Zcash’s native token, ZEC, plunged more than 30% after developers disclosed a critical vulnerability that could have allowed an attacker to create an unlimited number of counterfeit tokens without detection, according to reports published Thursday and Friday.
The flaw was discovered during a security review of Zcash’s Orchard privacy pool, a core component of the network’s shielded transaction system. Developers said the bug had existed for roughly four years before being identified and patched.
According to the reports, the vulnerability represented a “soundness” issue in the cryptographic system underpinning Orchard. In theory, it could have enabled the creation of unlimited counterfeit ZEC while remaining undetectable on-chain, raising concerns about the integrity of the cryptocurrency’s fixed supply.
The issue was reportedly uncovered by security researcher Taylor Hornby during an audit commissioned by Shielded Labs, a nonprofit organization involved in Zcash development. Shielded Labs said the researcher used Anthropic’s Opus AI model alongside custom tooling to help identify and demonstrate the flaw in a test environment.
Developers moved quickly to address the problem, deploying an emergency fix and network upgrade after the vulnerability was reported. Shielded Labs stated that it found no evidence that the flaw had been exploited on the live network before it was patched.
Despite the absence of any confirmed exploit, investors reacted sharply to the disclosure. ZEC suffered one of its steepest single-day declines in recent memory as traders reassessed the risks associated with a vulnerability that could have undermined confidence in the token’s supply.
The episode has also drawn attention to the challenges of securing advanced privacy-focused blockchain systems. Because Zcash’s shielded transactions conceal key transaction data, developers acknowledged that proving with certainty whether the flaw had ever been abused is difficult, even though they consider prior exploitation unlikely.