Summary
- A significant vulnerability in Zcash's Orchard privacy pool was found that could have led to double-spending, but there was no exploitation.
- Developers implemented a two-phase emergency solution: initially halting Orchard transactions through a temporary soft fork, followed by a complete network upgrade to restore functionality.
- ZEC has increased by over 50% in the past month and seems unaffected by the announcement of the emergency fix.
The Zcash Foundation announced on Wednesday that it had secretly addressed a serious flaw in the cryptocurrency's core transaction framework, executing an unusual emergency network upgrade after a researcher identified a bug that could enable unauthorized spending.
The vulnerability was discovered on May 29 by independent security researcher Taylor Hornby and was located in the Orchard Action circuit, which forms the cryptographic basis of Zcash's leading privacy pool. Introduced in 2022, the Orchard pool is a crucial component of Zcash's privacy features, requiring no trusted setup and managing a large proportion of circulating ZEC tokens.
Hornby reported the issue to engineers at the Zcash Open Development Lab (ZODL) that same evening. Within hours, protocol developers validated the problem and initiated a well-planned, confidential response to mitigate potential exploitation prior to deploying a fix.
This coordinated effort unfolded over five days. Initially, developers executed an emergency soft fork—essentially a temporary rule modification—that completely suspended Orchard transactions while the patch was being finalized. Coordination with miners and exchanges commenced on the evening of May 31. The first attempt to activate the fix faced deployment issues, but a second attempt succeeded early Monday morning, freezing all Orchard transactions at block 3,363,426.
The definitive solution was implemented on Wednesday with a full network upgrade—termed NU6.2—that reinstated Orchard operations with a corrected circuit. This hard fork was necessary because rectifying a zero-knowledge proof system requires updating a cryptographic verifying key, which cannot be accomplished through standard software patches.
Officials stated that the overall supply of ZEC was never in jeopardy. Zcash's built-in "turnstile" mechanism, which monitors value across all transaction pools, confirmed that no unauthorized coins were generated. There is no evidence that the bug was exploited.
“Considering the limited time and the number of stakeholders involved (developers at ZODL and Zcash Foundation, miners, exchanges, and others), this was the most ambitious network upgrade in Zcash's history,” stated Josh Swihart, founder of ZODL, in a post on X.
Given the time available and the number of parties involved (the devs at @zodl_app and @ZcashFoundation, miners, exchanges, others), this was the most ambitious network upgrade in Zcash's history.
I’m particularly thankful to my team, including @feministPLT, @nuttycom, @str4d,… https://t.co/C9DePWVBT2
— Josh Swihart 🛡 (@jswihart) June 3, 2026
The Foundation urged all node operators to promptly upgrade to Zebra 5.0.0, the software that implements the new network rules.
After the upgrade, block explorers indicated that the network had not produced any blocks for several hours, leading to speculation about potential downtime. However, experts, along with the block explorers themselves, clarified that the network was functioning normally, with the explorers temporarily affected during their own node upgrades.
“Block explorers are merely readers. They extract data from a node, process it, and display it. If the node is updating or resyncing, the explorer may show outdated information,” explained block explorer CipherScan on X. “The blockchain continued to produce blocks throughout the entire period. Miners remained active, and transactions continued to confirm.”
The price of Zcash (ZEC) does not seem to have been influenced by the announcement of the emergency upgrade, as the privacy-focused cryptocurrency has continued its upward trend. Currently, ZEC has risen more than 10% in the last 24 hours, nearing a price of $629, marking a 30-day increase of over 53%.
Over the past year, ZEC has surged by 1,084%, reaching a recent high of almost $700 last fall—close to its peak in recent weeks. Nevertheless, ZEC is still significantly below its all-time high of $3,191 achieved in 2016.