Zcash crashes 37% as critical Orchard flaw sparks counterfeiting fears

Zcash fell 37% to $329 after Shielded Labs disclosed a critical counterfeiting vulnerability in the privacy coin's Orchard shielded pool, sending the Winklevoss-backed token to its lowest level since March.

"There will be bugs found in the software behind any blockchain," Cameron Winklevoss said in an X post. "What's important is that there are world class researchers focused on hardening the network and staying ahead of the bad guys."

Security engineer Taylor Hornby discovered the flaw on May 29 during an audit assisted by Anthropic's Claude Opus 4.8 model, Shielded Labs said. The vulnerability, which went undetected for four years, stemmed from a soundness issue in the zero-knowledge proof circuit that validates private transactions on Zcash, potentially allowing unlimited undetectable counterfeit ZEC creation inside Orchard wallets. Developers deployed an emergency soft fork in Zebra 4.5.3 that temporarily disabled Orchard transactions, followed by a hard fork at block height 3,364,600 on June 3 that re-enabled the shielded pool with the fix in place.

The incident thrust Cypherpunk Technologies' $102 million Zcash holdings into the red. The company, which pivoted to buying Zcash late last year after a $59 million private placement led by Winklevoss Capital, purchased 314,185 ZEC at an average price of $337 apiece. Cypherpunk shares (CYPH) fell 37% to $0.59 on Nasdaq, recovering from an intraday low of $0.53. Gemini (GEMI), the Winklevoss twins' exchange, slipped 4.4% to $4.41. Last month, Cypherpunk reported a net loss of $77.2 million for the three months ended March 31, citing the swing in its Zcash holdings.

Shielded Labs said there is "no evidence of unauthorized value creation," but Orchard's privacy design makes it impossible to cryptographically prove whether the flaw was exploited before disclosure. BitMEX co-founder Arthur Hayes said on X that he dumped his entire ZEC bag, calling it "impossible" to assess whether the bug was exploited, though he thinks it is "extremely unlikely." Cypherpunk Chief Investment Officer Will McEvoy told Decrypt the firm remains "firmly committed to our 5% network accumulation target," adding that "short-term price action is noise."

The vulnerability is the second counterfeiting-related bug in Zcash's history. In 2018, the Electric Coin Company discovered a similar flaw in the cryptography underpinning its zero-knowledge proofs and remediated it without known losses. Peter Todd, a longtime Bitcoin researcher who participated in Zcash's initial trusted setup ceremony, argued on X that privacy at the consensus level creates unique dangers. "Bitcoin has never had an inflation exploit that could destroy the value of the currency," he wrote. "The privacy of Zcash makes inflation exploits far more dangerous."

ZEC traded near $390 on Thursday after briefly changing hands above $611 earlier this week, wiping more than $3 billion from its market capitalization. The next major technical support sits near the 200-day exponential moving average at $367, a region that also aligns with a historically high-volume trading zone. Below that, volume profile data indicates another active trading band between $220 and $260, where ZEC consolidated earlier this year. Daily relative strength index has dropped to roughly 37, its lowest level in several weeks, while Coinglass data shows remaining liquidation clusters concentrated between $430 and $500, with larger pockets extending toward $550.

Shielded Labs said it is working with Zcash developers on a network upgrade that would allow users to verify the integrity of the circulating ZEC supply and prove the absence of counterfeit coins in the Orchard pool, though no timeline has been provided.

This article is for informational purposes only and does not constitute investment advice.