A critical vulnerability in the Orchard shielded pool of Zcash has been discovered, allowing potential counterfeit ZEC to be created undetectably.
The bug, which was present from May 2022 until June 1, 2026, when an emergency fix was deployed, could have enabled a malicious actor to create counterfeit ZEC inside the shielded pool with no on-chain signature.
Critics argue that privacy coins like Zcash enable a unique class of bugs where exploitation may never be detected, as the privacy properties of Orchard and the nature of the bug make it impossible to determine whether such exploitation occurred using only cryptography.