How AI Found A Four-Year-Old Bug In Zcash — And What It Means For Crypto Security

What Happened: A Quick Summary

On May 29, 2026, security researcher Taylor Hornby discovered a critical vulnerability inside Zcash's Orchard privacy pool. Hornby had been engaged by Shielded Labs specifically to look for this kind of issue. He used Anthropic's Claude Opus 4.8 as part of the review, and within roughly 24 hours of the model's public release, had identified a flaw that had survived four years of expert scrutiny.

The bug was serious. In the right hands, it could have allowed an attacker to generate unlimited counterfeit ZEC — the native token of the Zcash network — inside the shielded pool, with the network's cryptographic verification system treating those fake coins as completely legitimate.

Hornby did not exploit the flaw on the live network. He reported it directly to Zcash's coordinating development body (ZODL) the same evening. By June 3, 2026, an emergency hard fork had been deployed, permanently closing the vulnerability.

This event is an important case study in how zero-knowledge proof systems fail, why AI is changing security research, and what responsible disclosure looks like in practice.

Understanding Zero-Knowledge Proofs: The Basics

Before unpacking the bug, it helps to understand what zero-knowledge proofs actually are and why blockchains use them.

A zero-knowledge proof is a method that allows one party (the prover) to convince another party (the verifier) that a statement is true, without revealing any of the underlying private information. It is the cryptographic equivalent of proving you know a password without ever saying the password out loud.

In the context of privacy-focused blockchains like Zcash, ZK proofs serve a specific purpose: they allow the network to verify that a transaction is valid (i.e., no coins are being created from nothing, and the sender actually has the funds) without exposing the sender's address, the recipient's address, or the amount transferred.

This is done through something called a ZK circuit — a mathematical representation of the rules a transaction must satisfy. Think of a circuit as a set of constraints, like a checklist the network runs against every transaction. If all boxes are checked, the transaction passes. If any box fails, it is rejected.

Where Bugs Hide: Under-Constrained Circuits

ZK circuit code is not like ordinary software. It is not written in familiar languages like Python or JavaScript. It uses specialized frameworks such as Circom or Halo2 that compile human-readable logic into constraint systems used by cryptographic proof engines.

This translation layer is the source of most ZK security failures. When a developer writes a constraint, they are defining a mathematical rule the proof must satisfy. If that rule is incomplete or slightly wrong, the proof system does not crash or throw an error. It just accepts invalid inputs quietly.

This is called an under-constrained circuit. A 2024 analysis found that roughly 96% of documented bugs in SNARK-based ZK systems were caused by under-constrained circuits, meaning checks that appeared to work but were not actually enforcing the rules they were supposed to.

The Zcash Orchard bug followed exactly this pattern. Two lines of code left an elliptic curve multiplication check under-constrained. As a result, mathematically invalid inputs could pass a verification step that should have rejected them — and the zero-knowledge proof system would stamp the fraudulent transaction as valid.

The Orchard Pool: What It Is and Why It Matters

Zcash has multiple transaction pools. Transparent transactions work similarly to Bitcoin and are publicly visible. Shielded transactions use ZK proofs to hide transaction details.

Orchard is Zcash's newest and most advanced shielded pool. It was introduced in May 2022 as part of the NU5 network upgrade and built on the Halo2 proving system. A key milestone of the Orchard launch was that it was the first Zcash pool to operate without a trusted setup — a design improvement that had been a long-term goal for the Zcash team.

The bug lived in the Orchard circuit from the moment the pool launched. It was present for approximately four years before being discovered.

Why Did the Bug Survive Four Years of Review?

This is one of the most important questions raised by the Zcash incident, and the honest answer is that ZK circuit auditing is genuinely hard — even for expert cryptographers.

Traditional smart contract auditors use established tools, fuzzers, and well-understood code patterns. ZK circuits require a different kind of expertise. The constraints must be verified against the mathematical specification of the proof system, which requires deep knowledge of the underlying algebra. A circuit can look correct to a non-specialist while concealing a subtle flaw in its constraint structure.

The Zcash Orchard circuit had undergone multiple rounds of expert review, including by some of the most qualified ZK cryptographers in the field. The bug survived all of them. It was not a trivial mistake that anyone should have caught quickly — it was the kind of subtle under-constraint that only became visible under a specific type of deep, targeted analysis.

Claude Opus 4.8 assisted Hornby in conducting exactly that kind of analysis. The model helped review the circuit code and identify the problematic constraint. Within roughly 24 hours of the model's public release, Hornby had enough to write a working proof-of-concept exploit in a local test environment.

What AI Changes About Security Research

The Zcash case is likely an early example of a significant shift in how cryptographic security research gets done.

Frontier AI models are becoming capable of reasoning through complex mathematical constraint systems, identifying subtle logical inconsistencies, and assisting researchers in writing and testing exploit code. This cuts both ways. Security teams can use these tools to find bugs before attackers do. But the same capabilities, if accessible to malicious actors, lower the barrier to discovering critical vulnerabilities.

Security researchers have noted publicly that capabilities approaching today's most advanced vulnerability-discovery tools could become more widely available within months.

For the crypto industry, the implication is clear: ZK security auditing can no longer rely solely on periodic expert reviews. Continuous AI-assisted monitoring is becoming part of responsible protocol security.

Responsible Disclosure: How the Zcash Team Handled It

Responsible disclosure is the practice of reporting a discovered vulnerability to the affected party privately, giving them time to fix it before any public announcement.

Hornby followed this process by the book. He disclosed the flaw to ZODL engineers on the evening of May 29. The Zcash ecosystem responded quickly:

• June 2: A soft fork disabled all Orchard-containing transactions while a circuit fix was finalized.

• June 3: The NU6.2 hard fork activated, deploying a corrected circuit and permanently closing the vulnerability.

• June 4: Shielded Labs published a public disclosure explaining what happened.

The five-day window from discovery to full resolution was the second security-driven protocol upgrade in Zcash history since the network's launch in 2016. The response is considered a model for how serious vulnerabilities should be handled.

What About the Four Years Before the Fix?

Because Orchard is a privacy pool, it is not possible to cryptographically determine whether the vulnerability was ever exploited between May 2022 and June 2026. The privacy properties that protect legitimate transactions also make unauthorized transactions invisible by design.

The Zcash team and Shielded Labs have stated that they assess exploitation as unlikely, reasoning that the bug was sufficiently subtle that it evaded years of expert review and required cutting-edge AI assistance to uncover. That argument is reasonable but cannot be verified with certainty.

Shielded Labs is exploring a proposed network upgrade called 'turnstile accounting' which would force all existing Orchard coins through a verifiable checkpoint, allowing anyone to confirm whether counterfeit supply exists. This would be a significant privacy trade-off, and the decision rests with the Zcash community.

The Broader Lesson for Crypto Security

The Zcash Orchard bug is not an isolated incident. Under-constrained circuits have caused significant losses across the broader ZK ecosystem, including incidents on other networks over the past several years.

What makes ZK bugs uniquely dangerous is that they fail silently. A standard software bug might cause a visible crash or error. A ZK circuit bug passes every test while quietly allowing fraudulent activity to occur. By the time anyone notices something is wrong, the damage may already be done.

For builders, auditors, and anyone using ZK-based protocols, the Zcash case reinforces several practical points:

• ZK audits require specialized cryptographic expertise — standard smart contract tools are not sufficient.

• Multiple independent audits are necessary, not just a single review.

• AI-assisted auditing is becoming a legitimate and valuable part of the security stack.

• Responsible disclosure processes matter enormously when vulnerabilities are found.

• Privacy-by-design creates trade-offs: the same properties that protect users also make post-hoc auditing of potential exploitation impossible.

Ready to go deeper? Enroll in the AI Bootcamp and learn how to build at the intersection of AI in one weekend. 

Frequently Asked Questions

What is a zero-knowledge proof?

A zero-knowledge proof is a cryptographic technique that lets one party prove to another that a statement is true, without revealing any supporting details. In blockchain applications, it allows transaction validity to be confirmed without exposing sender, recipient, or amount.

What went wrong in the Zcash Orchard bug?

A specific check in the Orchard ZK circuit was not properly enforcing the rules it appeared to enforce. An attacker could have fed mathematically invalid inputs into that check and had them accepted, allowing the creation of counterfeit ZEC that looked entirely legitimate to the network.

Was the Zcash bug exploited?

There is no confirmed evidence of exploitation on the main network. However, because Orchard is a privacy pool, it is technically impossible to rule it out with certainty. The Zcash team considers exploitation unlikely given how difficult the bug was to find.

What is responsible disclosure?

Responsible disclosure means privately notifying a software or protocol team about a security vulnerability before publishing any details publicly. This gives the team time to develop and deploy a fix before the information becomes available to potential attackers.

How is AI changing crypto security auditing?

Frontier AI models can assist security researchers in reading and reasoning through complex cryptographic circuit code, identifying subtle logical inconsistencies that might be invisible to standard tools. This makes high-quality security analysis accessible more quickly and at greater scale than traditional manual review alone.

What is an under-constrained ZK circuit?

An under-constrained ZK circuit is one where the mathematical rules defining what a valid proof must satisfy are incomplete. This allows invalid inputs to pass the verification step that should reject them, effectively making fraudulent proofs appear legitimate.

Disclaimer: This content is for educational and informational purposes only and is not financial advice. Nothing here is a recommendation to buy or sell any asset or use any platform. Do your own research and manage your risk.

Read More

AI + Crypto Convergence in 2026: What It Means for Web3 Developers and Users

AI Meets DAOs: How Artificial Intelligence Is Changing On-Chain Governance in 2026

Beginner’s Guide to Decentralized AI (DeAI): Subnets, Bittensor Basics, and Safe Participation Tips

AI Agent Crypto Wallets and Regulation: What Developers and Users Need to Know in 2026