Zcash Privacy Coin Trust Crisis: After Claude Discovered the Vulnerability, Arthur Hayes Liquidated His Holdings, Core Developer Josh Swihart's Latest Response Fully Interpreted

The decline of ZEC just needed a catalyst, and the black swan has arrived.

Author: Curry, Deep Tide TechFlow

Zcash ($ZEC), as the oldest privacy-focused cryptocurrency, has long been centered around the narrative of “verifiable privacy + a fixed supply cap of 21 million.”

However, a serious vulnerability recently discovered with the assistance of Claude Opus 4.8, the strongest model yet and one that has not been publicly disclosed, instantly shattered this foundation of trust:

The Orchard privacy pool in Zcash's design could allow ZEC to be forged, inflating the supply.

Specifically, security researcher Taylor Hornby, commissioned by Shielded Labs to audit the cryptographic protocol, used Anthropic's recently released Claude Opus 4.8 model and succeeded in generating an unlimited amount of completely undetectable fake ZEC in a local environment.


The essence of the vulnerability is that one of the rules in the Orchard circuit (i.e., the transaction rules manual) was written too loosely, so that the proof engine accepted invalid transactions as valid during verification.

This issue was urgently patched on June 1-2 and fully disclosed by Zcash founder Zooko along with Shielded Labs on June 5. Within 24 hours of the disclosure, the price of ZEC plummeted by 26%-36%, and bullish confidence collapsed instantly.

More notably, well-known trader Arthur Hayes (who had previously listed ZEC as the second-largest holding of his “Holy Trinity” family fund) publicly confirmed that he had liquidated all of his holdings. His reasoning reflects an uncompromising demand for privacy:

“Although the probability is extremely low, the narrative of privacy against AI/government/large enterprises requires perfection, not just ‘most likely nothing will happen.’”

Amidst the market's skepticism, Josh Swihart, founder and CEO of Zcash Open Development Lab (ZODL) and the de facto leader of the Zcash core development team, posted a response whose title reads more like a public confession seeking forgiveness:

Never Again.


Here is a complete English translation of Josh Swihart's post:

Today, Shielded Labs suggested that the community explore establishing a second Zcash Orchard pool to address the forgery vulnerability recently patched in the existing Orchard implementation. Theoretically, the second Orchard pool could be implemented in the NU7 network upgrade at the end of July.

I do not hold a fixed stance on “whether a second Orchard pool should be established.” The more worthwhile discussion question is: How do we ensure that such vulnerabilities never happen again?

The best answer, as Sean said earlier, is formal verification. To simplify this for ordinary people: a shielded Zcash transaction includes a “proof” that it strictly adheres to the rules of the protocol—these rules are written in the “rules manual” (i.e., circuit), defining what constitutes a valid transaction.

The vulnerability in Orchard arose from one rule being written too loosely, leading it to accept false information that nonetheless passed validation. As a result, the system might be convinced to treat fake transactions as real—which means someone theoretically could forge ZEC in the Orchard pool.

This is a defect in the rules manual itself, not an issue with the underlying cryptography or the proof generation engine. As Sean said, shielded pools hide amounts and histories—this is the meaning of privacy.

However, because of this, you cannot directly verify values like you would with a public ledger. The only way to guarantee that no one forges anything is through mathematical proof: every transaction strictly adheres to the rules. Since the problem lies in the rules manual, the proof engine itself is actually irrelevant; the key is how the rules are written.

The Orchard rules manual is very complex; it contains many special-case treatments in pursuit of speed. Although powerful, it is extremely cumbersome and difficult to check comprehensively. A rule written too loosely is hard to detect—this time it slipped through even after multiple rounds of expert security audits and reviews.

Formal verification can solve this problem.

It can use mathematical proof to compress the parts that humans need to audit into concise, readable rule statements, allowing the computer to comprehensively check whether the entire rules manual matches. Now AI tools are already able to assist in writing these proofs.

It simplifies the audit work significantly: you only need to look at a small, clear specification, and then run an irrefutable checker. We no longer rely on the naked eye to “see” if there are problems; instead, we use proofs to ensure that there are no issues.

Trust now relies solely on foundational cryptographic assumptions and a very minimal specification. This has already become the current industry standard. Tachyon is being built with formal verification, adopting a simpler and more unified rules manual with far fewer special cases and much less complexity than Orchard, and the entire rules manual can be completely checked by mathematical proof.

However, as Sean mentioned, there are already multiple teams conducting formal verification on the existing Orchard circuit. If successful, then launching a formally verified second Orchard pool in the short term before Tachyon could be the best path.

Tachyon is cleaner, but a formally verified Orchard could serve as a good transitional solution and also ensure that such vulnerabilities do not happen again. Thanks to Sean Bowe for the review and feedback.
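To make the "rule written too loosely" failure concrete, here is an added toy example in Python; it is not from Swihart's post and is not Zcash's Orchard circuit. It assumes a small prime field P = 17, a hypothetical value cap MAX_VALUE and a three-field Witness, all constructed for illustration, and its exhaustive soundness_gap function stands in for the formal check that compares a rules manual against a short specification.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable

# Toy prime field, small enough to enumerate every witness. Real circuits use a
# ~255-bit field; the failure mode shown here is the same.
P = 17
MAX_VALUE = (P - 1) // 2  # hypothetical cap on a note's value (like a 64-bit bound)

@dataclass(frozen=True)
class Witness:
    """Private values of one hypothetical shielded transfer (constructed example)."""
    v_in: int   # value of the note being spent
    v_out: int  # value of the note being created
    fee: int    # fee paid out of the transfer

def spec(w: Witness) -> bool:
    """Short, human-readable specification: over the integers, value is conserved
    and nothing is negative. This is the statement an auditor actually needs."""
    return w.v_out >= 0 and w.fee >= 0 and w.v_in == w.v_out + w.fee

def loose_rules(w: Witness) -> bool:
    """'Rules manual' with one constraint written too loosely: balance holds only
    modulo P and no value is bounded, so wrap-around creates value from nothing."""
    return (w.v_in - w.v_out - w.fee) % P == 0

def strict_rules(w: Witness) -> bool:
    """Corrected rules manual: same modular balance plus a range check on every
    value. With all values <= MAX_VALUE, v_out + fee < P, so equality mod P
    implies integer equality and the rules now match the specification."""
    in_range = all(0 <= x <= MAX_VALUE for x in (w.v_in, w.v_out, w.fee))
    return in_range and (w.v_in - w.v_out - w.fee) % P == 0

def soundness_gap(rules: Callable[[Witness], bool], bound: int = 2 * P) -> list:
    """Exhaustive stand-in for a formal soundness check: anything the rules accept
    must satisfy the spec. Returns the accepted-but-invalid witnesses found."""
    witnesses = (Witness(a, b, c) for a, b, c in product(range(bound), repeat=3))
    return [w for w in witnesses if rules(w) and not spec(w)]

# Forged transfer: spend nothing and create a note worth P units (0 mod P).
FORGED = Witness(v_in=0, v_out=P, fee=0)

if __name__ == "__main__":
    print("loose rules accept forgery:", loose_rules(FORGED))    # True
    print("strict rules accept forgery:", strict_rules(FORGED))  # False
    print("loose counterexamples:", len(soundness_gap(loose_rules)))
    print("strict counterexamples:", len(soundness_gap(strict_rules)))  # 0
```

The point of the exhaustive check is the one Swihart makes: the auditor reads only the three-line spec, and the machine establishes that the rules manual cannot accept anything the spec rejects.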

Josh's response did not shy away from the severity of the vulnerability, but it shifted the focus to long-term solutions: formal verification plus the simpler next-generation circuit, Tachyon.

In fact, from a public relations perspective, openly admitting the problem and presenting a modification plan is a good choice both technically and emotionally.

It is just that, in a market environment where crypto prices are already plummeting, Zcash's own problems will accelerate holders' capitulation: what would otherwise look like a sell-off with no reason now has a ready-made one.

After all, speculators may not care about the technical remedy; for them, the black swan is simply the catalyst for the decline.

A quick patch and transparent disclosure are advantages, but the inability to “prove innocence completely,” combined with large holders exiting, means that the short-term narrative and price will remain under pressure. In the long run, if formal verification is implemented, it may help Zcash regain its positioning as “the hardest privacy coin,” but all of that takes time.
