Zcash Patches Critical Bug Enabling Unlimited Counterfeit ZEC Minting as Price Crashes 41%

A Forgery Flaw Hidden Since 2022

Zcash founder Zooko Wilcox confirmed that security researcher Taylor Hornby had uncovered a counterfeiting vulnerability in Orchard, the network’s main privacy pool, and disclosed it privately to him on May 29. The bug could have been used to create undetectable counterfeit ZEC coins that the network would have accepted as genuine, while the fraud stayed invisible inside the shielded pool.

Hornby did not stop at theory and with the help of an artificial intelligence model, he devised a complete exploit and generated an unlimited number of counterfeit ZEC in local testing. The disclosure sent ZEC down 40% in a single day as developers subsequently revealed that the flaw had been present since the Orchard pool launched in May 2022 (sitting undetected for roughly four years and surviving repeated audits by specialists who never spotted it).

Because Orchard is a fully shielded system, the disclosure carried an unusual sting, i.e., there is no cryptographic way to prove the bug was never abused. The same privacy guarantees that make Zcash attractive to users who want confidential transactions also make it impossible to audit the shielded supply for fake coins minted before the patch landed. In a transparent ledger like Bitcoin, anyone can verify that supply matches the protocol’s rules; in a shielded pool, that certainty is precisely what is sacrificed for privacy.

How Developers Responded

Hornby reported the issue to the Zcash Open Development Lab, which coordinated an emergency response across wallets, exchanges and node operators before shipping a fix on June 2. In a detailed post on the Zcash community forum, the team walked through the vulnerability and outlined next steps, including proposals to strengthen supply verification so a similar flaw could be detected and contained far more quickly in the future.

Despite the severity, developers urged calm with Shielded Labs saying it was not “overly concerned” that counterfeiting had actually occurred, reasoning that the bug had survived years of review by some of the world’s most capable cryptographers without being found or exploited.

Regardless, the timing is awkward for a privacy sector that has spent much of 2026 in the spotlight. Bitcoin.com News reported last month that privacy tokens had been surging amid a global pushback against financial surveillance, with ZEC among the standout performers. The token had surged past $600 earlier in the cycle, at one point flipping monero by market capitalization, before the Orchard scare wiped out part of those gains.

What the Bug Means for ZEC Holders

For holders, the immediate cost was price as ZEC shed roughly a third of its value within a day, unwinding a meaningful slice of a rally that had made it one of the year’s best-performing crypto assets. The harder problem is reputational since a privacy coin’s entire pitch rests on mathematical certainty, and an assurance that reads “we are reasonably confident no one counterfeited” is softer than the airtight guarantees the category usually advertises to buyers.

The counterargument is that the disclosure process worked as designed, since an independent researcher found the flaw and reported it before any confirmed abuse. Moreover, major networks from Bitcoin to Ethereum have weathered serious bugs too in the past (all of which were caught and fixed before they could be weaponized).

The test for Zcash now is whether its planned supply-verification upgrades can turn a frightening near miss into a credibility win rather than a lasting stain.

Zcash’s privacy peers rode the same wave of demand this year, with ZEC and DASH leading a broad sector rally that pushed combined market value sharply higher. Institutional interest had also been building, with Grayscale moving toward a regulated ZEC product.

Whether the Orchard episode becomes a footnote or a turning point will hinge on what developers ship next and on whether the market treats a patched, apparently unexploited bug as a warning shot or a reason to walk away.