Zcash Fixes Critical Vulnerability as ZEC Price Falls 31%

Zcash developers have patched a critical vulnerability that could have allowed attackers to create an unlimited amount of counterfeit ZEC within the network’s Orchard shielded transaction pool.

The issue was discovered by security engineer Taylor Hornby during an independent security review conducted for Shielded Labs, a support organization focused on the Zcash ecosystem. According to the findings, the flaw existed within the Orchard circuit, a zero-knowledge proof system responsible for validating private transactions on the network.

Researchers said the vulnerability made it possible to submit false inputs that could still pass verification checks. In testing conducted within a local environment, the flaw reportedly enabled the creation of unlimited counterfeit ZEC without detection.

Vulnerability Existed Since 2022 Activation

The Orchard pool was introduced in May 2022 to enhance privacy for Zcash users. Shielded Labs confirmed that the vulnerability had been present since the feature launched but was successfully patched on June 1 after being reported to developers.

The discovery was made on May 29 using a combination of traditional security research methods and advanced AI-assisted analysis. Researchers quickly notified engineers, who worked to address the issue before it could be exploited.

Experts Say Real-World Exploitation Appears Unlikely

Despite the seriousness of the flaw, researchers believe actual exploitation is unlikely. They noted that the vulnerability remained undiscovered for years despite extensive review by experienced cryptographers and security experts.

ZEC Price Drops Following Disclosure

News of the vulnerability triggered a sharp market reaction. ZEC fell approximately 31% within 24 hours, with much of the decline occurring shortly after the findings became public.

To strengthen confidence in the network, developers are exploring future upgrades that would allow public verification of the Zcash supply and help confirm that no counterfeit coins were created while the vulnerability existed. The proposed changes could also introduce a new shielded pool and additional accounting safeguards for private transactions.