Zcash discloses critical flaw: AI helped uncover bug that could mint unlimited ZEC

Privacy-focused cryptocurrency Zcash has disclosed one of the most serious security incidents in its history. Researcher Taylor Hornby found a critical flaw in Zcash’s Orchard privacy pool on May 29, 2026. The bug theoretically allowed an unlimited amount of counterfeit ZEC to be created without detection by the network.

Notably, Hornby used Anthropic’s newly released AI model Opus 4.8—launched just a day earlier. According to Shielded Labs, the model was applied in a targeted audit of Orchard’s cryptographic circuits, exposing the vulnerability almost immediately.

The flaw was in the Orchard circuit, the cryptographic engine behind Zcash’s most advanced privacy layer. Because a check in an elliptic-curve calculation wasn’t strictly enforced, attackers could feed in fake inputs and still pass verification.

In theory, that opened the door to mint unlimited new ZEC with no way for other network participants to notice. Hornby built a working exploit and tested it successfully in a local environment. Shielded Labs says the same exploit could have generated unlimited, invisible ZEC on mainnet.

Making matters worse, the bug had been present since Orchard’s activation in May 2022. In other words, it went undetected for nearly four years despite audits and reviews by cryptographers and security researchers.

According to Shielded Labs, there is no cryptographic way to definitively determine after the fact whether the flaw was exploited before discovery. Orchard’s very privacy guarantees make such verification impossible.

The team stresses there is no evidence of real-world abuse. At the same time, the opposite cannot be proven either.

One striking angle: the role of AI. Shielded Labs says Hornby combined advanced AI-auditing techniques with traditional security analysis to probe complex cryptographic circuits.

Shortly after Opus 4.8 launched, he aimed the model squarely at the Orchard circuit. The vulnerability surfaced within a day.

It stands as one of the most notable examples of AI-assisted security research in crypto to date. While AI is often framed as a tool for attackers, this discovery shows it can also uncover fundamental flaws before bad actors do.

After the May 29 report, the Zcash Open Development Lab (ZODL) launched a coordinated emergency response with the Zcash Foundation and other ecosystem developers.

Shielded Labs says the vulnerability was fixed on June 1. By June 2, the full ecosystem response was complete—keeping the attacker window relatively small.

Developers praised the rapid cross-team collaboration across the Zcash network, which they say may have prevented malicious discovery and exploitation.

While Shielded Labs believes prior exploitation is unlikely, the team doesn’t want users to rely on that judgment alone.

They’re working with other developers on a network upgrade proposal. The plan includes introducing a new shielded pool and additional checks so users can verify the integrity of ZEC’s total supply.

The end goal: cryptographic proof that no counterfeit ZEC entered circulation via Orchard.

Developers expect to publish more details next week. As with any major network upgrade, community support will be required.

Shielded Labs also announced expanded security efforts, with AI at the center.

The team is again collaborating with Taylor Hornby and Anthropic to run additional audits using the latest AI models. They also plan to formally verify the entire Orchard circuit—producing a mathematical proof that similar vulnerabilities no longer exist.

Shielded Labs is additionally searching for a new Head of Security and an extra cryptographer to grow its security capacity.

The discovery underscores the complexity of modern privacy cryptography. Even systems scrutinized for years can harbor critical bugs that remain hidden.

It also highlights AI’s rising strategic role in cybersecurity. While often discussed as a risk, advanced models are proving to be powerful tools for defensive research.

For both the crypto sector and the broader AI industry, this may be a pivotal signal: as AI gets better at dissecting complex software and cryptography, the race between defenders and attackers will increasingly be decided by AI.