
Zcash Patches Critical Bug Before Any Exploitation

A soundness vulnerability in Zcash's Orchard shielded pool theoretically allowed double-spending and silent supply inflation. The fix required two coordinated protocol upgrades executed within five days, with no exploitation confirmed and total ZEC supply intact throughout.

Key Takeaways

  • On-Chain Footprint: Orchard pool frozen for roughly 24 hours via soft fork.
  • Historical Parallel: Only Zcash’s second emergency protocol upgrade since 2016.
  • Macro Overlap: ZEC gained 7% while broader crypto market declined.
  • Systemic Milestone: No unauthorized ZEC was created despite the flaw.

To understand the severity of what Zcash patched this week, it helps to understand what zero-knowledge proofs are supposed to guarantee. In Zcash’s shielded pools, transactions are validated cryptographically without revealing sender, receiver, or amount.

The system accepts a transaction only if its zero-knowledge proof is valid, meaning the underlying math confirms the transaction is legitimate without exposing any of its contents. Soundness is the property that makes this work: a sound system only accepts proofs for true statements. A soundness bug breaks that guarantee.

The vulnerability discovered by independent security researcher Taylor Hornby on May 29 was precisely this kind of flaw, located in the Orchard Action circuit, the cryptographic component at the core of Zcash’s newest and most advanced shielded pool.

In practical terms, a successful exploit could have allowed an attacker to submit transactions that the network would accept as valid despite containing invalid state transitions. That opens two attack vectors: double-spending funds within the Orchard pool, and silently minting unauthorized ZEC out of thin air within the shielded environment.

The second vector is particularly significant for a privacy coin. Because Orchard transactions are encrypted by design, inflated balances created through a soundness exploit would be invisible to external observers. There would be no on-chain footprint to detect. The attack could theoretically run unnoticed until the counterfeit ZEC attempted to cross into a transparent pool, at which point Zcash’s turnstile mechanism, which tracks total value across all pools and enforces supply invariants, would flag the discrepancy. That backstop existed, but it would have caught the damage after the fact rather than preventing it.
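The turnstile accounting described above can be modelled directly. The following Rust example is added here for illustration and is not code from Zebra or the Zcash project; the `BlockFlow` type, the `replay` function, and all heights and amounts are constructed. It tracks only the net value crossing the pool boundary, which is all an outside observer can see.

```rust
// Added example: simplified turnstile accounting for one shielded pool.
// Not Zebra's implementation; amounts (zatoshis) and heights are constructed.

#[derive(Debug, PartialEq)]
pub enum TurnstileError {
    /// A block tried to move more value out of the pool than ever entered it.
    NegativePoolBalance { height: u32, shortfall: i64 },
    /// Arithmetic overflow while updating the pool total.
    Overflow { height: u32 },
}

/// Net value one block moves out of the pool: positive = leaving to the
/// transparent side, negative = entering. Transfers inside the pool are 0.
pub struct BlockFlow {
    pub height: u32,
    pub value_balance: i64,
}

/// Replays blocks in order, returning the final pool total or the first
/// block that breaks the invariant "pool total never goes below zero".
pub fn replay(flows: &[BlockFlow]) -> Result<i64, TurnstileError> {
    let mut pool: i64 = 0;
    for f in flows {
        let next = pool
            .checked_sub(f.value_balance)
            .ok_or(TurnstileError::Overflow { height: f.height })?;
        if next < 0 {
            return Err(TurnstileError::NegativePoolBalance {
                height: f.height,
                shortfall: -next,
            });
        }
        pool = next;
    }
    Ok(pool)
}

/// Constructed scenario: 100 enters; block 2 is an in-pool transfer (the only
/// place hidden balances could be inflated); then 100 and 50 try to exit.
pub fn scenario() -> Vec<BlockFlow> {
    vec![
        BlockFlow { height: 1, value_balance: -100 },
        BlockFlow { height: 2, value_balance: 0 },
        BlockFlow { height: 3, value_balance: 100 },
        BlockFlow { height: 4, value_balance: 50 },
    ]
}

fn main() {
    let flows = scenario();
    println!("after block 2: {:?}", replay(&flows[..2]));
    println!("full replay:   {:?}", replay(&flows));
}
```

Replaying only the first two blocks returns a pool total of 100 whatever the in-pool transfer did, so nothing is flagged at that point. The full replay fails at block 4 with a shortfall of 50, the moment more value tries to leave than ever entered.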

The Response: Two Upgrades, Five Days

Hornby disclosed the vulnerability to ZODL engineers on the evening of May 29. Within hours, engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the issue and began coordinating a response. The challenge was significant: fixing a zero-knowledge proof circuit requires updating the verifying key, a change that cannot be deployed through a standard software patch. A full protocol upgrade was unavoidable.

The response came in two stages. The first priority was containing the vulnerability before the fix was ready. On June 2, Zebra 4.5.3 executed an emergency soft fork at mainnet block height 3,363,426, rejecting any block containing Orchard actions. This effectively froze the vulnerable pool, removing the attack surface while the circuit fix was finalized. Nodes running 4.5.3 were configured not to penalize peers still relaying Orchard-containing data, preserving network connectivity during the transition window.

The permanent fix followed on June 3. Zebra 5.0.0 activated the NU6.2 hard fork at block height 3,364,600, deploying the corrected Orchard Action circuit and re-enabling the pool. The hard fork routed Orchard proofs to a per-circuit verifying key structure, permanently closing the vulnerability the soft fork had temporarily contained. NU6.2 activated at 00:05 EDT on June 3, marking only the second security-driven protocol upgrade in Zcash’s history since its 2016 launch.

The Outcome: Supply Intact, Privacy Preserved

Zcash’s turnstile mechanism confirmed throughout the incident that total ZEC supply remained unchanged and no unauthorized value was created. User privacy was not compromised at any point. Sapling transactions and transparent addresses continued operating normally while Orchard was frozen, meaning the practical impact on users was limited to a temporary suspension of Orchard-specific functionality.

ZEC is trading at $607 at the time of writing, up 7% on the day, in a session where BTC fell 2% and ETH fell 3%. A vulnerability discovered, contained, and permanently patched within five days, with no exploitation and no supply impact, is a materially different outcome than the same flaw going undetected or being exploited before disclosure.

[Figure: ZEC price chart from TradingView]

The coordinated response between an independent researcher, protocol engineers, miners, exchanges, and node operators is what made that outcome possible.



Author

Reporter at Coindoo

Alexander Zdravkov is a market analyst and crypto journalist with interests in economics, broader financial markets and digital assets. His journey into crypto began more than four years ago, driven by a fascination with the rapid evolution of blockchain technology and the transformative potential of decentralized finance. He began analyzing market cycles and identifying emerging trends before they reach the mainstream. He holds a degree in International Relations - a background that helped shape his broader perspective on global economics, geopolitics, and the interconnected nature of modern financial markets. Whether covering the latest developments in the crypto sector or exploring broader macroeconomic themes, Alexander focuses on giving readers context rather than simply repeating headlines. During his career, he has authored more than 10,000 articles covering cryptocurrencies, traditional finance, and global market developments. His work spans everything from Bitcoin and altcoins to macroeconomic trends influencing risk assets worldwide.
