AI-assisted audit uncovers Zcash bug, ZEC falls 30%

Independent researcher Taylor Hornby disclosed a vulnerability in Zcash’s Orchard privacy pool after using Anthropic’s Claude Opus 4.8 to assist code review and exploit testing. The flaw could have allowed an attacker to mint unlimited ZEC, the network’s native token.

Shielded Labs, the organization behind Zcash development, said the bug was present from Orchard’s activation in May 2022 until an emergency fix was deployed on June 1, 2026. The team wrote that “due to the privacy properties of Orchard and the nature of the bug, there is no definitive way to determine, using only cryptography, whether such exploitation occurred.” Developers urged stakeholders to apply the patch and monitor the network.

The disclosure triggered a rapid sell-off. ZEC fell more than 30%, briefly trading below $300 and wiping billions from the token’s market capitalization during the decline.

Security researchers and companies have been using advanced AI models such as Anthropic’s Claude Mythos and Opus and OpenAI’s GPT-5.5 to review code, audit software and hunt for vulnerabilities. Anthropic expanded Project Glasswing to give about 150 organizations controlled access to Claude Mythos to test and remediate bugs prior to a broader release. Other firms have introduced AI systems aimed at finding software flaws at scale.

Danny Jenkins, CEO and co-founder of ThreatLocker, warned that AI is accelerating vulnerability discovery and lowering the barrier to entry for people who can find and weaponize exploits. He described current models as effective at reviewing code and finding weaknesses that humans can miss. Stanislav Fort, founder and chief scientist of a security firm and a former researcher at large AI labs, argued that restricting access to frontier models is not a solution and that defenders need the same tools to keep up.

The incident highlights security risks for crypto and decentralized finance projects, where open-source code and large amounts of capital can attract attackers. More than $840 million was stolen from DeFi projects in the first five months of 2026, with April accounting for over $600 million of that total. Security professionals note that AI can automate routine reconnaissance and exploit development tasks while human operators focus on higher-level actions.

Developers and security teams say defenders can use the same AI tools to run audits, simulate attacks and monitor systems. Critics point to uneven access: many open-source maintainers lack budget and expertise to adopt advanced models, which could leave some projects more exposed.

Zcash maintainers implemented the emergency patch on June 1 and continue to advise node operators and users to update software and check the released fixes. Because Orchard shields transaction details by design, cryptographic methods alone cannot confirm whether counterfeit ZEC was created while the bug was active.