Arthur Hayes Sold Zcash After Orchard Pool Vulnerability Enabled Unlimited Counterfeit ZEC

Zcash’s Orchard shielded pool vulnerability triggered a market shock after security researcher Taylor Hornby discovered a flaw on May 29 and developers deployed an emergency response that included an upgrade activated on June 3.

“Zcash developers have revealed that a critical vulnerability in the network’s Orchard shielded pool could have allowed attackers to create unlimited counterfeit ZEC without detection”

AMBCrypto

CoinDesk reported that Arthur Hayes, chief investment officer of Maelstrom, said he sold his entire zcash position after the Orchard Pool vulnerability was disclosed, and that the token slumped more than 40%.

AMBCrypto

In a separate account, Zcash founder Zooko Wilcox said the vulnerability “could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard,” while also noting that “there is no way to cryptographically prove whether the vulnerability was exploited before it was remediated.”

Blockhead described the response timeline as an emergency network upgrade between May 29 and June 3, and said ZEC fell more than 30% on June 5 following the public disclosure.

CoinDesk also said the bug was present since 2022 and that Shielded Labs disclosed it as a major issue that went undetected for four years, potentially allowing a hacker to print unlimited counterfeit tokens.

Arthur Hayes told CoinDesk that he believed it was “extremely unlikely that any minting would take place,” but said it “could not be cryptographically proven impossible,” framing his decision to liquidate as a response to supply-integrity doubts.

TradingView and Cointelegraph both tied the selloff to the same core uncertainty, saying Hayes acknowledged “it cannot be formally cryptographically proved impossible” even while calling it unlikely that ZEC was illegally minted.

Blockhead

Blockhead added technical context by saying the flaw was a soundness bug that could have allowed an attacker to forge transactions and double-spend funds within the Orchard pool, while also stating it could not inflate the total ZEC supply.

CoinDesk reported that Arkham wrote on X that one large investor lost over half the value of his $174 million ZEC stash, and quoted Arkham saying, “He hasn’t sold ZEC for 6 months. Ouch.”

Across outlets, the common thread was that the privacy properties of Orchard made it hard to prove whether exploitation occurred before remediation, even after the fix was live.

Blockhead said the Orchard pool was introduced with NU5 in May 2022 and that the bug had existed in the codebase since that launch, describing a four-year window during which it went undetected.

“Arthur Hayes dumps zcash holdings after Orchard Pool vulnerability revealed Hayes said he would reconsider his stance if his assumptions that an exploit is still possible prove to be incorrect”

CoinDesk

AMBCrypto reported that Zcash developers said there is “no definitive way to determine using only cryptography whether such exploitation occurred,” while also stating there is currently no evidence the flaw was exploited before remediation.

Shielded Labs and Zcash developers pointed toward a follow-up network upgrade, with Cointelegraph and TradingView both describing a proposed path to verify ZEC supply integrity after the emergency fix.

TradingView said the firm was working with Zcash developers on a proposed network upgrade to allow anyone to verify the integrity of the ZEC supply and to prove the nonexistence of counterfeit tokens in the Orchard pool.

CoinDesk framed the immediate stakes as trust in supply integrity and value after the Orchard Pool vulnerability disclosure, noting that the incident undermined Hayes’s confidence in ZEC’s supply integrity even as he said he may buy back if his concerns prove unfounded.