Zcash plunges 38% after critical counterfeiting vulnerability disclosure

Zcash disclosed a critical vulnerability in its Orchard shielded pool on June 5, 2026, sending the privacy coin into freefall. ZEC dropped as much as 38%, hitting lows of $442.60 as traders rushed for the exits.

The flaw, discovered on May 29 by security researcher Taylor Hornby during a Shielded Labs audit, had been sitting undetected in Zcash’s code for roughly four years. It could have allowed an attacker to mint unlimited ZEC inside the Orchard pool without anyone noticing. In English: someone could have been running an invisible money printer since May 2022, and there’s no way to definitively prove they didn’t.

The vulnerability and the emergency patch

The Orchard shielded pool launched in May 2022 as part of Zcash’s ongoing effort to strengthen transaction privacy. It was supposed to be a more secure successor to earlier shielded pools. Instead, it carried a bug that undermined the very foundation of any monetary system: the guarantee that supply is finite and verifiable.

The Zcash team moved quickly once Hornby flagged the issue. Emergency measures were completed between June 2 and June 3, involving a hard fork and temporarily disabling the Orchard functionality entirely. The patch was in place before the public disclosure on June 5.