MarketPR
A critical soundness bug in Zcash's Orchard shielded pool — one that could have allowed silent, undetectable inflation of $ZEC supply — was discovered by security researcher Taylor Hornby of Shielded Labs on May 29, 2026, triggering a sell-off that erased more than $4 billion in market capitalization and sent the token down roughly 60%.
The flaw had been live since Orchard launched in May 2022, leaving roughly four years of exposure before a patch was deployed.
What the Bug Actually Did The vulnerability was a missing constraint in Zcash's Orchard circuit, the cryptographic component underpinning private transactions in the protocol.
Without that constraint, a malicious prover could spend the same shielded note more than once while generating a different nullifier each time — effectively counterfeiting ZEC inside the Orchard pool with no on-chain fingerprint to trace.
Keep reading