Zcash fixes critical Orchard bug after emergency network upgrade, restores shielded transactions

Zcash developers pulled off something rare in crypto this week: they found a critical bug, shut down the affected system, patched it, and brought everything back online in under a week. No exploit. No lost funds. No privacy breach.

The vulnerability, discovered on May 29 by independent researcher Taylor Hornby during an audit, affected the zero-knowledge proof circuit powering Zcash’s Orchard shielded pool. In plain English: the bug could have allowed someone to fake valid transactions within the pool, potentially enabling limited double-spending. The Zcash Foundation confirmed there was no evidence the flaw was ever exploited.

How the fix unfolded

The response came in two stages. First, an emergency soft fork deployed at block height 3,363,426, effectively disabling Orchard transactions starting around June 1-2. Then came the real fix. A hard fork dubbed NU6.2 activated on June 3 at 00:05 EDT, around block 3,364,600, deploying an updated proof circuit that patched the vulnerability and restored full Orchard functionality.

The transition wasn’t perfectly smooth. The Zcash Open Development Lab (ZODL) acknowledged that the network briefly became unstable as miners upgraded to the new software. Block production halted for over four hours on June 3 while the network’s mining infrastructure caught up.