Josh Swihart has detailed Zcash’s emergency response to a vulnerability that could have enabled unlimited counterfeit ZEC creation, as the token has recovered more than 41% from its post-disclosure low.
Summary
- Zcash deployed a soft fork and a hard fork to fix a critical Orchard vulnerability that could have enabled unlimited counterfeit ZEC creation.
- Josh Swihart said mining pools and exchanges reviewed the emergency code changes, with ViaBTC and Foundry helping coordinate the response.
- ZEC has recovered more than 41% from its June 5 low after the vulnerability was patched and Orchard transactions were restored.
According to Josh Swihart, founder of Zcash Open Development Lab (ZODL), the team deployed a two-stage network upgrade after discovering a critical flaw in Zcash’s Orchard shielded pool, the network’s primary privacy-focused transaction system.
In a June 8 post on X, Swihart said the first step involved a soft fork that disabled Orchard transactions while allowing developers to reduce the risk of exploitation without publicly revealing details that could have exposed the network to further threats.
A second upgrade, the NU6.2 hard fork, went live on June 3 and addressed the underlying vulnerability before Orchard transactions were restored.
The update follows last week’s disclosure from Shielded Labs, an independent support organization for Zcash, which warned that a flaw in the Orchard circuit could have allowed an attacker to mint unlimited counterfeit ZEC.
Shielded Labs said the issue had been fixed and added that it considered prior exploitation unlikely, although it acknowledged there was no cryptographic proof that the bug had never been used.
Orchard serves as Zcash’s main shielded pool, allowing users to send and receive ZEC through zero-knowledge proofs that conceal transaction details while validating transfers.
Mining pools and exchanges reviewed emergency fix
During the response process, Swihart said ZODL worked closely with mining pools, exchanges, and other ecosystem participants that requested code reviews before supporting the upgrade.
Among those participants, Swihart identified ViaBTC and Foundry as key contributors that helped coordinate the network response and verify the emergency changes before activation.
Earlier discussions around the vulnerability had already prompted conversations about longer-term recovery measures. Shielded Labs previously outlined a proposal known as Ironwood, which would isolate the existing Orchard pool, track coins leaving the system through turnstile accounting, and eventually guide users toward a new shielded pool with stronger supply verification mechanisms.
Separate comments from David Schwartz, CTO emeritus of Ripple, also addressed concerns from Zcash users about funds left behind in Orchard.
Schwartz said passive holders would not automatically lose ownership of their coins if no exploit occurred before any migration process, explaining that consensus rules could continue recognizing those balances even if the pool stopped seeing regular activity.
ZEC rebounds after sharp selloff
Market reaction to the disclosure was immediate. According to previously reported price data, ZEC fell from roughly $630 to around $303 after news of the vulnerability emerged, as traders grappled with uncertainty surrounding the integrity of the shielded pool and the possibility that counterfeit coins may have entered circulation.
Questions about the protocol’s security reached beyond the Zcash community. Among the high-profile reactions, BitMEX co-founder Arthur Hayes said he had exited his entire ZEC position after learning of the vulnerability.
Recent trading has shown signs of stabilization. According to crypto.news data cited by Swihart, ZEC rose 13.5% over the past 24 hours to $428.67, representing a recovery of about 41.5% from the June 5 low near $303.
Summing up the incident, Swihart said the network had resolved the vulnerability, tested its incident response procedures, strengthened relationships with ecosystem partners, and aligned developers around a recovery path for the project.
