Zcash faces governance concerns after emergency hard fork over critical vulnerability

A critical vulnerability in Zcash’s Orchard shielded transaction pool forced an emergency hard fork in early June, patching a bug that could have allowed undetectable counterfeiting of ZEC tokens. The fix worked. No funds were lost, no exploitation was detected. But the way it happened has the community asking uncomfortable questions.

Three developers coordinated directly with three major mining pools to execute the fork, with no advance public notice and no broader community input.

What happened, and how fast it happened

The vulnerability was identified on May 29, 2026. It traced back to flaws in the zero-knowledge proof circuit underpinning Orchard, the shielded transaction system that launched in 2022. That hole had existed for four years.

On June 2, 2026, an emergency soft fork deactivated Orchard’s functionality at block height 3,363,426. One day later, on June 3, the hard fork dubbed NU6.2 went live at block height 3,364,600. It patched the bug and restored full system operations. At the time of the soft fork, more than 4.5 million ZEC sat inside the Orchard pool, temporarily frozen while the fix was deployed.