ZODL's Josh Swihart praises security response to ZEC bug as a masterclass in crisis management

A bug capable of creating unlimited fake Zcash tokens was discovered, disclosed, and neutralized in less than a week. No funds were lost. No privacy was compromised.

Josh Swihart, founder and CEO of ZODL (Zcash Open Development Lab), called the response to a critical vulnerability in Zcash’s Orchard shielded pool a “masterclass” in security coordination. Given that the flaw could have let an attacker print ZEC out of thin air, the praise isn’t exactly unearned.

What happened, and how fast it got fixed

On May 29, 2026, researcher Taylor Hornby privately disclosed a vulnerability in Zcash’s Orchard shielded pool. The bug was the nightmare scenario for any cryptocurrency: it allowed for the potential creation of unlimited counterfeit ZEC tokens.

The response came in two phases. First, an emergency soft fork rolled out between June 1-2, 2026, hitting at block 3363426. This temporarily disabled Orchard transactions. Then came the hard fork. Dubbed NU6.2, it executed on June 3, 2026, at block 3364600. That’s a full patch deployed in roughly five days from initial disclosure.