Someone just pulled approximately 202,000 ZEC out of Zcash’s Orchard shielded pool in a single transaction. That’s about 1% of the pool’s total holdings, which currently sit at roughly 3.88 million ZEC after the withdrawal.
The bug that nobody caught for four years
On May 29, 2026, security researcher Taylor Hornby disclosed a critical counterfeiting vulnerability in the Orchard protocol. The flaw could theoretically have allowed someone to create fake ZEC within the shielded pool, essentially minting coins out of thin air without anyone being able to detect it.
The bug had been sitting there, undetected, since the NU5 network upgrade in 2022. Zcash developers responded with emergency measures. They halted transactions in the Orchard pool, deployed a patch, and announced there was no evidence the vulnerability had actually been exploited.
Market reaction was brutal
