A security researcher armed with an AI model just found a vulnerability in Zcash that had been hiding in plain sight for over four years. The flaw, buried in the protocol’s Orchard shielded pool, could have allowed someone to mint unlimited counterfeit ZEC tokens without anyone noticing.

Independent researcher Taylor Hornby discovered the exploit on May 29 using Anthropic’s Claude Opus 4.8 alongside custom-built tools. The vulnerability had existed since the Orchard pool’s activation in May 2022, meaning it sat undetected through four years of code reviews, audits, and community scrutiny.

What the vulnerability actually did

The flaw Hornby identified would have allowed an attacker to generate unlimited counterfeit ZEC tokens that were completely undetectable within the shielded pool. In a transparent blockchain like Bitcoin, you can audit the total supply by simply adding up all the unspent outputs. In a shielded pool, where amounts are hidden, that kind of accounting is, by design, impossible to do directly.

Hornby confirmed the exploit worked in a local test environment. No confirmed exploitation occurred on the Zcash mainnet, and the protocol’s 21 million token supply cap remained intact. An emergency soft fork went live on June 1, just three days after the disclosure. A full hard fork followed on June 3.