Zcash Plummets 30% Following AI-Discovered Counterfeiting Flaw Revelation
The cryptocurrency's market cap declined nearly $3 billion in a single day after a severe security flaw was publicly revealed, even though developers had already implemented a fix.
On Thursday, ZEC's value plummeted following the public revelation of a severe counterfeiting flaw within Zcash's Orchard pool that could potentially enable malicious actors to create an infinite supply of ZEC tokens.
Based on an announcement shared via X, Taylor Hornby, a security engineer contracted by Shielded Labs, identified the vulnerability on May 29 and promptly reported it to the Zcash Open Development Lab (ZODL), which launched an immediate emergency response to address the flaw through a hard fork that went live on June 3.
Nevertheless, questions persist regarding how extensively the security flaw, which had been present since May 2022, may have been exploited, causing Zcash to plummet over 30% during the past 24 hours to reach $410 as of this writing. The cryptocurrency's market capitalization has contracted by over $3 billion.
Despite these concerns, Arthur Hayes, BitMEX co-founder, stated on Friday that illegal minting of ZEC through this vulnerability is improbable, although he conceded that "it cannot be formally cryptographically proved impossible."
Sadly, due to the Orchard Pool exploit, I had to dump our entire ZEC bag.
"The Holy Trinity is dead," Hayes remarked, alluding to Zcash along with two additional tokens he liquidated this week, Hyperliquid (HYPE) and Near Protocol (NEAR).
Claude assists in bug discovery
Taylor utilized Claude Opus 4.8, which launched on May 28, just one day prior to the vulnerability's discovery, to aid in a precisely targeted examination of the Orchard circuit, the cryptographic foundation supporting Zcash's Orchard shielded pool.
The severe vulnerability enabled fraudulent inputs into an elliptic curve multiplication verification, meaning the mathematical processes designed to cryptographically authenticate transactions could be deceived.
Taylor constructed and verified a functional exploit, which created unlimited fraudulent ZEC.
If he had run the same tool on Zcash mainnet it would have generated unlimited, undetectable counterfeit ZEC in his mainnet Zcash wallet.
Security researchers
The principal worry is that no cryptographic method exists to verify whether someone had exploited this vulnerability previously before the patch was deployed, owing to Orchard's privacy characteristics.
Nevertheless, Shielded Labs expressed being "not overly concerned" given that the vulnerability was sufficiently subtle to escape detection during years of professional scrutiny, and its discovery required a deliberate, exceptionally skilled initiative utilizing state-of-the-art tools and AI technology.
The company is collaborating with Zcash developers on a recommended network enhancement to enable anyone to confirm the authenticity of the ZEC supply and to demonstrate the absence of fraudulent tokens within the Orchard pool, according to their statement.
Not the first counterfeiting vulnerability for Zcash
Mert Mumtaz, co-founder and CEO of Solana tooling firm Helius, indicated that nearly every privacy protocol contains a variation of this identical vulnerability.
This same FUD comes back every five months as new people learn how privacy pools work.
Mert Mumtaz, CEO of Helius
He clarified that it represents a theoretical vulnerability in the majority of zero-knowledge privacy protocols stemming from circuit bugs that prove challenging to exploit or identify.
This marks not the first instance of such a vulnerability being found in Zcash. In 2018, a counterfeiting flaw in the cryptographic foundation of zk-proofs was identified by the Electric Coin Company, which successfully resolved it without any losses in 2019.