Image credit: Shutterstock
Zcash’s ZEC fell sharply after Shielded Labs said a recently patched Orchard vulnerability could have allowed counterfeit coins to be created inside the privacy pool.
Shielded Labs said outside observers would not be able to prove whether counterfeit coins had been created inside the pool. ZEC traded near $319, down about 42% on the day, after touching an intraday low of $261.69.
May 29 Orchard Bug Was Fixed by June 2
The selloff followed a fuller explanation from Shielded Labs, which said security researcher Taylor Hornby found the bug on May 29. The issue was fixed through an emergency Zcash response completed on June 2.
Zcash Foundation said the issue was successfully fixed, Orchard transactions were re-enabled, and there is no evidence the bug was exploited. The foundation also said user funds stayed safe and user privacy was not affected during the upgrade.
Orchard Pool Has Been Live Since May 2022
The vulnerability affected Orchard, Zcash’s newest shielded pool, which has been live since May 2022. Shielded Labs said the flaw created a risk that invalid transactions could be accepted inside the pool.
That raised concern because shielded transactions hide balances and amounts by design. Zcash Foundation said Zcash’s turnstile mechanism protects the 21 million ZEC supply cap and that no unauthorized value creation has been detected.
Supply Uncertainty Drove ZEC’s 42% Selloff
The main concern for traders was not only whether the bug had been patched. Shielded Labs said no one can independently prove the integrity of the Orchard pool because of how shielded transactions work.
That left uncertainty over whether the pool’s historical supply can be fully verified. The issue hit ZEC because the token’s value depends heavily on confidence in Zcash’s privacy and supply design.
Shielded Labs Proposes New Pool Check
Shielded Labs has proposed another network upgrade that would create a new shielded pool and apply turnstile accounting as funds move out of Orchard. The process would check value as funds leave Orchard and move into a new pool. The goal is to give users a supply-verification path beyond the emergency fix.
Shielded Labs warned that the process could take time. It also said that if an exploit happened and an attacker moved quickly enough, fake coins could move into a new pool before real funds finish migrating. The next step is whether developers move ahead with the new pool and turnstile process after the Orchard patch.
