Critical Zcash Vulnerability Found and Fixed - Schneier on Security
Critical Zcash vulnerability in Orchard privacy pool found and fixed.
Summary
A critical vulnerability was discovered in Zcash's Orchard privacy pool by researcher Taylor Hornby, allowing for the potential creation of ZEC from nothing. The Zcash team hired Hornby to find such issues, and he identified the flaw quickly. While the vulnerability has been fixed, it remains unknown if it was exploited before discovery.
Full text
Critical Zcash Vulnerability Found and Fixed If you’re a user—owner?—of this cryptocurrency, this is important: On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enough to be embarrassing. The Orchard pool is the newest and most advanced shielded transaction system in the cryptocurrency Zcash. Introduced in 2022, it allows users to send and receive ZEC while keeping transaction details private. It uses zero-knowledge proofs to validate transactions without revealing amounts or participants. The bug: a specific check that was supposed to validate transaction inputs wasn’t actually enforcing the rules it appeared to enforce. An attacker could have exploited the flaw to feed false inputs into that check and generate ZEC from nothing, with the zero-knowledge proof system blessing the fraudulent transaction as valid. It’s fixed; that’s the good news. The bad news is that there’s no way of knowing if anyone exploited the vulnerability to steal money. And this fragility is the fundamental problem that makes blockchain such a bad idea. Tags: AI, blockchain, cryptocurrency, vulnerabilities Posted on June 8, 2026 at 1:06 PM • 0 Comments