# How AI Found Zcash's 4-Year-Old Counterfeiting Bug That Audits Missed

## TL;DR

On May 29, 2026, security researcher Taylor Hornby used Anthropic's Claude Opus 4.8, paired with a custom analysis tool, to find a critical soundness flaw in Zcash's Orchard zero-knowledge circuit. The bug was an under-constrained element in the Orchard proof system (in the `halo2_gadgets` code) that let mathematically invalid inputs pass an elliptic-curve check that should have rejected them. In practice, an attacker could have minted unlimited counterfeit ZEC inside the shielded pool, with no visible trace on the transparent chain to detect it.

The flaw had been live since Orchard activated in May 2022, roughly four years, across some of the most heavily reviewed cryptographic code in the industry. Hornby disclosed responsibly, an emergency fix shipped around June 1, and the public disclosure on June 4 sent ZEC down nearly 40% in 48 hours. Because of Orchard's privacy properties, there is no cryptographic way to know whether the bug was ever exploited.

This is the single clearest case study in crypto for why AI-native security is no longer optional. A frontier model caught a catastrophic, value-counterfeiting bug that four years of elite human cryptographic review did not. If it can happen to Orchard, some of the most scrutinized code in the industry, it can happen to your protocol, and the only thing that reliably closes that gap is specialized, AI-augmented, continuous security running against your code. Not as an upgrade. As a requirement. That is precisely what Cecuro is.

[Run a free audit with the #1 agentic smart contract auditor.](https://app.cecuro.ai/auth?mode=signup)

## What happened

Zcash's Orchard pool is the protocol's most advanced shielded payment system. It hides sender, receiver, and amount behind zero-knowledge proofs, so the chain can verify that a transaction is valid without learning anything about it. That privacy is the product.
It is also what makes a soundness bug catastrophic: if the verifier can be tricked into accepting an invalid proof, counterfeit value enters the pool invisibly. That is exactly what the flaw allowed.

The Orchard circuit contained an under-constrained element, a point in the cryptographic logic where an input that should have been forced to satisfy a strict mathematical relationship was not fully pinned down. A malicious prover could feed in values the circuit was supposed to reject, generate a "valid" proof for a false statement, and create new shielded ZEC out of thin air.

Working with Claude Opus 4.8 and a custom tool, Hornby did not just spot the anomaly. He wrote a complete, working exploit and ran it in a local test environment, where it generated unlimited, undetectable counterfeit ZEC. A frontier model was used to find a subtle soundness flaw in production cryptographic code, and then to weaponize it end to end. That second part is what makes this different from a static-analysis warning.

He disclosed responsibly to Zcash's coordinating development body rather than touching mainnet. An emergency fix landed around June 1. Shielded Labs went public on June 4, ZEC dropped roughly 38 to 42% over the next two days, and the team began proposing a network upgrade with new supply-integrity accounting, because the privacy of the pool means no one can prove the bug was never used.

## Anatomy of an under-constrained circuit

To see why this class of bug is so dangerous and so easy to miss, you have to understand what a zero-knowledge circuit actually does.

A circuit is a system of equations. The prover supplies the witness (its secret inputs plus every intermediate value the circuit computes over them) and produces a proof that all the equations hold. The verifier checks the proof. If the equations fully describe the intended computation, the only way to produce a valid proof is to have done the computation honestly.

The danger lives in the gap between *assigning* a value and *constraining* it.
In most circuit languages you can compute a witness value one way (assignment) and separately assert the equations the verifier enforces (constraints). If you assign a value but forget to constrain it, the prover is free to substitute anything. The verifier never checks. The same split exists in halo2, the stack Orchard uses: `assign_advice` writes a witness cell, and only the custom gates registered with `create_gate`, the lookups, and the copy constraints from `constrain_equal` are ever checked by the verifier.

Here is the canonical shape of the bug in Circom, a different proving stack from Zcash's halo2 but the identical failure mode. Consider an `IsZero` component that should output 1 if and only if its input is zero.

```circom
// ❌ UNDER-CONSTRAINED: assigned, never constrained
template IsZero() {
    signal input in;
    signal output out;
    signal inv;

    // `<--` ASSIGNS a witness value. It adds NO constraint to the proof.
    inv <-- in != 0 ? 1 / in : 0;

    // `out` is likewise only assigned. The verifier never checks that
    // `out` actually equals 1-iff-in-is-zero, so a malicious prover can
    // set `out` to whatever value serves the attack.
    out <-- in == 0 ? 1 : 0;
}
```

Everything looks correct. It computes the right answer for an honest prover. It passes functional tests, because tests run the honest path. But nothing in the circuit *forces* `out` to match `in`. A dishonest prover supplies their own `out`, and the verifier accepts it.

The fix is to pin every output with an equation the verifier actually enforces.

```circom
// ✅ CONSTRAINED: every signal bound by a checked equation
template IsZero() {
    signal input in;
    signal output out;
    signal inv;

    inv <-- in != 0 ? 1 / in : 0;

    // `<==` and `===` add CONSTRAINTS the proof must satisfy.
    out <== -in * inv + 1;   // out = 1 - in*inv
    in * out === 0;          // forces: if in != 0 then out = 0
}
```

Now the relationship is part of the proof system. There is no witness a prover can supply that satisfies these equations while lying about `out`: if `in` is nonzero the second equation forces `out = 0`, and if `in` is zero the first forces `out = 1`. Static linters such as circomspect warn on `<--` assignments for exactly this reason, but they only tell you where to look; whether the constraints you did write are complete is a question about the whole equation system, not about any one line.

Zcash's actual flaw was in an elliptic-curve point check rather than an `IsZero` gadget, but the essence was the same: a constraint that should have rejected invalid inputs was incomplete, so invalid inputs slipped through.
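To make the difference between the two gadgets concrete, here is an added example that is not part of the original post and is not code from Circom, halo2 or Zcash. It models both `IsZero` variants as the list of equations the verifier actually enforces, over a toy prime field (p = 31, an assumption chosen so that every possible witness can be enumerated; Circom's real field is the 254-bit BN254 scalar field), and then does the adversarial search the text describes: look for a witness that satisfies every enforced equation while lying about `out`. The function names are mine. It also shows that both gadgets pass an honest-path functional test, which is why tests alone never see the bug.

```python
"""Brute-force soundness check of the two Circom IsZero gadgets above.

Added example (not code from the original post, Circom, halo2 or Zcash).
The verifier only ever checks constraints; `<--` hints are not equations,
so the under-constrained gadget contributes an empty constraint list.
"""
from itertools import product

# Toy prime so the whole witness space (P**3 triples) can be enumerated.
# Assumption for illustration only; Circom's default field is ~2**254.
P = 31


def field_inverse(x):
    """Multiplicative inverse mod P via Fermat; 0 for x == 0 (as the hint does)."""
    x %= P
    return pow(x, P - 2, P) if x else 0


def intended_out(x):
    """The property the gadget is supposed to enforce: out == 1 iff in == 0."""
    return 1 if x % P == 0 else 0


# A gadget is the list of equations the verifier enforces, each a predicate
# over a witness dict {"in", "inv", "out"} that is true when it holds mod P.

def underconstrained_iszero():
    # Both `inv <-- ...` and `out <-- ...` are hints only: zero constraints.
    return []


def constrained_iszero():
    return [
        # out <== -in * inv + 1
        lambda w: (w["out"] - (-w["in"] * w["inv"] + 1)) % P == 0,
        # in * out === 0
        lambda w: (w["in"] * w["out"]) % P == 0,
    ]


def honest_witness(x):
    """What an honest prover computes by following the <-- hints."""
    x %= P
    return {"in": x, "inv": field_inverse(x), "out": intended_out(x)}


def satisfies(constraints, witness):
    """True when every enforced equation holds; this is all the verifier sees."""
    return all(check(witness) for check in constraints)


def cheating_witnesses(constraints):
    """Yield every witness that passes all constraints but violates the property."""
    for x, i, o in product(range(P), repeat=3):
        if o != intended_out(x):
            w = {"in": x, "inv": i, "out": o}
            if satisfies(constraints, w):
                yield w


def find_cheating_witness(constraints):
    """First cheating witness, or None if the gadget is sound over this field."""
    return next(cheating_witnesses(constraints), None)


def count_cheating_witnesses(constraints):
    return sum(1 for _ in cheating_witnesses(constraints))


def passes_honest_tests(constraints):
    """A functional test suite only runs the honest path; both gadgets pass it."""
    return all(satisfies(constraints, honest_witness(x)) for x in range(P))


if __name__ == "__main__":
    for name, gadget in (("under-constrained", underconstrained_iszero()),
                         ("constrained", constrained_iszero())):
        print(f"{name}: honest tests pass={passes_honest_tests(gadget)}, "
              f"cheating witnesses={count_cheating_witnesses(gadget)}, "
              f"example={find_cheating_witness(gadget)}")
    # The counterfeit-shaped lie: claim that a nonzero input is zero.
    forged = {"in": 7, "inv": 0, "out": 1}
    print("forged accepted by under-constrained:",
          satisfies(underconstrained_iszero(), forged))
    print("forged accepted by constrained:", satisfies(constrained_iszero(), forged))
```

Over this field the under-constrained gadget accepts every one of the 31 * 31 * 30 witnesses that lie about `out`, while the constrained gadget accepts none, and both pass the honest-path test. The search is exhaustive only because the field is tiny; on a real circuit the same question has to be answered by algebraic reasoning or a solver, which is exactly the work that does not scale to human attention across thousands of interacting constraints.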
## Why four years of review missed it

This was not careless code. Orchard's circuits are among the most scrutinized cryptographic artifacts in the entire industry, reviewed by specialist cryptographers, formally studied, and live across four years of production. So why did it survive?

Because zero-knowledge circuits defeat the way human review usually works. Most code review is pattern recognition: you have seen this shape of bug before, and you spot it again. Circuit soundness bugs are not patterns, they are gaps. The vulnerable line is not present; the *constraint* is absent. You are looking for the equation that should be there and is not, across thousands of interacting algebraic relationships, where a single missing term anywhere creates an exploitable hole. Human attention does not scale to exhaustively checking "is every signal fully constrained" over a circuit that large.

A frontier model approaches it differently. It can reason over the full constraint system at once, ask "what witness would satisfy these equations while violating the intended property," and then, critically, *write the code to prove the answer*. The exploit-generation step is what turns a suspicion into a confirmed, severity-rated finding. That is the capability that just became real, and it cuts both ways.

## This is the offensive-defensive crossover, in public

A week before this disclosure, Anthropic released the Mythos tier publicly, with Fable 5 on the API and Mythos 5, "the strongest cybersecurity model in the world," restricted to defenders. The Zcash case is the live demonstration of what those models do. A frontier model found a four-year-old soundness flaw in elite cryptographic code and produced a working counterfeiting exploit. This time a responsible researcher held the pen.

The capability does not care who holds it. The same reasoning that surfaced this bug for disclosure can surface the next one for an attack, and the cost of running that search keeps falling.
Security experts reacting to the disclosure warned that advanced AI is about to drive a wave of vulnerability discovery across crypto and traditional finance alike. The Zcash near-miss is the opening example, not the exception. Every protocol with meaningful value should assume its codebase is now within reach of automated, exploit-writing analysis.

Read the incident as a message addressed to your team. The most defended cryptographic system in crypto carried a fatal flaw for four years, and the thing that finally caught it was a frontier model run with intent. The question is no longer whether AI can find the bugs in your code. It can. The only question is whether the model that finds them is working for you or against you. If you are not running AI-native security on your protocol today, you are choosing to let the other side go first.

## What smart contract teams should take from a ZK bug

Orchard is a circuit, not a Solidity contract, but the lessons transfer directly.

**Soundness gaps hide in correctness.** The Orchard code was functionally correct. It did the right thing for honest inputs and passed its tests. The vulnerability was only visible when you asked what a *malicious* input could do. The same is true of reentrancy, oracle manipulation, ERC-4626 share inflation, and signature replay in smart contracts: the happy path looks fine, and the bug lives in the adversarial path that ordinary review does not exercise.

**Heavy review is not the same as adversarial review.** Four years of expert attention did not catch this. The differentiator was not more eyes, it was a method that systematically searched for a witness that breaks the invariant and then built the exploit. That is what specialized agentic auditing does for contracts: it reasons about the protocol as an adversary and validates findings against execution.
**AI-augmented detection is now table stakes.** The takeaway every analysis of this incident reached is the same: security budgets have to include AI tooling, run alongside everything else you already do. Not because human auditors failed, but because automated, exploit-writing analysis finds a different and dangerous class of issue, and it is now cheap enough that attackers will run it whether you do or not.

If you take one thing from the Zcash disclosure, take this: the era where AI security was a nice-to-have ended the moment a frontier model out-found four years of expert review on the hardest code in crypto. Every serious protocol now needs an agent on its side that does, continuously and against its own contracts, exactly what was done to Orchard once. The teams that internalize this early treat it as infrastructure. The teams that do not become the next disclosure.

## Where Cecuro fits

Cecuro is the agentic layer that brings this method to smart contracts. Our agents run for hours across an entire codebase, spawn specialized subagents per vulnerability class, reason about the protocol as a system rather than isolated functions, and validate every candidate finding with a proof-of-concept exploit before it reaches your report. A finding that survives execution is one you can act on, the same standard the Zcash researcher applied by hand.

That approach is why Cecuro ranks #1 on EVMBench, the public exploit benchmark from OpenAI, Paradigm, and OtterSec, built from real Code4rena vulnerabilities. It is detection depth measured against real exploits, not marketing.
| Dimension | Traditional audit | Generic AI scan | Cecuro |
|---|---|---|---|
| Adversarial soundness analysis | Manual, depends on reviewer | Shallow, pattern-based | Deep, agent-driven |
| Validates findings with proof-of-concept | Slow, manual | No | Yes, every finding |
| Speed | 2 to 6 weeks | Minutes, unreliable | Hours, reliable |
| Cost per audit | $30K to $1M+ | API cost only | Free audit trial, then per-audit |
| Coverage across chains and languages | Limited by availability | Broad, unspecialized | All chains and languages |
| Fit for continuous defense | One-time snapshot | Weak standalone | Strong continuous layer |

Running more than one detection method on high-value code is industry best practice for any serious protocol, regardless of which firms or tools a team already uses. It is about diverse perspectives catching different edge cases. Cecuro is built to be the leading agentic layer in that stack, running continuously between and after every other review.

## What to do this week

The Zcash disclosure is a gift: a high-severity, four-year-old, audit-surviving bug, caught and patched before anyone lost funds, with the whole method laid out in public. It is also a warning with your protocol's name on it. Treat it as a fire drill, and act this week.

**First, assume your codebase is now in scope for exploit-writing AI.** If a frontier model can do this to Orchard, it can run against your contracts. Plan for the offensive version of this capability, not just the defensive one.

**Second, add adversarial, AI-augmented detection to your pipeline.** Not as a replacement for your existing reviews, as another layer that specifically hunts for the witness that breaks your invariants. This is the layer Zcash did not have until a researcher brought it.

**Third, run Cecuro on your codebase now.** Connect a GitHub repository in under a minute and a full audit comes back in hours, with every finding validated against execution.
The audit trial is free to start, a fraction of a single review cycle and a tiny fraction of the cost of a counterfeiting bug nobody catches in time.

The Orchard flaw had a happy ending for one reason: a careful researcher reached it first, with a frontier model in hand. Your protocol will not always get that luck. The only way to guarantee the model that finds your bugs is working for you is to put one there yourself, today. That is the entire point of Cecuro, and it is why a four-year-old Zcash bug is the best argument we could ask for.

[Start a free Cecuro audit now.](https://app.cecuro.ai/auth?mode=signup)

## Sources

* CoinDesk, "Zcash plummets as Shielded Labs reveals a major bug that went undetected for four years," June 5, 2026
* Decrypt, "AI Is Helping Discover Tech Vulnerabilities, and Zcash Is Just the Latest Example," June 2026
* Unchained, "AI-Assisted Audit Uncovers Critical Zcash Orchard Vulnerability That Could Have Minted Unlimited Counterfeit ZEC," June 2026
* SC Media, "AI helps uncover critical four-year-old Zcash vulnerability," June 2026
* thirdweb blog, "AI Discovered a Critical Zcash Bug That Went Undetected for Four Years," June 2026
* CoinDesk, "AI exposed a massive flaw in a top crypto network, and experts warn banks could be next," June 5, 2026
* EVMBench, public exploit benchmark from OpenAI, Paradigm, and OtterSec