A soundness bug that could have enabled double-spending within Zcash’s newest privacy layer was discovered, patched, and deployed across the network in a matter of days — with no evidence of exploitation.
Zcash’s Orchard shielded pool is back online following a coordinated emergency network upgrade that patched a critical soundness vulnerability. If exploited, the vulnerability could have allowed double-spending of funds within the pool. The fix was activated on June 3, 2026, after a days-long effort involving developers, miners, exchanges, node operators, and infrastructure providers across the ecosystem.
The vulnerability was discovered on May 29 by Taylor Hornby, an independent security researcher contracted by Shielded Labs to audit the Orchard protocol. Hornby responsibly disclosed the issue to the Zcash Open Development Lab (ZODL), whose engineers confirmed the flaw within hours and began developing a remediation plan.
What went wrong and how it was fixed
As detailed by ZODL in an X post, the bug resided in the zero-knowledge proof circuit powering Orchard, specifically in the elliptic curve multiplication gadget inside the halo2_gadgets crate. Because the loop failed to properly anchor the base point used in scalar multiplication, a malicious prover could substitute a different base, causing the gadget to produce an incorrect output. This is known as a soundness bug — the system could be made to accept a transaction it should have rejected.
Because the flaw was embedded in the proof circuit itself, a fix required updating the circuit’s verifying key, something that can only be done through a consensus-level network upgrade, not a standard software patch. This made coordinated ecosystem participation essential.
“A soundness vulnerability is a flaw that could allow the system to accept something it should reject. In this case, successful exploitation could have allowed the Orchard pool to accept invalid state transitions, potentially affecting the pool’s accounting guarantees.” — ZODL
A two-stage upgrade
Engineers deployed the fix in two stages. A soft fork was activated first to temporarily disable Orchard, blocking both new outputs and spending of existing funds, without disclosing the nature of the flaw in the code itself. This limited the window of exposure while the full fix was developed.
A subsequent hard fork updated the proof circuit and fully restored Orchard functionality. The hard fork activated at block height 3,363,426 on June 3 at 00:10 EDT, roughly two hours behind the original schedule after an initial coordination challenge during patch deployment.
User funds and privacy not affected
Zcash’s turnstile mechanism, which tracks the total ZEC balance across all value pools, provided visibility throughout the incident. Analysis conducted during the response found no evidence of unauthorized value creation and no impact to the total 21 million ZEC supply cap. The vulnerability did not affect user privacy in any pool, and ZEC held on exchanges remained tradable throughout.
Sapling and transparent Zcash transactions were unaffected and continued to operate normally during the upgrade window.
Given the time available and the number of parties involved (the devs at @zodl_app and @ZcashFoundation, miners, exchanges, others), this was the most ambitious network upgrade in Zcash’s history.
I’m especially grateful to my team, including @feministPLT, @nuttycom, @str4d,… https://t.co/C9DePWVBT2
— Josh Swihart 🛡 (@jswihart) June 3, 2026
Security in the age of AI-assisted research
ZODL noted that the timing of the discovery—one day after a new generation of AI-assisted code analysis tools became available — may be significant. The organization described the incident as a signal of what’s ahead for the broader software industry: as AI tools dramatically accelerate vulnerability discovery, the ability to respond quickly becomes a critical competitive advantage for any protocol.
“Zcash protocol security is not a single audit, a single team, or a single upgrade. It is an ongoing discipline strengthened through cooperation, rigorous review, responsible disclosure, deep expertise, and effective coordination. This incident demonstrated that those systems work,” said the ZODL team.
Fixed releases—zcashd v6.20.0 and zebrad v5.0.0—are now available, along with updated versions of the halo2_gadgets, orchard, and zcash_primitives Rust crates. In addition, new versions of the mobile wallet SDKs maintained by ZODL have been released.