Zcash says Orchard funds remain recoverable after a patched counterfeiting bug, while Ironwood aims to restore supply verifiability.
Author: Akshat Thakur
15th June 2026 – Zcash developers say legitimate funds in the Orchard pool remain fully recoverable after a serious counterfeiting bug. The team shared that verdict on June 15, 2026.
High Signal Summary For A Quick Glance
icefrog.◎ 🇻🇳
@icefrog_sol
@BSCNews @Zcash @zooko moving kills shielded privacy
Zcash Founder Says Orchard Funds Remain Recoverable Zcash (@Zcash) $ZEC founder, Zooko (@zooko), says legitimate Orchard funds should remain fully recoverable despite concerns surrounding the recent vulnerability. He added that the team believes the flaw was never exploited. https://t.co/k96szw1fKh
03:48 AM·Jun 15, 2026
Macro Bombastic
@MacroBombastic
@BSCNews @Zcash @zooko Seems reasonable, if Zooko says it's fine I'd trust the guy who built it
Zcash Founder Says Orchard Funds Remain Recoverable Zcash (@Zcash) $ZEC founder, Zooko (@zooko), says legitimate Orchard funds should remain fully recoverable despite concerns surrounding the recent vulnerability. He added that the team believes the flaw was never exploited. https://t.co/k96szw1fKh
03:42 AM·Jun 15, 2026
Parody
@BluebrainP
@BSCNews @Zcash @zooko $zec to the moon https://t.co/0LfYf7rMPi
Zcash Founder Says Orchard Funds Remain Recoverable Zcash (@Zcash) $ZEC founder, Zooko (@zooko), says legitimate Orchard funds should remain fully recoverable despite concerns surrounding the recent vulnerability. He added that the team believes the flaw was never exploited. https://t.co/k96szw1fKh
03:38 AM·Jun 15, 2026
High attention and emotional sentiment detected.
The Zcash Orchard vulnerability let an attacker mint unlimited fake ZEC inside the shielded pool. Yet the team believes nobody exploited it before the fix. So real holdings should stay safe.
The Zcash Orchard vulnerability was a soundness bug in the Orchard circuit. In plain terms, it let false data pass a check that should have rejected it.
Orchard hides senders, receivers, and amounts using zero-knowledge proofs. The bug let someone craft an invalid proof that the network still accepted.
According to the disclosure, the problem sat in an under-constrained part of the circuit. As a result, arbitrary false inputs could enter an elliptic curve multiplication and still pass the check.
The team was blunt about the stakes. The disclosure said the bug “could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard.”
The flaw had existed since Orchard launched in May 2022 through Network Upgrade 5. So it sat in live code for roughly four years.
Independent security researcher Taylor Hornby discovered the Zcash Orchard vulnerability on May 29, 2026. Shielded Labs had engaged him for a targeted review in April.
Hornby leaned on Anthropic’s Claude Opus 4.8 model during that review. The AI model had launched only the day before, on May 28.
He reported the finding straight to the Zcash Open Development Lab. Then the team moved fast.
His method drew attention beyond Zcash. An AI-assisted human review had caught a flaw that survived four years of scrutiny.
The Zcash Open Development Lab coordinated an emergency response. First, a temporary soft fork disabled Orchard operations to block any abuse.
Next came Network Upgrade 6.2, a hard fork that patched the circuit. It also re-enabled Orchard once the fix went live.
The team deployed the fix on June 1, 2026. Remediation finished a day later, on June 2.
The group then went public on June 4. Zooko Wilcox, Jason McGee of Shielded Labs, and Hornby published a joint disclosure and a community forum thread.
Timeline of the Zcash Orchard Vulnerability and Remediation
Security researcher Taylor Hornby identifies a critical soundness vulnerability in Zcash’s Orchard shielded pool circuit using AI-assisted auditing techniques. The issue is immediately disclosed privately to the Zcash Open Development Lab (ZODL) for coordinated remediation.
Zcash developers deploy an emergency soft fork that temporarily disables Orchard transactions across the network. The action is taken as a precaution to prevent potential abuse while a permanent fix is prepared.
Network Upgrade NU6.2 is activated, introducing the corrected Orchard circuit and safely re-enabling Orchard functionality. The upgrade serves as the permanent fix for the vulnerability.
The emergency response concludes successfully. The patched Orchard pool is operational, and network participants complete the coordinated remediation process without any confirmed exploitation.
Zooko Wilcox, Jason McGee, and Taylor Hornby publish the full vulnerability disclosure through public channels, including X and the Zcash Community Forum. The advisory explains the nature of the bug, the potential impact, and the remediation steps already taken.
Zooko Wilcox and Jason McGee release “Four Questions About the Orchard Vulnerability”, addressing community concerns. They state that prior exploitation appears unlikely and reaffirm that legitimate Orchard funds remain fully recoverable.
The planned Ironwood upgrade will introduce a new shielded pool and permanently seal the original Orchard pool. The change is designed to restore users’ ability to independently verify that the overall Zcash supply has not been inflated while preserving access to legitimate funds.
Here the turnstile matters. Zcash uses a turnstile that publicly tracks value entering and leaving each shielded pool.
That mechanism caps total outflow at what legitimately entered. So even a flood of fake notes cannot leave the pool beyond the real total.
Zooko also addressed the on-chain figures. He referenced roughly 100 million ZEC tracked inside Orchard, against about 4.5 million that legitimately entered.
That gap sounds alarming at first. Yet the turnstile means only the legitimate total can ever leave the pool.
The team also believes no attacker touched the bug. In the June 15 post, Zooko and McGee wrote plainly about the odds.
“We believe prior exploitation is unlikely and therefore that legitimate Orchard funds are recoverable and the current supply of Zcash is sound,” they wrote.
Still, the team admitted a hard limit. Because Orchard hides activity, nobody can cryptographically prove the bug was never used.
Investors reacted sharply. ZEC fell from roughly $600 toward the $300 range within two days, according to CoinDesk.
The token then rebounded. By June 15, reports put ZEC near $485 with a market cap above $8 billion.
This is not the first counterfeiting scare for Zcash. Back in 2018, a similar soundness bug hid in the older Sprout pool.
Electric Coin Company quietly fixed that flaw before disclosing it. The secret approach later sparked debate about transparency.
This time the team chose speed and openness instead. Hornby even published his full work log alongside the disclosure.
Reaction across X and the Zcash forums leaned supportive. Many users praised the team for fast, open disclosure.
Some still pushed back on the “unlikely” framing. Without cryptographic proof, a few holders prefer to move funds out of caution.
Analysts also noted the irony of timing. The flaw surfaced just as ZEC traded near yearly highs around $600.
Secondary coverage echoed the same timeline. CoinDesk, The Block, and Cointelegraph all reported the May 29 discovery and the early-June patch.
The team is not stopping at the patch. Developers proposed the Ironwood upgrade around June 6.
Ironwood introduces a new shielded pool and seals the old Orchard pool. After that, no new funds enter Orchard and nothing circulates inside it.
That design forces every remaining outflow through the existing turnstile. So the network can rebuild a fully verifiable supply.
Ironwood targets activation in late July 2026. Users can move funds now if they prefer, though leaving them shielded is also reasonable.
For now, the Zcash Orchard vulnerability looks contained rather than catastrophic. The coming weeks will test that view as Ironwood goes live. This article is informational only and not financial advice.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Zcash Orchard Vulnerability: Funds Recoverable, Team Says
Bittensor TAO Surges 24% as US Disables Claude
Aztec Connect Exploit Drains $2.19M From Legacy Contract
MAX Hyperliquid Airdrop Crashes 90% After $250M Volume
Zcash Orchard Vulnerability: Funds Recoverable, Team Says
Bittensor TAO Surges 24% as US Disables Claude
Aztec Connect Exploit Drains $2.19M From Legacy Contract
MAX Hyperliquid Airdrop Crashes 90% After $250M Volume
Zcash
