ZEC plunges 30% after AI finds Zcash counterfeiting bug
ZEC fell about 30% after an engineer using Anthropic’s Claude found a Zcash Orchard bug that could allow undetectable counterfeit ZEC; a hard fork patched it on June 3.
A counterfeiting vulnerability in Zcash’s Orchard shielded pool, discovered with the help of Anthropic’s Claude model, prompted a roughly 30% drop in ZEC after researchers demonstrated the flaw could enable unlimited minting. Security engineer Taylor Hornby, engaged by Shielded Labs, identified the Orchard bug on May 29 and disclosed it to the Zcash Open Development Lab. Developers activated an emergency hard fork on June 3 to apply the patch. The flaw appears to have been present since May 2022.
Hornby used Claude Opus 4.8 to perform a targeted review of the Orchard circuit and found a way to supply false inputs to an elliptic curve multiplication check, a cryptographic verification step used in transaction validation. The researchers built and tested an exploit that produced counterfeit ZEC. They wrote, “If he had run the same tool on Zcash mainnet it would have generated unlimited, undetectable counterfeit ZEC in his mainnet Zcash wallet.”
Orchard’s privacy properties prevent a simple cryptographic proof that no counterfeit coins were created before the patch. Shielded Labs and Zcash developers are working on a proposed upgrade that would allow anyone to verify the total ZEC supply and to prove the nonexistence of counterfeit tokens in the Orchard pool. Shielded Labs wrote it was “not overly concerned” because the flaw was subtle and had escaped prior audits.
Market reaction was immediate. ZEC fell more than 30% over 24 hours to about $410, cutting the token’s market capitalization by over $3 billion. Traders reassessed exposure after the disclosure. BitMEX co-founder Arthur Hayes wrote that he finds it unlikely ZEC was minted through the bug but added, “it cannot be formally cryptographically proved impossible.” He also wrote he sold his entire ZEC position, adding, “Sadly, due to the Orchard Pool exploit, I had to dump our entire ZEC bag,” and, “The Holy Trinity is dead.”
Similar theoretical vulnerabilities have appeared in privacy-focused systems. In 2018, researchers uncovered a counterfeiting flaw in Zcash’s zero-knowledge proof implementation that was remediated by 2019. Mert Mumtaz, co-founder of Helius, noted that variants of this concern recur as new reviewers test privacy pool designs.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
