ZEC collapses by 38% after Zcash exposes a “serious counterfeiting security vulnerability.”

Zikash The number of cryptocurrencies dropped dramatically overnight after developers revealed a critical security vulnerability in the Orchard protocol-protected pool that could have allowed undetectable counterfeiting for more than four years.

the Privacy coin It fell from Wednesday’s local high of $635 to an intraday low of $309 on Thursday, according to CoinGecko data. It has since rebounded slightly to around $330, down 37.8% on the day.

The vulnerability was discovered on May 29 by security researcher Taylor Hornby using AI-powered auditing tools.

It was located in two lines of code within the Orchard Circuit, the cryptographic component that governs protected Zcash transactions, and allowed a malicious actor to create a fake ZEC within the protected pool without an on-chain signature. If the vulnerability had been exploited before it was discovered, there would have been no way to prove it.

“The vulnerability existed from the time Orchard was activated in May 2022 until the emergency fix was deployed on June 1, 2026,” Shielded Labs, the organization behind Zcash’s development, said. Written in the function of detection. “Given the privacy characteristics of Orchard and the nature of the error, there is no definitive way to determine whether this exploit occurred using encryption alone.”

The incident has reignited debate about a structural problem that critics say goes beyond the specific flaw. Unlike Bitcoin or EthereumWhere on-chain exploitation is immediately visible, privacy coins like Zcash create conditions where a successful attack may never be detected.

“Zcash allows for a unique class of bugs, where if it was exploited, no one would know,” crypto commentator Udi Wertheimer chirp. “This unique class still exists. The fact that they fixed this specific bug is immaterial.”

Unconstrained elliptic curve checks, the flaw class at the heart of this vulnerability, are among the most common vulnerabilities in ZK production circuits, according to Joe Andrews, CEO of Aztec Labs, a privacy-first product studio. This pattern is not new to Zcash, Andrews said, adding that AI is accelerating the rate at which such errors are detected across the industry.

Andrews said the solution is long-term Decryptionis a formal verification of the circuit combined with a second proof system, an approach Ethereum is already planning. “Both systems must agree that the state transition is valid, which greatly reduces the chances of exploiting bugs,” he said.

Mixed market reaction

Arthur Hayes, former CEO of BitMEX, revealed that he liquidated his entire position in Zcash following the revelation.

The immediate risk facing holders of these bonds is not chain-wide inflation, but rather the potential insolvency of the Orchard pool itself, meaning that protected ZEC holders could be diluted if fake claims compete with legitimate claims for a limited balance of the pool.

Not everyone shares this alarm. Craig Salem, Grayscale’s chief legal officer, said exploitation before the patch was unlikely. To believe the vulnerability had actually been exploited, someone would have had to scan the code base more thoroughly than all the core developers combined, and then resist the urge to exhaust the entire group during a historic bull run, Salem said. “It seems unlikely to me,” he said chirp.

Shielded Labs proposed an upgrade to the network by deploying a new shielded pool with revolving accounting, allowing anyone to verify the integrity of Zcash supplies.

Andrews said the structure of that upgrade, which requires all coins to be removed before entering the new pool, effectively limits risks from any previous exploitation of the existing amount of protected assets. “Formal verification of the new upgrade reduces the risk significantly,” he said.