LONDON, June 5, 2026, 09:14 BST
Zcash’s ZEC token plunged more than 40% on Friday after Shielded Labs said a major bug in the privacy coin’s Orchard pool went unnoticed for years, potentially letting fake ZEC be generated. ZEC last traded close to $328, with CoinGecko posting it at $325.25, down 42.5% for the day. Trading volumes topped $2.2 billion.
Zcash is down and that’s a problem for its pitch. The coin trades on private transfers and tight supply. The Orchard pool is the main source of privacy. Zcash’s site listed 5.12 million shielded ZEC out of a 16.75 million total, so a big chunk of private coins is now in focus.
Shielded Labs said Taylor Hornby, a security engineer it brought on in April, found the Orchard vulnerability May 29 during a closer look at the system behind Zcash’s shielded transactions. Zooko Wilcox, Jason McGee, and Hornby wrote that the bug was “real and exploitable.” A local test generated unlimited counterfeit ZEC, they said. The team added that cryptography alone gives “no definitive way to determine” if attackers used the flaw before the fix. Zcash Community Forum
Zcash Foundation put the scope of the problem at a soundness bug in the Orchard zero-knowledge proof circuit. That’s the system for letting nodes check a private transaction without knowing what’s inside. The foundation said it saw “no evidence of unauthorized value creation.” Its turnstile mechanism, which checks value pools against each other, showed the supply was untouched. Zcash Foundation
Zcash Foundation kicked off its emergency response after the private alert. Engineers and network participants first shut down Orchard transactions with a soft fork at block 3,363,426, hitting around 0200 GMT on June 2. Then they brought Orchard back using a fixed circuit through the NU6.2 hard fork at block 3,364,600 on June 3.
Hard forks update network rules and need users to follow the new chain. After the fork, certain block explorers stopped showing Zcash data. ZODL founder Josh Swihart told CoinDesk that miners already switched to the new chain, but “many popular block explorers were still watching the old one.” CoinDesk
ZEC dropped fast, with CoinDesk saying Friday the price was already down about 30% to $400, and losses kept getting worse as sellers moved in after the supply-risk bug was disclosed. Live feeds later in the day showed traders pricing in even more risk.
ZEC fell harder than the rest of the crypto market as the space traded lower. CoinGecko showed the global crypto market off 3.17%. Bitcoin hovered around $62,700, with Monero—Zcash’s privacy rival—holding near $328.
Arthur Hayes, co-founder of BitMEX, told Cointelegraph he didn’t think ZEC was illegally minted due to the flaw but said it “cannot be formally cryptographically proved impossible.” Hayes exited his ZEC position over the Orchard problem, according to Cointelegraph, as reported by TradingView. TradingView
There’s a risk the patch isn’t the last fix. Shielded Labs is looking at another network upgrade to move coins to a new shielded pool and start turnstile accounting for Orchard exits. The group said anything big would need user backing and the full governance process.
Zcash has had similar scares in the past. Back in 2018, a bug in older Zcash cryptography could have let attackers mint unlimited coins, Gizmodo reported. The flaw got fixed before it was made public. Zcash later disclosed the issue. The episode showed how private money systems can hide major problems, even after repairs.
