
AI helps uncover critical 4-year-old Zcash vulnerability

A critical flaw in Zcash's Orchard shielded pool, present since its activation in May 2022, involved a flawed validation check for transaction inputs that could allow attackers to generate counterfeit ZEC coins undetectably via the zero-knowledge proof system. The vulnerability was discovered using AI tooling and was addressed with an emergency fix on June 1, 2026; due to the privacy features of the pool, it is impossible to determine if it was exploited. The Zcash team is proposing a network upgrade called "turnstile accounting" to verify all existing Orchard coins and deploy a new shielded pool.

June 8, 2026 | By SC Staff

A critical flaw in Zcash's Orchard privacy pool, present for four years, was recently discovered by security researcher Taylor Hornby using Claude Opus 4.8. The vulnerability could have allowed for the undetectable creation of counterfeit Zcash coins, as reported by Security Affairs.

The bug, which existed from Orchard's activation in May 2022 until an emergency fix on June 1, 2026, involved a flawed validation check for transaction inputs. This flaw could have enabled attackers to inject false inputs, generating counterfeit ZEC that would be validated as legitimate by the zero-knowledge proof system.

Due to the privacy features of the Orchard pool, it is impossible to definitively determine if the vulnerability was exploited during its existence. The Zcash team believes exploitation was unlikely given the complexity of the bug and the time it remained undetected, but is proposing a network upgrade called "turnstile accounting." This upgrade would involve deploying a new shielded pool and verifying all existing Orchard coins through a checkpoint to expose any counterfeit supply.

The discovery highlights the potential for advanced AI models to uncover previously unknown vulnerabilities in cryptographic systems, raising concerns about the security of systems not yet tested against such tools.

Source: Security Affairs

Related (SC Staff):

Hackers exploit critical Everest Forms Pro vulnerability for website control (June 8, 2026). The vulnerability resides within the plugin's Complex Calculation feature, which processes user input and inserts it into a PHP code string for execution via the "eval()" function.

Hackers actively exploit SolarWinds Serv-U flaw to crash servers, CISA warns (June 5, 2026). The vulnerability, tracked as CVE-2026-28318, is a denial-of-service flaw in SolarWinds Serv-U file transfer software.

Critical Redis vulnerability CVE-2026-23479 allows remote code execution (June 4, 2026). The vulnerability, rated 8.8 by CVSS 3.1 and 7.7 by CVSS 4.0, resides in the unblockClientOnKey() function within src/blocked.c.
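The article's claim that turnstile accounting would "expose any counterfeit supply" rests on a value-balance invariant: value leaving a shielded pool can never exceed the value that entered it, so a counterfeit note that is otherwise invisible inside the pool only becomes detectable when someone tries to cash it out past that limit. The following is an added illustration of that general principle, not code from Zcash, the Zcash team or SC Media; it assumes the classic turnstile rule (pool outflows bounded by pool inflows) rather than the specifics of the proposed upgrade, and every transaction identifier and amount is constructed sample data.

```python
"""
Toy shielded-pool turnstile audit (added example, not Zcash code).

A shielded pool hides individual notes, but the total value shielded into
the pool and unshielded out of it is visible on-chain. The audit below
replays those visible transfers and flags the first point at which the
pool's net balance would go negative: the only way that can happen is if
value was withdrawn that was never deposited, i.e. counterfeit supply.
Amounts are in zatoshi (1 ZEC = 10**8, assumed unit for this example).
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PoolTransfer:
    txid: str        # constructed identifier, not a real transaction id
    value_in: int    # zatoshi shielded into the pool by this transaction
    value_out: int   # zatoshi unshielded out of the pool by this transaction


def audit_pool(transfers: Iterable[PoolTransfer]) -> Tuple[int, Optional[str]]:
    """Replay transfers in chain order.

    Returns (net_balance, offending_txid). offending_txid is None when the
    turnstile invariant (balance >= 0) holds throughout; otherwise it names
    the first transaction that pushed the pool below zero, and the returned
    balance is the (negative) balance at that point.
    """
    balance = 0
    for t in transfers:
        if t.value_in < 0 or t.value_out < 0:
            raise ValueError(f"negative value field in {t.txid}")
        balance += t.value_in - t.value_out
        if balance < 0:
            return balance, t.txid
    return balance, None


def validate_exit(checkpoint_balance: int, unshield_amount: int) -> bool:
    """Consensus-style check after a checkpoint: an unshielding transaction
    is acceptable only if the pool can still cover it from audited deposits.
    """
    return 0 <= unshield_amount <= checkpoint_balance


# Constructed history: three honest transfers, net +3.5 ZEC in the pool.
HONEST_HISTORY = [
    PoolTransfer("tx-a", 500_000_000, 0),
    PoolTransfer("tx-b", 0, 200_000_000),
    PoolTransfer("tx-c", 100_000_000, 50_000_000),
]

# Same history followed by an attempt to withdraw 4 ZEC. Shielded-to-shielded
# moves of a counterfeit note never change the balance and stay invisible;
# the counterfeit is exposed only when its value tries to leave the pool.
COUNTERFEIT_HISTORY = HONEST_HISTORY + [PoolTransfer("tx-d", 0, 400_000_000)]


if __name__ == "__main__":
    for name, history in (("honest", HONEST_HISTORY), ("counterfeit", COUNTERFEIT_HISTORY)):
        balance, bad = audit_pool(history)
        status = "ok" if bad is None else f"turnstile violated at {bad}"
        print(f"{name}: balance={balance} zatoshi, {status}")
```

Note what the audit cannot do: it only sees aggregate flows, so a counterfeit note that is never unshielded leaves no trace, which is exactly why the article says exploitation can't be ruled out. A checkpoint plus the `validate_exit` rule bounds the damage going forward rather than proving the past was clean.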
