ZEC dropped 40% after a security vulnerability was disclosed in its Orchard shielded transaction pool, a core component of the privacy-focused cryptocurrency. The flaw was patched. But the team that originally built and understood this code the most intimately wasn’t the one who fixed it — they left five months ago.
What Happened
The vulnerability was identified by security researcher Taylor Hornby during an audit of the codebase commissioned by the Zcash development team. Hornby used AI-assisted tools, including Anthropic’s Claude Opus, to help analyze the Orchard circuit, according to individuals familiar with the work.
Sponsored
The issue was located in validation logic within the Orchard circuit, which governs shielded transactions. Developers said the flaw could have allowed invalid inputs to pass verification under specific conditions, potentially enabling the creation of unbacked ZEC within the shielded pool.
The vulnerability had been present since Orchard’s activation in May 2022, thus, for nearly four years of exposure.
Developers said it is not possible to definitively determine whether the vulnerability was exploited prior to discovery due to the privacy properties of the shielded pool.
A patch was deployed following disclosure, according to project maintainers.
The Team That Wasn’t There
The fix was deployed by the Zcash Foundation and Shielded Labs. In January 2026, Josh Swihart, CEO of the Electric Coin Company, the organization that created Zcash and built the Orchard protocol, resigned alongside the entire ECC staff.
The departures followed a governance dispute with the Bootstrap Project board, with staff citing constructive discharge.
The former team has since formed an independent entity focused on privacy technology but has not launched a competing chain.
Second Emergency in a Month
The disclosure follows a separate security incident this year. In May 2026, the Zcash Foundation urgently released Zebra 4.4.0, addressing multiple security vulnerabilities in its Rust-based node implementation.
Several of the issues were classified as consensus-critical and, if exploited, could have led to network divergence or chain splits. The release followed an urgent security response, with operators advised to upgrade immediately.
The vulnerabilities affected core validation and networking logic in the node software, including areas that could cause inconsistencies between implementations of Zcash’s protocol.
What Comes Next
Shielded Labs has proposed a new Zcash network upgrade that would deploy a new shielded pool and route all coins leaving Orchard through turnstile accounting, letting anyone verify that no counterfeit ZEC exists. Like any major upgrade, it would need community support and governance approval before activation.
Discover DailyCoin’s popular crypto news right now:
Binance Raises LUNC Burn Bar With 2.2B Burn, Price Flops
XRP vs. XLM: The $114 Trillion RWA Race Is Heating Up
People Also Ask:
Zcash is a privacy-focused cryptocurrency that uses zero-knowledge proofs to enable shielded transactions where sender, receiver, and amount can be hidden.
Orchard is a core privacy layer in Zcash that processes shielded transactions using cryptographic circuits designed to validate transfers without revealing transaction details.
Consensus-critical bugs can cause nodes in a blockchain network to disagree on valid transactions, potentially leading to chain splits or incorrect balances.
