Zcash has fixed a critical soundness vulnerability in the Orchard shielded pool through a coordinated soft fork and hard fork upgrade. No exploitation of the double-spending vulnerability has been proven, and the 21 million ZEC supply cap stayed untouched, according to the developer team.
Zcash (ZEC) is a cryptocurrency that has existed since October 2016 with a focus on financial privacy. It uses zero-knowledge proofs to fully conceal the sender, recipient and amount of a transaction. The Orchard pool is the most technically advanced of the three Zcash pools and runs on Halo 2, a ZK proof system without a trusted setup. Orchard originally went live with Network Upgrade 5 (NU5) in May 2022. Since then, the holdings kept in the pool have grown from roughly 1 million to more than 4.5 million ZEC, and more than 30% of the circulating ZEC supply now sits in shielded pools. The vulnerability that has now been fixed would theoretically have allowed double-spending in the Orchard pool, an attack that could have inflated the total supply.
Zcash Orchard vulnerability allowed theoretical double-spending
The flaw lay in the implementation of the zero-knowledge proof circuit in the `halo2_gadgets` crate, specifically in a faulty "incomplete double-and-add loop" in `ecc::chip::mul`. A soundness bug means the system accepts an invalid transaction as valid. As a result, an attacker could have spent ZEC in the Orchard pool multiple times without holding valid proofs. User privacy, however, was never at risk, whether in Orchard, in Sapling or in the transparent pool.
Taylor Hornby, an independent security researcher and former senior security engineer at the Electric Coin Company (ECC), discovered the vulnerability in late May 2026. He reported the finding privately that same evening at 11:53 p.m. Since April 2026, Hornby has additionally worked as a security consultant at Shielded Labs, a Swiss-based non-profit organization. The organization had previously hired him under a three-month part-time engagement and thereby funded the research work that led to the discovery.
The engagement was an explicit response to a marked rise in security-relevant activity. Earlier, in March 2026, an AI-assisted researcher had found a critical vulnerability in `zcashd` that had gone undetected for roughly six years. In addition, a new generation of AI-assisted code analysis tools appeared only one day before Hornby's finding. According to the developers, this trend considerably accelerates the race between discovering vulnerabilities and fixing them.
Two-stage remediation: Orchard frozen first, then the vulnerability fixed
The fix proceeded in two stages, each activated by network-wide consensus. First, a soft fork temporarily disabled Orchard and blocked both the creation of new Orchard outputs and the spending of existing funds. This sequence was a tactical choice, not solely a technical necessity, because a direct patch would have revealed too much about the nature of the flaw to a potential attacker.
The first activation attempt of the soft fork failed on the evening of June 1 due to coordination problems. A second patch followed, after which the soft fork took effect at block 3,363,426 around 02:00 UTC on June 2. During convergence, a 25-block fork initially arose between blocks 3,363,431 and 3,363,455, amounting to 37 orphaned blocks in total. Roughly one hour later, the network stabilized again. Sapling and transparent transactions ran unhindered throughout the entire phase, and ZEC remained tradable on exchanges at all times.
Subsequently, a hard fork fixed the vulnerability completely by updating the pinned verifying key for the Orchard circuit. This step was necessary because the ZK proof circuit itself had to change. The network upgrade finally succeeded on June 3, restoring Orchard to full activity after roughly 24 hours. The patched software carries the versions `zcashd v6.20.0` and `zebrad v5.0.0`. A CVE number was not yet available at this point.
ZODL passes its first trial by fire after the ECC split
The Zcash Open Development Lab (ZODL), an organization newly founded in January 2026 from the former core team of the ECC, confirmed and fixed the flaw. The entire engineering and product team had resigned at the time after a governance dispute with Bootstrap, the non-profit board of the ECC. ZODL was founded and is led by Josh Swihart, the former ECC CEO. In March 2026, the organization additionally closed a seed round of 25 million USD, in which Paradigm, a16z crypto, Winklevoss Capital, Coinbase Ventures and Balaji Srinivasan participated.
Zcash governance today is distributed across three independent poles. ZODL handles core development, alongside the Zcash Foundation and Shielded Labs. The latter is donation-funded and receives no money from the Development Fund or from block rewards. Zcash founder Zooko Wilcox serves there as head of product, and the Winklevoss twins donated 1.2 million USD in January 2026. The ECC continues to exist under Bootstrap oversight, but without its own engineering team.
The ZODL engineers Jack Grigg, Daira-Emma Hopwood and Kris Nuttycombe confirmed the vulnerability within hours of Hornby's report. Two of them, Grigg and Hopwood, had co-invented Halo 2, the very proof system in whose implementation the flaw now appeared.
The second security-driven protocol upgrade in Zcash history
This is only the second security-driven protocol upgrade in Zcash history. The first concerned a counterfeiting vulnerability in 2018 in the BCTV14 zk-SNARK scheme of the original Sprout pool, registered as CVE-2019-7167. Ariel Gabizon had discovered it during his work at the Zcash Company, eleven months before the public disclosure. The Sapling upgrade fixed it at block 419,200 in October 2018, likewise without a proven exploit and without supply impact. The current incident, however, was handled considerably faster, taking under five days from discovery to fix.
Structurally, the turnstile mechanism protects the supply cap even against a theoretical exploit. It treats each shielded pool as a single public balance and thus ensures that no more can flow out of a pool than previously flowed in. The current circulating supply stands at roughly 16.7 million ZEC, about 79.5% of the maximum capped at 21 million ZEC.
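The turnstile rule described above can be modeled as a per-pool running balance that a block may never drive below zero. The following is an added example, not code from Zcash or from the teams named in this article; `Turnstile`, `BlockDeltas`, `sample_chain` and all amounts are hypothetical and constructed, and it assumes each block's net flow per pool is already known.

```rust
use std::collections::HashMap;

pub const ZAT: i64 = 100_000_000; // zatoshis per ZEC
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Pool { Sapling, Orchard } // only the pools used in the sample
#[derive(Debug, PartialEq)]
pub enum TurnstileError {
    NegativeBalance { pool: Pool, height: u32, shortfall: u64 },
    Overflow { pool: Pool, height: u32 },
}
/// Hypothetical per-block summary: net value entering (+) or leaving (-) each pool.
pub struct BlockDeltas { pub height: u32, pub deltas: Vec<(Pool, i64)> }
#[derive(Default)]
pub struct Turnstile { balances: HashMap<Pool, i64> }

impl Turnstile {
    pub fn balance(&self, pool: Pool) -> i64 { self.balances.get(&pool).copied().unwrap_or(0) }
    /// Applies a block atomically: every pool stays >= 0, or no balance changes.
    pub fn apply(&mut self, block: &BlockDeltas) -> Result<(), TurnstileError> {
        let mut next = self.balances.clone();
        for &(pool, delta) in &block.deltas {
            let slot = next.entry(pool).or_insert(0);
            let updated = slot.checked_add(delta)
                .ok_or(TurnstileError::Overflow { pool, height: block.height })?;
            if updated < 0 {
                let shortfall = updated.unsigned_abs();
                return Err(TurnstileError::NegativeBalance { pool, height: block.height, shortfall });
            }
            *slot = updated;
        }
        self.balances = next; // commit only after every delta passed the check
        Ok(())
    }
}

/// Constructed sample chain; heights and amounts are illustrative only.
pub fn sample_chain() -> Vec<BlockDeltas> {
    vec![
        BlockDeltas { height: 1, deltas: vec![(Pool::Orchard, 1_000 * ZAT), (Pool::Sapling, 200 * ZAT)] },
        BlockDeltas { height: 2, deltas: vec![(Pool::Orchard, -400 * ZAT)] },
        // Withdraws 700 ZEC from Orchard although only 600 ZEC remain in the pool.
        BlockDeltas { height: 3, deltas: vec![(Pool::Sapling, 50 * ZAT), (Pool::Orchard, -700 * ZAT)] },
    ]
}

fn main() {
    let mut t = Turnstile::default();
    for b in sample_chain() { println!("height {}: {:?}", b.height, t.apply(&b)); }
    println!("Orchard balance: {} zatoshis", t.balance(Pool::Orchard));
}
```

The rejected block at height 3 leaves both pool balances unchanged, which is why value counterfeited inside a pool cannot leave it beyond what was deposited.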
Furthermore, security-driven upgrades are not a phenomenon specific to Zcash. Bitcoin (2010), Ethereum (2016) and Monero (2017) went through comparable episodes, which are better read as part of the maturing process of complex crypto protocols than as signs of structural weakness.








