A security researcher discovered a critical vulnerability in Zcash's Orchard transaction pool that could be exploited to create an "unlimited" amount of counterfeit tokens within the pool.
Shielded Labs, an independent Zcash support organization, published the findings on the social media platform X on Thursday. It said it hired security engineer Taylor Hornby to conduct a review of the protocol in April.
The announcement coincided with a steep decline in the price of Zcash (ZEC). It fell 31% over the past 24 hours to $409.64 as of 11:00 p.m. ET on Thursday, according to The Block's ZEC price page. Much of the decline occurred in the five hours following the post's publication.
Hornby, a long-time contributor to the Zcash ecosystem, evaluated the protocol using both AI-assisted and traditional security research techniques to identify vulnerabilities before they could be exploited by malicious actors, according to the post.
On May 29, Hornby discovered the Orchard circuit vulnerability using Anthropic's newly released Opus 4.8 model and immediately shared the findings with engineers at the Zcash Open Development Lab (ZODL).
The Orchard pool is Zcash's shielded transaction pool, allowing users to send and receive ZEC with full zero-knowledge privacy. The Orchard circuit is a zero-knowledge proof system that ensures only valid transactions are accepted in the pool.
"The vulnerability was real and exploitable," Shielded Labs wrote. "Taylor, with the help of Opus 4.8, wrote a complete exploit which, when he tested it in a local regtest environment, generated unlimited, undetectable counterfeit ZEC."
The post explained that the vulnerability stemmed from an "under-constrained" element of the Orchard circuit, which made it possible to enter arbitrary false inputs to an elliptic curve multiplication and still have it approved.
While the vulnerability was patched on June 1, it has been present since Orchard's activation in May 2022, Shielded Labs said.
Actual exploit unlikely
Shielded Labs wrote in its post that the privacy properties of Orchard and the nature of the vulnerability make it difficult to know whether the pool had been exploited before the flaw was discovered.
Despite the uncertainty, Shielded Labs said the team is not "overly concerned" that counterfeiting took place before the bug was fixed, as the vulnerability has gone under the radar for many years, even under the scrutiny of the world's best cryptographers.
"The discovery was not accidental — it was the result of a deliberate effort to identify vulnerabilities of this kind before malicious actors could," the post said. "[Hornby] used the most recent AI tools, available only to white-hat security researchers, along with a sophisticated custom-built AI harness and prompts, and worked hard to outrace the attackers. We think he probably succeeded."
While Shielded Labs said that actual exploitation of this vulnerability is unlikely, its team is exploring a proposed network upgrade to allow anyone to verify the integrity of the Zcash supply and prove that there are no counterfeit Zcash in the Orchard pool. The proposal would also deploy a new shielded pool and enforce turnstile accounting on all coins in the Orchard pool.
"This was a serious vulnerability, and we believe it's important to be transparent about what it means for Zcash users," the post said. "While no one wants to discover a vulnerability like this, we're confident that Zcash is well-positioned to recover."

