In April 2026, Shielded Labs hired Taylor Hornby for one purpose: find vulnerabilities in Zcash before attackers do. Taylor is one of the most skilled security engineers in the space, with deep Zcash protocol knowledge. He got to work immediately, combining traditional security research with AI-assisted auditing techniques.
On May 28, Anthropic released Opus 4.8. The next day, Taylor pointed it at the Orchard circuit as part of his targeted review.
Within hours, he had a working exploit.
Not a theoretical one. A complete, tested exploit that generated unlimited, undetectable counterfeit ZEC in a local regtest environment. If he had run the same tool on mainnet, it would have done the same thing there.
The vulnerability was an under-constrained element in the Orchard zk-proof circuit. It allowed arbitrary false inputs into an elliptic curve multiplication while still passing the verification check. Two lines of code. Present since Orchard activated in May 2022 — four years undetected by some of the world's best cryptographers.
Taylor disclosed immediately to ZODL.
What followed was one of the most tightly coordinated emergency responses in cryptocurrency history.
Taylor discloses to ZODL engineers. Sean Bowe and the core team begin working on a fix.
A soft fork activates at block 3,363,366. Zebra v4.5.3 and zcashd v6.12.5 deploy simultaneously, temporarily disabling all Orchard transactions. Miners, exchanges, and infrastructure operators upgrade within hours — independently, voluntarily.
NU6.2 activates at block 3,364,600. Orchard re-enables with the corrected circuit. The vulnerability window closes.
No centralized kill switch. No foundation override. Independent miners in China, pools in the US, exchanges across three continents — all reviewed the code and made independent decisions to upgrade. Josh Swihart:
"The fix was completed before the soft fork. The soft fork was the means to guard against exploit by miners and node operators. It was coordinated, not centralized. Code verified by miners and nodes independently."
Price hit $258 at peak panic. Headlines screamed "Zcash Crash." Crypto Twitter did what it does. But the data tells a different story.
Still sitting at transparent addresses. Not sold. Not moved. Holders playing it safe.
Transferred to another t-addr. Still on Zcash.
Bridged cross-chain. That's 1.6% of the shielded pool, 0.5% of total supply.
Sent to exchanges. The total sell pressure from Orchard holders. 0.28% of supply.
Already reshielded back to privacy.
The shielded pool went from 31% to 30%. One percentage point. That's it.
"In the last 48 hours, amid all the FUD, the size of the Zcash shielded pool has dropped from 31% of supply to 30%. Down ~1%."
"In the past two days, we actually had net inflow into Zcash through NEAR Intents. As price was going down, people who believe in the protocol are coming in."
"I am not selling a single SOL or ZEC, fuck you bears"
Price recovered from $258 to $420+ within days. $1 billion added back to market cap in 24 hours after the Ironwood announcement.
On June 6, Zooko Wilcox published the Ironwood proposal — co-authored with Shielded Labs, ZODL, Zcash Foundation, Tachyon Group, and Valar Group.
The premise: you shouldn't have to trust anyone's assessment that the bug wasn't exploited. You should be able to verify it yourself.
Ironwood creates a new shielded pool with the fixed Orchard circuit. Upon activation, the old pool is locked — no new outputs can be created in it. Existing Orchard funds migrate to the new pool through turnstile accounting, which rejects any transaction attempting to move out more ZEC than legitimately entered.
The result: the moment Ironwood activates, anyone running a node can verify the total circulating supply is correct. No trust required.
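The turnstile rule described above, as an added example that is not Zcash consensus code: a simplified model of per-pool value accounting with a locked legacy pool. The `Ledger` class, the `transfer` method and all amounts are assumptions constructed for illustration.

```python
ZAT = 100_000_000  # zatoshis per ZEC

class TurnstileViolation(Exception):
    """A transfer that would break a pool's public value bound."""

class Ledger:
    def __init__(self):
        self.balance = {}    # pool -> zatoshis that entered and have not left
        self.locked = set()  # pools that accept no new outputs

    def add_pool(self, name, balance=0, locked=False):
        self.balance[name] = balance
        if locked:
            self.locked.add(name)

    def transfer(self, src, dst, amount):
        """Move a publicly revealed amount across the pool boundary."""
        if amount <= 0:
            raise TurnstileViolation("amount must be positive")
        if dst in self.locked:
            raise TurnstileViolation(f"{dst} is locked: no new outputs")
        if amount > self.balance[src]:
            # More is leaving than ever entered. Notes inside the pool are
            # hidden, but the boundary crossing is public, so forged value
            # cannot get past this check.
            raise TurnstileViolation(f"{src} balance would go negative")
        self.balance[src] -= amount
        self.balance[dst] += amount

    def supply(self):
        return sum(self.balance.values())

def run_migration():
    """Constructed scenario: 1,000 ZEC legitimately entered the old pool."""
    ledger = Ledger()
    ledger.add_pool("orchard", balance=1_000 * ZAT, locked=True)
    ledger.add_pool("ironwood")
    attempts = [("orchard", "ironwood", 600 * ZAT),   # honest migration
                ("ironwood", "orchard", 1 * ZAT),     # output into locked pool
                ("orchard", "ironwood", 500 * ZAT),   # exceeds the 400 left
                ("orchard", "ironwood", 400 * ZAT)]   # drains the remainder
    outcomes = []
    for src, dst, amount in attempts:
        try:
            ledger.transfer(src, dst, amount)
            outcomes.append("accepted")
        except TurnstileViolation as err:
            outcomes.append(f"rejected: {err}")
    return ledger, outcomes

if __name__ == "__main__":
    ledger, outcomes = run_migration()
    print(outcomes, ledger.balance, ledger.supply() // ZAT)
```

The model bounds what can leave the old pool by what publicly entered it, which is why the total across pools stays equal to the legitimately issued amount whatever happened inside the locked pool.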
"One thing that makes this work where the turnstiles only partially worked before: we're forcing the circulating supply of ZEC to exist only within safe pools. Any hypothetical counterfeiting is snuffed out."
The new pool will be formally verified — a mathematical proof that the circuit has no soundness bugs. Not audited. Not reviewed. Proved.
Target: late July 2026.
"The @Zcash bug leads to Ironwood, formal verification of the Orchard payment circuit. I love and support it."
"We will be ready at @Gemini for Ironwood."
"now when you tell the girls (or boys) you hold zcash, you can just say you have some ironwood instead. incredible name"
The honest answer on whether it was exploited: there is no cryptographic way to prove it wasn't, due to Orchard's privacy properties. But several factors make exploitation unlikely. The vulnerability evaded years of review by world-class cryptographers — it took Taylor plus a frontier AI model released the day before to find it. No heuristic in the on-chain data indicates an exploit. If a counterfeiter existed, they sat on free money through a massive bull run without cashing out. And the window between public frontier AI availability and the fix was measured in days.
Ironwood makes the question moot. Once it activates, the supply is provably sound regardless.
"Zcash will end up structurally stronger thanks to Ironwood. Other chains will face the same AI-era bug class without formal verification, turnstile-bounded supply, quantum recoverability, or continuous audits. Zcash will have all of them."
Bitcoin had the same class of bug in 2018 (CVE-2018-17144 — an inflation vulnerability). The difference: Bitcoin's fix was a patch. Zcash's response is a structural upgrade that makes this class of vulnerability mathematically impossible going forward.
The security landscape has changed. AI models now discover vulnerabilities faster than humans can audit code. The chains that survive this era will be the ones that found their bugs first — and responded by making them impossible, not just improbable.
Zcash is building that future now. Formal verification. Quantum recoverability. Turnstile accounting. Continuous AI-assisted auditing. Not aspirational roadmap items. Shipping this year.