
AI Audit Finds Zcash Orchard Soundness Bug, Triggers Emergency Soft Fork and Market Selloff
Key Takeaways
- An AI-assisted audit found a four-year-old vulnerability in Zcash's Orchard pool that enabled counterfeit ZEC.
- An emergency network upgrade patched the vulnerability between May 29 and June 3.
- Market value fell about 50% following disclosure of the flaw.
Orchard flaw, ZEC shock
Zcash’s Orchard shielded pool suffered a critical soundness bug that Shielded Labs said “has been remediated,” after an AI-assisted audit found the vulnerability and triggered a sharp market selloff.
“AI exposed a massive flaw in top crypto network and experts warn banks could be next. After an AI model helped uncover a four-year-old flaw in Zcash, security researchers warn that similar bugs may be hiding across crypto and traditional financial systems”
The Orchard flaw was discovered on May 29, 2026 by Taylor Hornby, who used Anthropic’s Opus 4.8 model and a custom AI auditing framework to produce a working exploit in a local test environment.

Zcash’s emergency response included a soft fork that temporarily disabled Orchard transactions on June 2 and a hard fork (NU6.2) that reactivated the pool with a corrected circuit on June 3.
The price reaction described across outlets was severe, with CoinMarketCap data showing ZEC trading near $333 after dropping roughly 40% within 24 hours, while another account said ZEC fell from a Wednesday high near $635 to an intraday low around $309 and shed close to 48% in roughly 48 hours.
In a separate framing of the same episode, Blockhead reported that ZEC fell more than 30% on June 5 following the public disclosure, trading at approximately $40 against a prior close of $457.
AI debate and formal verification
CoinDesk quoted Dragonfly managing partner Haseeb Qureshi arguing that AI finding vulnerabilities is a good thing, saying, "While AI found this bug, AI will also deliver the fix for the whole category: formal verification."
In the same report, SingularityNET CEO Ben Goertzel told CoinDesk that similar vulnerabilities are likely hiding beyond crypto, saying, “Other cryptocurrencies are not vulnerable to this specific bug, which was a simple logic error in the Zcash implementation,” and adding that banking systems are also likely affected.

CoinDesk described the proposed defense as a shift toward formal verification, which, as Ethereum co-founder Vitalik Buterin explained, involves “writing proofs of mathematical theorems in such a way that these theorems can be checked automatically.”
CoinDesk also included CertiK CEO and co-founder Ronghui Gu warning that security firms face an “AI token consumption war” in which hackers can “burn a massive number of AI tokens on a single target.”
The same CoinDesk account tied the Zcash case to a broader question about whether increasingly capable AI systems are making security harder, even as it highlighted formal verification as the “only path forward for mission-critical software.”
Response, governance, and stakes
Zcash founder Zooko Wilcox publicly disclosed details of the Orchard vulnerability on X, writing that “The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard.”
“Zcash founder Zooko Wilcox has publicly disclosed the details of a critical forgery vulnerability in the Orchard shielded pool that was discovered, patched, and resolved through an emergency network upgrade between May 29 and June 3”
Blockhead said the response unfolded in two stages, with a soft fork at block height 3,363,426 temporarily disabling all Orchard-containing transactions on June 2 at approximately 02:00 UTC, followed by re-enabling on June 3 at 00:05 EDT when the NU6.2 hard fork activated at block height 3,364,600.
Gizmodo reported that the Zcash Foundation said there is “no evidence of unauthorized value creation,” while also noting that because of Zcash’s privacy design, confirming the absence of hidden inflation remains difficult for outside observers.
The stakes were described in terms of how privacy complicates assurance, with CryptoRank saying the incident could have enabled counterfeit ZEC “without easy detection,” and that Zcash developers proposed a migration with turnstile accounting and formal verification to reconcile supply.
Even as some outlets emphasized the fix and the lack of evidence of exploitation, Gizmodo included criticism of the coordination process, quoting Seth for Privacy as saying ZODL “secretly coordinated an entire soft and hard fork of a network” and Josh Swihart responding, “It doesn’t sound like you know how responsible disclosure works.”