Zcash Says Counterfeit ZEC Was Likely Never Minted, but Can't Prove It

Published: Jun 15, 2026
By Aleksandar Dukic

Key Analysis

Zooko Wilcox says prior exploitation of the Orchard counterfeiting bug looks unlikely, but cryptography alone cannot confirm no fake ZEC was ever minted.

Zcash founder Zooko Wilcox addressed the question hanging over the project since its emergency upgrade earlier this month: whether anyone ever used a now-patched flaw to mint counterfeit ZEC. His answer, relayed in a June 15 update, is that prior exploitation looks unlikely, "though we cannot rule it out with certainty," per a Cointelegraph post carrying the quote.

That hedge is the whole story. The bug has already been fixed. The open question is whether the fix came in time, and the protocol's own developers concede that cryptography by itself cannot give a clean answer.

A soundness bug that sat in the shielded pool for four years

The flaw lived in the Orchard circuit, the zero-knowledge proof system that powers Zcash's newest shielded pool. According to the Zcash community's post on the vulnerability and next steps, an under-constrained element in that circuit let arbitrary false inputs pass through an elliptic-curve multiplication while still satisfying every verification check. In plain terms, the math that is supposed to guarantee each shielded note is backed by a real, single-spent coin had a gap. A crafted proof could create value out of nothing and still verify as valid.

The exposure window ran from Orchard's activation in May 2022 to the emergency fix deployed at the start of June 2026. That is roughly four years in which the bug existed in production. It was identified on May 29, 2026 by Taylor Hornby, a security engineer working with Shielded Labs, during an audit that used Anthropic's Opus 4.8 model to help review the circuit. The ecosystem pushed out an emergency response within days, closing the hole before any exploitation was confirmed on-chain.

Markets did not wait for the post-mortem. ZEC dropped steeply once the disclosure landed, reflecting how directly a counterfeiting flaw cuts at a coin's core promise: that the supply is what the protocol says it is.

Counterfeit coins would have left no trace

The reason this cannot be settled with a simple ledger check is the same reason Zcash exists. Orchard transactions are shielded, so amounts and parties are hidden behind zero-knowledge proofs. A counterfeit note minted through the soundness bug would have verified as legitimate and then blended into the shielded set. There is no public balance to reconcile and no obvious anomaly to grep for. As the developers put it, "there is no definitive way to determine using only cryptography whether such exploitation occurred."

This is the uncomfortable trade-off baked into strong privacy systems. The features that protect a privacy-focused user's transaction history are the same features that prevent outside observers, and even the core team, from auditing whether the supply was ever inflated. Transparency tools that work on Bitcoin or Ethereum simply do not apply inside a fully shielded pool.

The case for low prior exploitation

The argument that no counterfeiting happened rests on circumstance rather than proof. The team's reasoning: the bug evaded years of expert scrutiny and multiple prior reviews, surfacing only when an elite researcher paired with a cutting-edge AI model went looking for exactly this class of error. Finding it took deliberate, sophisticated effort. The remediation window was then closed quickly once the issue was understood.

That is a plausible case, and it is the honest version of it, because the team is not claiming certainty it does not have. It is still an inference. Anyone weighing ZEC has to accept that "probably not exploited" is the ceiling on what can be known about the pre-fix supply.

A new pool to make the supply provable going forward

Rather than try to retroactively prove the existing pool is clean, Shielded Labs proposed building forward. The plan is a new shielded pool with enforced turnstile accounting applied to all Orchard coins as they migrate into it. A turnstile, in Zcash terms, is a checkpoint that measures value moving between pools so that the total entering can be reconciled against the total leaving. Applied to the migration, it gives a way to verify supply integrity from this point on, even if the historical Orchard pool can never be fully cleared.

For holders, that turns an unanswerable question into a managed one. The legacy uncertainty does not vanish, but future supply gains an auditable boundary.
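The turnstile idea described above can be shown with a small model. This is an added example, not Zcash consensus code or anything published by Shielded Labs; the pool names, the integer amounts and the `Turnstile` class are assumptions made for illustration, and "transparent" is treated as an unbounded outside source.

```python
from dataclasses import dataclass, field


class TurnstileViolation(Exception):
    """Raised when a pool would pay out more than was ever paid in."""


@dataclass
class Turnstile:
    # Public running balance per pool, in integer units (hypothetical model).
    balances: dict = field(default_factory=dict)

    def apply_block(self, transfers):
        """Apply a block of (src, dst, amount) cross-pool transfers atomically.

        Only the amounts crossing a pool boundary are needed; the notes
        inside each shielded pool stay hidden from this check.
        """
        trial = dict(self.balances)
        for src, dst, amount in transfers:
            if amount <= 0:
                raise ValueError("amount must be positive")
            trial[src] = trial.get(src, 0) - amount
            trial[dst] = trial.get(dst, 0) + amount
        for pool, bal in trial.items():
            # Assumption: "transparent" stands in for the outside world here.
            if pool != "transparent" and bal < 0:
                raise TurnstileViolation(f"{pool} balance would be {bal}")
        self.balances = trial  # commit only if every pool stays non-negative


def demo():
    t = Turnstile()
    # Constructed sample: 100 units legitimately enter Orchard.
    t.apply_block([("transparent", "orchard", 100)])
    # 60 units migrate to the hypothetical new pool; 40 remain accounted for.
    t.apply_block([("orchard", "new_pool", 60)])
    try:
        # 70 units try to leave although only 40 ever remained: the block
        # is rejected, whatever notes claim to exist inside Orchard.
        t.apply_block([("orchard", "new_pool", 70)])
        rejected = False
    except TurnstileViolation:
        rejected = True
    return t.balances, rejected
```

The check does not identify which notes are counterfeit. It caps what can leave a pool at what verifiably entered it, which is why it bounds supply going forward without clearing the historical pool.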

The episode also doubles as a live test of AI-assisted auditing. The same approach that surfaced a four-year-old soundness bug is now part of how Zcash plans to vet its code, a pattern likely to spread across other zero-knowledge protocols that carry similar circuit-level risk. It lands during a brutal stretch for on-chain security more broadly, with researchers already flagging a record run of exploits this quarter.

Overview

Zcash patched an Orchard circuit bug that could have minted undetectable counterfeit ZEC, and the protocol existed with that flaw for about four years before a May 29, 2026 audit caught it. Zooko Wilcox now says prior exploitation looks unlikely but cannot be ruled out with certainty, because shielded transactions leave no public trail to audit. The forward fix is a new pool with turnstile accounting to make supply verifiable from here on. The practical takeaway: treat the pre-fix supply as "probably clean, not provably clean," and watch whether the turnstile migration ships as described.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.