A security engineer armed with Anthropic’s Claude Opus 4.8 found a bug in Zcash’s privacy architecture that could have allowed someone to mint unlimited counterfeit ZEC tokens without anyone noticing. The flaw had been sitting quietly in the Orchard shielded pool since its activation in May 2022, roughly four years of silent exposure.
Taylor Hornby, the security engineer who discovered the vulnerability on May 29, 2026, used AI to review the Orchard circuit, the cryptographic plumbing that powers Zcash’s most advanced privacy features. The market’s reaction was swift and brutal: ZEC’s price cratered between 38% and 50%, wiping out more than $5B from a market cap that had peaked around $10B.
A $200 audit that uncovered a billion-dollar risk
The entire AI-assisted audit cost roughly $200 in API credits. The unsubsidized value of those same API tokens would have been around $20,000, meaning the audit ran on heavily discounted compute.
The vulnerability itself was a soundness bug. In zero-knowledge proof systems, “soundness” means that a malicious actor cannot create a proof that the system accepts as valid when it shouldn’t be. A soundness bug in a shielded pool means someone could theoretically forge transaction proofs, creating new tokens out of thin air while the network’s verification logic nods along approvingly.
