Critical Zero‑Day in Zcash Orchard Privacy Pool Allows Undetectable Counterfeit ZEC Creation
What Happened — A critical flaw in Zcash’s Orchard privacy pool, present from its launch in May 2022, allowed an attacker to generate unlimited counterfeit ZEC while remaining cryptographically invisible. The vulnerability was uncovered on May 29, 2026 by researcher Taylor Hornby using the Claude Opus 4.8 AI model and was patched in an emergency release on June 1, 2026.
Why It Matters for TPRM —
- Undetectable counterfeit coins can erode confidence in blockchain‑based financial services and expose downstream vendors (exchanges, custodians, DeFi platforms) to fraud and regulatory scrutiny.
- The four‑year exposure window illustrates the danger of long‑standing, undisclosed weaknesses in third‑party cryptographic protocols.
- A 43% drop in ZEC price after disclosure shows direct financial impact for firms holding or transacting ZEC.
Who Is Affected — Cryptocurrency exchanges, custodial wallet providers, DeFi protocols, blockchain analytics firms, and any organization that integrates Zcash as a settlement asset or as part of its settlement layer.
Recommended Actions —
- Confirm that all Zcash‑related services you use have applied the June 1, 2026 emergency patch.
- Review contractual clauses that address undisclosed vulnerabilities in third‑party cryptographic components.
- Augment due‑diligence with a focused audit of the vendor’s code‑review and bug‑bounty processes.
Technical Notes — The bug stemmed from a missing enforcement check in Orchard’s transaction‑validation logic, allowing false inputs to satisfy zero‑knowledge proofs and create ZEC from nothing. No CVE was assigned; the issue was disclosed privately and remediated via an emergency code update. Source: Security Affairs