
Reports indicate that security researcher Taylor Hornby used Claude Opus 4.8 to help discover a critical vulnerability in Zcash’s Orchard Privacy Pool, Zcash’s newer shielded transaction system, which has been in use since May 2022. Orchard uses zero-knowledge proofs to verify that transactions are valid without revealing transaction amounts. The vulnerability was in the transaction input validation mechanism, which did not properly enforce required conditions. As a result, attackers could potentially create counterfeit ZEC in transactions that would still appear valid to the system.
Shielded Labs, a research and development organization associated with Zcash, stated that the vulnerability had existed from Orchard’s launch in May 2022 until an emergency patch was released on June 1, 2026. Hornby developed a Proof-of-Concept to test the issue and reported it to engineers at ZODL, the organization coordinating Zcash development, for urgent remediation. A key concern is that, because of Orchard’s privacy features and the nature of the vulnerability, it is not possible to clearly prove whether the flaw was exploited during the past four years. However, the Zcash team assessed that prior exploitation was unlikely.
Following the disclosure, Shielded Labs proposed an additional mitigation through a network upgrade called Turnstile Accounting. The upgrade would create a new shielded pool and require coins from the old Orchard Pool to pass through a checkpoint that can verify the correctness of the coin supply. If counterfeit ZEC exists, it would appear as a discrepancy during this process.
This case demonstrates that advanced AI models can help quickly identify vulnerabilities in systems that have already undergone security reviews for many years. It also highlights the need for cryptographic projects and other highly sensitive systems to strengthen their security review processes in line with an era in which AI can accelerate both vulnerability discovery and the analysis of complex systems.
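
The turnstile checkpoint described above can be modeled as a running balance check. This is an added example, not code from Shielded Labs or Zcash: the name `audit_turnstile`, the event format and the amounts are assumptions constructed for illustration, and fees and the actual upgrade rules are not modeled.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass
class TurnstileReport:
    entered: int                 # value that publicly moved into the old pool
    exited: int                  # value that left it through the turnstile
    first_breach: Optional[str]  # first exit that pushed the balance below zero
    shortfall: int               # deepest deficit seen: lower bound on counterfeit value

def audit_turnstile(events: Iterable[Tuple[str, str, int]]) -> TurnstileReport:
    """Replay boundary crossings of a shielded pool (hypothetical event format).

    Each event is (event_id, kind, amount) with kind 'enter' or 'exit' and an
    integer amount in the smallest unit. Transfers inside the pool are hidden
    and do not appear here; only value crossing the pool boundary is visible.
    """
    entered = exited = shortfall = 0
    first_breach = None
    for event_id, kind, amount in events:
        if amount < 0:
            raise ValueError(f"negative amount in {event_id}")
        if kind == "enter":
            entered += amount
        elif kind == "exit":
            exited += amount
            if exited > entered:
                # More value has left than ever entered: some was never issued.
                first_breach = first_breach or event_id
                shortfall = max(shortfall, exited - entered)
        else:
            raise ValueError(f"unknown event kind {kind!r} in {event_id}")
    return TurnstileReport(entered, exited, first_breach, shortfall)

# Constructed sample: 800 units entered the old pool, 870 try to leave.
SAMPLE_EVENTS = [
    ("tx-a", "enter", 500),
    ("tx-b", "enter", 300),
    ("tx-c", "exit", 400),
    ("tx-d", "exit", 350),
    ("tx-e", "exit", 120),   # pushes cumulative exits to 870 > 800
]

if __name__ == "__main__":
    print(audit_turnstile(SAMPLE_EVENTS))
```

In this model the discrepancy surfaces only once cumulative exits exceed cumulative entries, so the check bounds the total counterfeit value (70 units in the sample) without identifying which earlier exit carried it.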
