On 29 May 2026, one day after Anthropic released its Opus 4.8 model, independent security engineer Taylor Hornby pointed the model at the Halo 2 gadget library underpinning Zcash's Orchard shielded pool. Two lines of code in an elliptic-curve constraint produced a soundness bug: the proving system would accept proofs of invalid state transitions. In plain language, an attacker who understood the flaw could have produced a zero-knowledge proof that minted ZEC inside Orchard without any matching deposit. The bug had been live since Orchard activated in May 2022, about four years.
Coordinated disclosure ran from 31 May through 3 June. Zebra 4.5.3 shipped an emergency soft fork that disabled Orchard actions at block 3,363,426 on 2 June. The NU6.2 hard fork — Zebra 5.0.0 — re-enabled Orchard with the corrected circuit at block 3,364,600 on 3 June. The Electric Coin Company and Zcash Foundation went public on 4 June. ZEC fell roughly 38–50% on the news.
Two things matter more than the price move and rarely get separated cleanly in the headlines.
One: Zcash's total supply is auditable, because coins crossing between pools pass through what the protocol calls a turnstile — a transparent accounting layer that compares value-in against value-out per pool. The Zcash Foundation confirmed on 4 June that turnstile records show no excess value left Orchard during the bug's lifetime. By that measure, no counterfeit coins ever made it into the wider economy.
Two: Whether counterfeit ZEC was minted inside Orchard — sitting in shielded addresses, never withdrawn — cannot be checked by anyone outside the attacker. Shielded Labs said so explicitly on 4 June, and on 5 June proposed a new network upgrade that would let users independently verify Orchard's internal supply going forward.
The bug is fixed. The privacy guarantee that lets an attack like this be detected only at the turnstile, and not at all from outside the pool, is the same property the shielded pool exists to provide. That is the trade-off privacy coins have always had on the table.
Thomas Hunt's verdict after the news broke was specific: "I said multiple times that they would have trouble because they couldn't audit or verify the coins and that this kind of hack could happen." We searched 484 show transcripts that mention Zcash or Monero across The Bitcoin Group (TBG), World Crypto Network (WCN), and Mad Bitcoins (MB). The strongest receipts:
> The toxic waste is not the only way to have counterfeit. Like Bitcoin had an integer overflow bug, which allowed someone to create 180 billion Bitcoin… And the only reason we know that happened is because Bitcoin had a small privacy. So if we had a bug like that in Zcash, which is entirely possible, there would be no way to notice it and fix it.
>
> — World Crypto Network, 26 October 2016 · four days before Zcash's genesis block · brain.db: 320f182ecf0e4fbb8122e3d58ce5ecfa
This is the prediction, almost ten years ahead, in one sentence. The speaker (panel discussion on WCN) names exactly the mechanism that just played out: a counterfeit bug inside a shielded pool would be undetectable. The Zcash Foundation's June 2026 statement — "we cannot rule out exploitation within Orchard" — is the same claim told from the other side.
> Brand new cryptocurrency, Zcash, dominated the news with claims of anonymity that drove the market wild… Still an impressive debut for a new technology that may actually provide seamless anonymous payments, or it might just break or be broken.
>
> — Thomas Hunt, Mad Bits, 29 October 2016 · episode opening segment · brain.db: a183f03b42824f1eb252cbf2cb3a2fe2
Three days into Zcash's existence, in Thomas's own voice, on his own show: the binary is "works as advertised" or "break or be broken." The June 2026 disclosure shows the second branch was never hypothetical.
> In the case of Zcash, no one has any idea if it's actually working. And some are speculating the same thing for Monero…
>
> — World Crypto Network, 4 February 2017 · brain.db: ec0320a23d754938978f9f9b7980d92d
> I don't understand why anyone in the world wants to use Zcash for this stuff because every time the topic comes up Zooko runs out there screaming "we can make Zcash not anonymous." It's just like hilarious… I don't understand what his coin is for… I don't understand why anyone takes Zcash seriously. Dash, as you guys all know, I think Dash is a joke. Monero has some potential, but a lot of these anonymous coins, they're too anonymous for their own good.
>
> — Thomas Hunt, The Bitcoin Group, 2 June 2017 · brain.db: 9a64841eb23f4f569fbd131440b31e4a
> Nobody uses the anonymity features of Zcash. You actually have to use their network differently in order to get the anonymity features. And no one does. So it's fake anonymity… As opposed to Monero, what you're saying is actual privacy.
>
> — World Crypto Network, 11 January 2018 · brain.db: af4a1e0107984536abbfbbcd29473bcd
> No-one can hack Zcash because no-one can audit Zcash.
>
> — Peter Todd, quoting Riccardo "Fluffypony" Spagni · retweeted by @MadBitcoins, 5 February 2019 · tweet ID 1092832667559636992
Posted during the disclosure of the previous Zcash counterfeiting bug: the flaw in the BCTV14 proving system behind the original Sprout pool, found by Ariel Gabizon in March 2018, fixed quietly in the October 2018 Sapling upgrade, and disclosed in February 2019. Thomas amplified the line. The 2026 Orchard bug is the second known soundness-class flaw in Zcash's lifetime. The audit-problem framing has held twice.
Honesty note: across 203 show appearances of "Zcash" and 281 of "Monero" in the WCN/TBG/MB corpus, Thomas's framing was consistent but not always sharply phrased — much of the strongest material comes from guest panels on shows he hosted (notably the Zooko-on-WCN episode of 26 Oct 2016, where the "no way to notice and fix it" line appears in a Zcash-friendly discussion of fungibility). The MadBits opening (#2) and the 2 Jun 2017 TBG monologue (#4) are Thomas's own voice. The retweet (#6) is his amplification. We did not find a tape of Thomas saying verbatim "they can't audit their supply and someone will exploit it," and we don't claim he did.
Bitcoin's supply is auditable because every transaction sits on a public ledger as input UTXOs destroyed and output UTXOs created. Anyone can run `bitcoin-cli gettxoutsetinfo`, sum every spendable coin, and compare the total against the subsidy schedule. If even a single satoshi appeared from nowhere, as in the 15 August 2010 integer overflow bug, where one transaction's two outputs summed to roughly 184 billion BTC, the chain itself shows the bad output. Bitcoin's worst supply bug was patched within hours and the offending chain orphaned within a day because the imbalance was visible to anyone who looked.
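As an added example (not code from the article or from Bitcoin Core), the following Python models the two checks at issue in the 2010 incident: the pre-fix output-value check that a wrapping 64-bit sum slipped past, and the post-fix range check that closed it. It also includes the supply audit that a `gettxoutsetinfo`-style sum makes possible. The function and constant names (`wrap_int64`, `accept_pre_fix`, `accept_post_fix`, `expected_supply`, `audit_utxo_set`, `OVERFLOW_OUTPUTS`) are this example's own; the amounts are constructed to match the shape of the 2010 transaction (a 0.5 BTC input and two outputs of 92,233,720,368.54277039 BTC), and the pre-fix logic is a simplification of the client of the time, not a transcription of it.

```python
# Added example, not from the article or Bitcoin Core. Amounts are satoshis held
# in a signed 64-bit integer, as the 2010 client did; wrap_int64() emulates the
# C++ wraparound so that Python's unbounded ints behave the same way.

COIN = 100_000_000
MAX_MONEY = 21_000_000 * COIN
INT64_MAX = (1 << 63) - 1


def wrap_int64(value: int) -> int:
    """Two's-complement wrap of an arbitrary int into the signed 64-bit range."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value > INT64_MAX else value


def money_range(value: int) -> bool:
    """MoneyRange(): a value must be non-negative and at most MAX_MONEY."""
    return 0 <= value <= MAX_MONEY


def accept_pre_fix(input_total: int, outputs: list[int]) -> bool:
    """Simplified pre-fix logic: reject a negative output, sum the outputs with
    wrapping arithmetic, then only check that the inputs cover the (wrapped) total."""
    if any(v < 0 for v in outputs):
        return False
    total = 0
    for v in outputs:
        total = wrap_int64(total + v)
    return input_total >= total


def accept_post_fix(input_total: int, outputs: list[int]) -> bool:
    """Post-fix logic: every output and the running total must stay in MoneyRange,
    so the sum can never wrap, and the inputs must cover the total."""
    total = 0
    for v in outputs:
        if not money_range(v):
            return False
        total += v
        if not money_range(total):
            return False
    return input_total >= total


def expected_supply(n_blocks: int) -> int:
    """Satoshis issued by the subsidy schedule after n_blocks blocks
    (50 BTC per block, halving every 210,000 blocks)."""
    total, subsidy, remaining = 0, 50 * COIN, n_blocks
    while remaining > 0 and subsidy > 0:
        n = min(remaining, 210_000)
        total += n * subsidy
        remaining -= n
        subsidy //= 2
    return total


def audit_utxo_set(utxo_values: list[int], n_blocks: int) -> bool:
    """The gettxoutsetinfo-style audit: spendable coins can never exceed issuance."""
    return sum(utxo_values) <= expected_supply(n_blocks)


# Constructed to match the 2010 transaction's shape: a 0.5 BTC input and two
# outputs of 92,233,720,368.54277039 BTC each.
OVERFLOW_INPUT = 50_000_000
OVERFLOW_OUTPUTS = [9_223_372_036_854_277_039, 9_223_372_036_854_277_039]

if __name__ == "__main__":
    wrapped = wrap_int64(sum(OVERFLOW_OUTPUTS))
    print(f"wrapped output total: {wrapped} satoshis ({wrapped / COIN:.8f} BTC)")
    print("pre-fix accepts :", accept_pre_fix(OVERFLOW_INPUT, OVERFLOW_OUTPUTS))
    print("post-fix accepts:", accept_post_fix(OVERFLOW_INPUT, OVERFLOW_OUTPUTS))
    # A constructed UTXO set holding both bogus outputs fails the supply audit.
    print("audit passes    :", audit_utxo_set(OVERFLOW_OUTPUTS, 74_638))
```

The two outputs are each individually positive and below the signed 64-bit ceiling, so a per-output negativity check passes; only their sum wraps, to a small negative number, which is why the inputs appeared to cover the outputs. The post-fix version rejects each output on its own (it exceeds MAX_MONEY) before any sum is formed, and the audit function is the chain-wide check the article is describing: the bad outputs are simply there to be summed.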
Zcash's shielded pools work the opposite way. An Orchard action publishes a zero-knowledge proof asserting that some valid spend happened, value and note commitments, and a nullifier that prevents the same note from being spent twice. None of that reveals sender, recipient, or amount, and an outside observer cannot check for themselves that the action balanced; the verifier takes that on the strength of the proof and the commitments. The pool's integrity therefore rests on the circuit enforcing every constraint it is supposed to enforce. When the circuit has a soundness bug, an attacker can produce a proof that passes verification but does not correspond to a legitimate spend, and to a node it is indistinguishable from an honest shielded transaction.
Monero is differently structured but lands in a related place. Monero uses ring signatures (the spender hides in a decoy set) and RingCT (amounts are committed but obscured). Total Monero supply can be audited by summing block rewards, which are transparent, but the same in-pool counterfeit detection is hard, and Monero has shipped an emergency patch for exactly this class of bug before: a CryptoNote key-image flaw in 2017 that would have allowed unlimited coin creation, patched quietly and disclosed only after downstream forks had been given the fix.
The contrast is structural, not editorial:
| Property | Bitcoin | Zcash (shielded) | Monero |
|---|---|---|---|
| Total supply auditable from chain | Yes — sum UTXOs | Yes — via turnstile | Yes — sum rewards |
| In-pool / private supply auditable | N/A (no private pool) | No | No |
| Sender/recipient visible | Yes (addresses) | No | No |
| Amount visible | Yes | No | No |
| Counterfeit bug visible from chain | Yes (caught 2010) | No (turnstile only after exit) | No |
None of this is a moral claim about whether privacy should exist. It is a statement about what kinds of failure each system can show you as an outside observer. Bitcoin trades surveillance for verifiability. Zcash trades verifiability for privacy. The 2026 Orchard bug is what that trade-off looks like when it's tested by an actual flaw.
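The turnstile accounting described near the top of the page and the "in-pool supply not auditable" row of the table above, as an added example (not code from the article, from Zcash, or from Monero). This Python builds a toy ledger with one transparent pool and one shielded pool. Each shielded transaction exposes only a signed value balance (net value entering the pool) and a proof verdict; what it does to the notes inside the pool is hidden from the ledger's public view. The consensus rule modelled is the ZIP-209-style one, that a pool may never pay out more than has ever entered it. The class and function names (`ShieldedTx`, `Ledger`, `run_scenario`, `hidden_excess`, `observer_view`) and the scenario amounts are this example's own assumptions; the `counterfeit_inside` field stands in for ground truth that no real observer has.

```python
# Added example, not from the article, Zcash or Monero. Amounts are abstract units.
from dataclasses import dataclass, field


@dataclass
class ShieldedTx:
    """The observer's view of a shielded transaction, plus ground truth it never sees."""
    value_balance: int           # net units entering the pool (negative = leaving)
    proof_accepted: bool         # verifier verdict; a soundness bug makes this True for a bad spend
    counterfeit_inside: int = 0  # units conjured inside the pool (ground truth only)


@dataclass
class Ledger:
    transparent_supply: int
    turnstile_balance: int = 0   # public: running sum of value_balance over accepted txs
    true_pool_value: int = 0     # private: what the notes inside actually sum to
    log: list[str] = field(default_factory=list)

    def apply(self, tx: ShieldedTx) -> bool:
        """Accept or reject a shielded transaction using only public information."""
        if not tx.proof_accepted:
            self.log.append("rejected: proof did not verify")
            return False
        if self.turnstile_balance + tx.value_balance < 0:
            self.log.append("rejected: turnstile would go negative")
            return False
        self.turnstile_balance += tx.value_balance
        self.transparent_supply -= tx.value_balance
        # Ground truth: counterfeit enters the pool here without touching the turnstile.
        self.true_pool_value += tx.value_balance + tx.counterfeit_inside
        self.log.append(f"accepted: turnstile={self.turnstile_balance}")
        return True

    def hidden_excess(self) -> int:
        """Counterfeit value still inside the pool. Nothing on chain exposes this."""
        return self.true_pool_value - self.turnstile_balance

    def observer_view(self) -> dict:
        """What an auditor can compute from the chain alone."""
        return {
            "transparent_supply": self.transparent_supply,
            "turnstile_balance": self.turnstile_balance,
        }


def run_scenario() -> dict:
    """Constructed scenario: one honest user, one attacker holding a soundness bug."""
    ledger = Ledger(transparent_supply=1_000)
    # 1. Honest user shields 100.
    ledger.apply(ShieldedTx(value_balance=100, proof_accepted=True))
    # 2. Attacker exploits the soundness bug: the proof verifies, the turnstile sees
    #    a zero-valued action, but 300 counterfeit units now exist inside the pool.
    ledger.apply(ShieldedTx(value_balance=0, proof_accepted=True, counterfeit_inside=300))
    # 3. Attacker unshields 100. The turnstile returns to 0 and the chain looks clean.
    counterfeit_exit_ok = ledger.apply(ShieldedTx(value_balance=-100, proof_accepted=True))
    view_after_exit = ledger.observer_view()
    # 4. The honest user tries to unshield the 100 they put in. The turnstile fires,
    #    on the honest user, because the pool's public balance is already zero.
    honest_exit_ok = ledger.apply(ShieldedTx(value_balance=-100, proof_accepted=True))
    return {
        "counterfeit_exit_accepted": counterfeit_exit_ok,
        "turnstile_after_exit": view_after_exit["turnstile_balance"],
        "hidden_excess": ledger.hidden_excess(),
        "honest_exit_accepted": honest_exit_ok,
        "log": ledger.log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things to take from the run. The turnstile never fires on the counterfeiter: the forged value exits under cover of an honest deposit and the public balance reads zero, exactly the "no excess value left Orchard" condition the Foundation reported. It fires on whoever tries to leave after the pool has been hollowed out, which is the honest depositor. A rule that could check `true_pool_value` directly is what an in-pool supply audit would have to provide; in this model that field exists only because the simulation is omniscient.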
Pattern: every project that hides supply has, sooner or later, shipped a flaw in the surface that hides it. Some flaws were caught by good operational security (Monero 2017). Some by chainwide visibility that the project happened to still have (Verge 2018, Bitcoin Private 2018). One, the 2018 Zcash Sprout counterfeiting bug, was patched in secret. The 2026 Orchard bug joins that history, with a wrinkle: it was found by an AI model, and the project is openly saying the in-pool exposure cannot be measured.
The 2026 Orchard event is not "privacy coins are dead." Monero will keep working as Monero does. Zcash's NU6.2 hard fork shipped on schedule. ZEC will trade. Shielded Labs' proposed in-pool audit upgrade may well restore the property the protocol lacks today.
What the event clarifies is which property Bitcoin holds that the rest of the field has been trading away. The integer-overflow incident of 15 August 2010, when a malformed transaction created 184,467,440,737.09551616 BTC across two outputs, was caught and reverted within five hours because every node could see the imbalance. Satoshi himself posted the patched binary to Bitcointalk that evening. The chain was forked clean by block 74,691. The bug existed; the response was possible because the ledger was readable.
Zcash's response to its 2026 bug was structurally different. Disclosure was private for six days. The fix was coordinated with miners and exchanges before it was public. The Foundation's "no exploitation observed" claim rests on the turnstile — a mechanism the project added precisely because the broader chain doesn't show what's happening inside the pool. None of that is malpractice. It is what privacy-by-default forces on you when a bug appears in your cryptographic foundation.
The receipts on tape — from 2016 forward — are not that privacy coins are bad. They are that this specific failure mode was always on the table, that the people building Bitcoin-first shows said so on the record, and that the trade-off finally cashed itself out.
- 320f182ecf0e4fbb8122e3d58ce5ecfa — WCN, 26 Oct 2016 — Zooko-era Zcash discussion (fungibility panel)
- a183f03b42824f1eb252cbf2cb3a2fe2 — Mad Bitcoins, 29 Oct 2016 — Mad Bits opening segment, "or it might just break or be broken"
- 50166a0c107449d29bd6456df15594b2 — TBG, 29 Oct 2016 — "Zcash Unleashed"
- ec0320a23d754938978f9f9b7980d92d — WCN, 4 Feb 2017 — "no one has any idea if it's actually working"
- 9a64841eb23f4f569fbd131440b31e4a — TBG, 2 Jun 2017 — Thomas Hunt monologue
- d7130627fda3489f8b6340b70fd41542 — WCN, 8 Oct 2017 — Monero secret-patch discussion
- af4a1e0107984536abbfbbcd29473bcd — WCN, 11 Jan 2018 — "fake anonymity"