
ZEC Co-Founder Responds to Orchard Vulnerability: No Evidence of Theft Detected; Orchard Pool to Be Frozen
Shielded Labs believes the likelihood of prior exploitation of the Orchard vulnerability is low, so user assets remain secure and the token supply remains normal.
By Zooko Wilcox and Jason McGee
Translated by Luffy, Foresight News
A recent security vulnerability was discovered in Zcash’s Orchard shielded pool, prompting widespread concern over two key questions: Has the total Zcash supply been compromised? Are user assets safe?
Current discussions conflate multiple distinct topics, making it difficult for many to grasp the vulnerability’s real-world impact on ordinary users. This article addresses these concerns and clarifies their underlying implications.
The Orchard vulnerability raises four critical questions:
- Has the vulnerability already been exploited by attackers?
- Can users safely withdraw their legitimate assets currently held in Orchard?
- Can users independently verify that Zcash’s total supply has not been artificially inflated?
- How can we confirm that no other similar counterfeiting vulnerabilities exist in the project?
Has the vulnerability already been exploited?
There is currently no definitive answer. Overall, the likelihood of prior malicious exploitation appears low—but we cannot rule it out entirely. Three main factors support this assessment:
- For years, top-tier cryptographers and security researchers worldwide have rigorously audited Zcash’s codebase—yet this vulnerability remained undetected. It was proactively identified by Taylor Hornby of Shielded Labs—not accidentally exposed. Hornby employed AI-powered security analysis tools and custom-built detection systems specifically designed to uncover such deeply hidden flaws. Such vulnerabilities demand deep expertise in the Zcash codebase; they are exceptionally difficult for non-specialists to locate or exploit.
- Immediately after disclosure, the Zcash development team coordinated with major mining pools to temporarily freeze the Orchard pool and rapidly deploy a patch—significantly narrowing the window of opportunity for potential attackers.
- Most cryptocurrency attacks aim for rapid financial gain. Once a vulnerability becomes public, attackers typically move quickly to cash out. Exploiting this flaw would require withdrawing counterfeit ZEC from the Orchard pool and exchanging them for other assets—a process that almost always leaves detectable traces. If exploitation had occurred earlier, evidence would likely already be visible. Historically, attackers follow a “hit-and-run” pattern—exiting swiftly rather than concealing activity for months or years.
Can legitimate assets in Orchard still be withdrawn?
We believe yes—provided the vulnerability has never been exploited. If this holds true, all legitimately deposited assets in Orchard can be withdrawn without issue.
Conversely, if attackers have already generated counterfeit tokens and deposited them into the pool, existing withdrawal mechanisms cap total outflows at the original amount of legitimately deposited ZEC. In that scenario, if counterfeit tokens are withdrawn first, some users’ legitimate assets may not be fully recoverable.
We consider this extreme scenario highly unlikely. For those still concerned, transferring assets out of the Orchard pool remains an option—but users should understand the risks associated with different withdrawal methods:
- Transfer to a transparent address (t-address): Transaction amounts and timestamps become fully public, and assets become permanently linked to that address—eliminating all privacy.
- Transfer to the Sapling shielded pool: While transaction amounts and timestamps remain recorded, assets are not tied to specific addresses or historical transactions—offering stronger privacy than t-addresses. Note, however, that Sapling relies on a trusted setup ceremony completed in 2018, which introduces its own security risks.
- Wallets: Among mainstream self-custody wallets, only YWallet and Zkool currently support transfers to the Sapling pool.
- Other wallets or custodial platforms: Operational errors, software bugs, or platform-level risk controls may introduce additional complications.
Overall, these risks remain manageable. Given our assessment that exploitation is highly unlikely, leaving assets in their current shielded wallet is a prudent choice. Transferring assets out is also viable—if done securely—and users should decide based on their individual circumstances.
Can users independently verify that Zcash’s total supply hasn’t been inflated?
Not yet. Due to this vulnerability, ordinary users currently lack the ability to independently verify whether the shielded pool’s token balance has been inflated.
However, the upcoming Ironwood network upgrade will resolve this issue. Its logic works as follows:
This upgrade will permanently disable the Orchard pool—no new deposits will be accepted, and internal transfers within the pool will be prohibited. All assets can only be withdrawn via pre-existing channels, whose total withdrawal capacity is strictly capped at the original amount of legitimately deposited tokens—effectively eliminating the possibility of overspending.
After the upgrade, anyone running a node will be able to independently verify compliance of the total supply. Even if counterfeit tokens were previously introduced, they will no longer circulate within Orchard or inflate the overall supply. Users won’t need to speculate about attacker behavior or other users’ actions—the protocol itself guarantees no oversupply can occur.
This point is crucial: Zcash’s long-term credibility rests on users’ ability to independently verify its total supply. The Ironwood upgrade restores that capability.
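The withdrawal cap described in the two sections above (outflows limited to the legitimately deposited ZEC, and a withdraw-only pool after the upgrade) can be sketched as a simplified accounting model. This is an added example, not part of the original article and not Zcash code; the class and function names and the sample amounts are assumptions made for illustration.

```python
class Rejected(Exception):
    """A transaction this model's consensus rules refuse."""


class PoolLedger:
    """Public accounting for one shielded pool: only values crossing the
    pool boundary are visible, so a node tracks deposits minus withdrawals."""

    def __init__(self):
        self.balance = 0      # visible net value held by the pool
        self.frozen = False   # True models the post-upgrade, withdraw-only state

    def deposit(self, amount):
        if self.frozen:
            raise Rejected("pool disabled: deposits not accepted")
        self.balance += amount

    def withdraw(self, amount):
        # The cap: outflows may never exceed what visibly flowed in.
        if amount > self.balance:
            raise Rejected("withdrawal exceeds pool balance")
        self.balance -= amount


def simulate(legit, forged, order):
    """legit: owner -> ZEC deposited; forged: owner -> ZEC of counterfeit
    notes created inside the pool (never deposited); order: withdrawal order.
    Returns (paid per owner, total ZEC that left the pool)."""
    ledger = PoolLedger()
    for amount in legit.values():
        ledger.deposit(amount)
    ledger.frozen = True
    claims = {**legit, **forged}     # what each wallet believes it holds
    paid = {}
    for owner in order:
        amount = min(claims[owner], ledger.balance)  # largest withdrawal still valid
        ledger.withdraw(amount)
        paid[owner] = amount
    return paid, sum(paid.values())


# Constructed sample values, not real chain data.
LEGIT = {"alice": 60, "bob": 40}
FORGED = {"forger": 50}

if __name__ == "__main__":
    for order in (["alice", "bob", "forger"], ["forger", "alice", "bob"]):
        paid, total = simulate(LEGIT, FORGED, order)
        print(order, paid, "total out:", total)
```

In both orderings the total leaving the pool equals the 100 ZEC that was deposited, so the supply outside the pool cannot be inflated; only the split between holders changes when the counterfeit claim is withdrawn first.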
How can we confirm no other token-counterfeiting vulnerabilities exist?
We cannot provide absolute certainty at this stage—but there are strong reasons to believe no similar vulnerabilities remain.
Shielded Labs, together with several partner teams, conducted a comprehensive audit of the Zcash protocol, focusing specifically on token-counterfeiting vulnerabilities. During the audit, the team also leveraged Anthropic’s unreleased Mythos AI model for auxiliary detection. We will publish a detailed report outlining the audit methodology and findings.
To date, no new counterfeiting vulnerabilities have been found. This audit involved seasoned engineers, professional security teams, and cutting-edge AI analysis tools—strengthening our confidence that no other high-risk, undisclosed counterfeiting vulnerabilities remain.
In parallel, we’re collaborating with partners including the Tachyon project to conduct additional security checks, further reinforcing our defenses. Updates on this effort will follow.
Summary
The Orchard vulnerability raises four core questions: whether it has been exploited, whether legitimate assets remain withdrawable, whether users can verify the total supply, and whether other counterfeiting vulnerabilities exist.
Based on current audit results, we assess the probability of prior exploitation as very low—meaning user assets remain secure and the total supply remains intact. Repeated independent audits across multiple teams further reinforce our confidence that no other undisclosed counterfeiting vulnerabilities currently exist.
One unavoidable reality remains: users still cannot independently verify the total supply today. The upcoming network upgrade will fully resolve this. Once implemented, the Orchard pool will be permanently shut down, enabling users to independently verify the total supply—without needing to assess whether counterfeiting ever occurred.














