Zcash founder outlines a two-step response to a critical vulnerability in Orchard


Josh Swihart detailed Zcash’s emergency response to a vulnerability that could have allowed unlimited fake ZEC generation, with the token recovering more than 41% from its post-disclosure low.

Summary

  • Zcash deployed a soft fork and a hard fork to fix a critical vulnerability in Orchard that could have allowed unlimited fake ZEC to be generated.
  • Mining pools and exchanges reviewed the emergency code changes, with ViaBTC and Foundry helping to coordinate the response, Josh Swihart said.
  • ZEC has recovered over 41% from its June 5 low after patching the vulnerability and restoring Orchard transactions.

According to Josh Swihart, founder of Zcash Open Development Lab (ZODL), the team deployed a two-phase network upgrade after discovering a critical flaw in Zcash’s Orchard shielded pool, the network’s privacy-focused core transaction system.

In a June 8 post on

A second upgrade, the NU6.2 hard fork, went live on June 3 and addressed the underlying vulnerability before Orchard transactions were restored.

The update follows last week’s revelation from Shielded Labs, an independent support organization for Zcash, which warned that a flaw in Orchard’s circuit could have allowed an attacker to mint an unlimited number of counterfeit ZEC.

Shielded Labs said the issue had been fixed, and added that it considered prior exploitation unlikely, though it acknowledged there was no cryptographic evidence that the bug had never been used.

Orchard serves as Zcash’s main shielded pool, allowing users to send and receive ZEC through zero-knowledge proofs that hide transaction details while still validating transfers.

Mining pools and exchanges reviewed the emergency fixes

During the response process, Swihart said ZODL worked closely with mining pools, exchanges, and other ecosystem participants who requested a code review before supporting the upgrade.

Among these participants, Swihart identified ViaBTC and Foundry as key contributors who helped coordinate the network’s response and verify emergency changes prior to activation.

The vulnerability has already prompted discussion of long-term recovery measures. Shielded Labs previously presented a proposal known as Ironwood, which would isolate the existing Orchard pool, track coins exiting the system through turnstile accounting, and ultimately funnel users toward a new shielded pool with stronger supply verification mechanisms.

Separate comments from David Schwartz, CTO Emeritus of Ripple, also addressed Zcash users’ concerns about funds remaining in Orchard.

Passive holders will not automatically lose ownership of their coins if no exploitation occurs before any rollover, Schwartz said, explaining that consensus rules can continue to recognize those balances even if the pool stops seeing regular activity.

ZEC rebounded after sharp sell-off

The market reaction to the disclosure was immediate. According to previously reported price data, ZEC dropped from around $630 to around $303 after news of the vulnerability emerged, as traders faced uncertainty about the safety of the shielded pool and the possibility of counterfeit coins entering circulation.

Questions about the protocol’s security have reached far beyond the Zcash community. Among the notable reactions, BitMEX co-founder Arthur Hayes said he exited his entire ZEC position after learning of the vulnerability.

Recent trading has shown signs of stability. According to crypto.news data cited by Swihart, ZEC rose 13.5% over the past 24 hours to $428.67, representing a roughly 41.5% recovery from the June 5 low near $303.

ZEC/USDT 1-day price chart. Source: crypto.news

Summarizing the incident, Swihart said the network resolved the vulnerability, tested incident response procedures, strengthened relationships with ecosystem partners, and aligned developers on the project’s recovery path.


