A critical flaw in Zcash's Orchard shielded pool, undiscovered for four years, has raised doubts about whether the protocol can guarantee its 21 million ZEC supply cap.
Zcash's ZEC token fell 34% to $396 in 24 hours after the disclosure of a soundness bug in the Orchard zero-knowledge proof circuit that could have allowed an attacker to create counterfeit coins inside the network's most private transaction pool. The vulnerability, discovered May 29 by independent researcher Taylor Hornby during a Shielded Labs audit, had been present since Orchard launched in 2022. Trading volume surged 44% as holders rushed to exit, with former BitMEX chief executive Arthur Hayes confirming he had sold his entire ZEC position.
"The privacy of Zcash makes inflation exploits far more dangerous," Peter Todd, a longtime Bitcoin researcher, said. "Bitcoin has never had an inflation exploit that could destroy the value of the currency." Todd noted that roughly 30% of ZEC's supply sits in the shielded pool, making any undetected inflation impossible to verify externally because shielded transactions are hidden by design.
The Zcash Foundation said there was "no evidence of unauthorized value creation" and that user privacy was not affected. Developers executed a two-step emergency upgrade — Zebra 4.5.3 temporarily disabled Orchard actions, then Zebra 5.0.0 activated the NU6.2 hard fork at block 3,364,600 on June 3, re-enabling the pool with a corrected circuit. The transparent and Sapling pools operated normally throughout the incident.
The episode marks the second time Zcash has faced a bug with the potential to create new units undetected, following a similar flaw in 2018. Shielded Labs and Zcash co-founder Zooko Wilcox are working on a proposed upgrade that would route all Orchard coins through an enhanced turnstile accounting system, allowing anyone to verify the supply cap without breaking user privacy. No timeline has been announced.
Why the Market Is Pricing in a Trust Discount
The 34% decline far exceeded the broader crypto market's 2.69% drop on the same day, showing this was a coin-specific crisis rather than macro-driven selling. Zcash's market capitalization fell to $6.5 billion as the token gave back a portion of the 900% gains it had posted over the prior 12 months as interest in privacy features grew.
The selloff accelerated after Hayes disclosed his exit, citing doubts about whether the supply could ever be fully verified. His departure carries weight in crypto markets: when prominent traders exit a position publicly, it often triggers follow-on selling from retail and institutional holders who interpret the move as informed capitulation.
The Verifiability Problem at the Core of Privacy
The bug exposed a structural tension in privacy-focused blockchains. Zcash's value proposition depends on advanced zero-knowledge proofs that hide transaction details, but that same privacy makes it impossible for outside observers to confirm that no counterfeit coins were ever created. The Foundation's statement that there was "no evidence" of exploitation is not the same as proof that exploitation did not occur.
Seth for Privacy, chief operating officer of Cake Wallet, criticized the response as overly centralized, saying Zcash Open Development Lab "secretly coordinated an entire soft and hard fork of a network" while wallets and ecosystem participants received meaningful information only hours before the hard fork went live. ZODL founder Josh Swihart defended the process as standard responsible disclosure.
For ZEC holders, the next milestone is the proposed turnstile upgrade. If the community can demonstrate that the supply cap remains intact, confidence may return. Until then, the market is pricing in a risk premium that no amount of cryptographic complexity can easily erase.