with full anonymity. The flaw was fixed in an emergency patch on June 1, but Orchard had been exposed since it was activated in May 2022.

Even so, Shielded Labs cautioned against excessive alarm. The group said it was unlikely hackers had identified the flaw first because it had gone undetected for years in a protocol monitored by some of the world's top cryptographers. It called the discovery a victory for a white-hat hacker who used advanced prompts and the latest AI tools to find the vulnerability before attackers did.

The market still reacted sharply. After Shielded Labs announced the issue, Zcash began to slide over five hours and was trading at $409.64, down 31.4% from 24 hours earlier.

Shielded Labs proposed a network upgrade that would let anyone verify the integrity of Zcash's total supply in an effort to restore market confidence.

A Shielded Labs official said the group believed it was important to disclose the issue transparently because the vulnerability was so serious. The official added that while the discovery of such a critical flaw was regrettable, the Zcash ecosystem would overcome the issue and return to normal.