ZEC market capitalization fell by almost $3 billion over the past 24 hours following the disclosure of a critical vulnerability, despite it being patched already.<\/h5>\n\n\n\n![\"\"\/](\"https:\/\/s3-images.ctmedia.io\/media\/article-covers\/c-man-falling.jpg\")
<\/figure>\n\n\n\nThe price of ZEC fell on Thursday after further details were disclosed of a critical counterfeiting vulnerability in Zcash\u2019s Orchard pool that could theoretically allow a bad actor to mint an unlimited amount of ZEC.<\/p>\n\n\n\n
According to a post on X, security engineer Taylor Hornby, who was engaged by Shielded Labs, discovered<\/a> the bug on May 29 and disclosed it<\/a> to the Zcash Open Development Lab (ZODL), which deployed an emergency response to fix the vulnerability with a hard fork activated on June 3. <\/p>\n\n\n\nHowever, there are new concerns about the extent to which the vulnerability, which has existed since May 2022, has been used, leading Zcash<\/a> to fall more than 30% over the past 24 hours to $410 at the time of writing. Its market capitalization has shrunk by more than $3 billion.<\/p>\n\n\n\nHowever, BitMEX co-founder Arthur Hayes said<\/a> on Friday it is unlikely that ZEC has been illegally minted this way, though he acknowledged \u201cit cannot be formally cryptographically proved impossible.\u201d<\/p>\n\n\n\n\u201cSadly, due to the Orchard Pool exploit, I had to dump our entire ZEC bag,\u201d he said.<\/p>\n\n\n\n
\u201cThe Holy Trinity is dead,\u201d he added, referring to Zcash and the two other tokens he sold this week, Hyperliquid (HYPE) and Near Protocol (NEAR).<\/p>\n\n\n\n![\"\"\/](\"https:\/\/s3-images.ctmedia.io\/media\/content\/pasted-image-212.jpeg\")
ZEC crashes 30% in 24 hours after two months of solid gains. Source:<\/em>TradingView<\/em><\/a><\/figcaption><\/figure>\n\n\n\nClaude assists in bug discovery <\/h2>\n\n\n\n
Taylor used Claude Opus 4.8, which was released on May 28, a day before the discovery, to assist in a highly targeted review of the Orchard circuit, the cryptographic component underlying Zcash\u2019s Orchard shielded pool.<\/p>\n\n\n\n
The critical bug allowed false inputs into an elliptic curve multiplication check, which means the math that is supposed to cryptographically verify transactions could be fooled.<\/p>\n\n\n\n
Taylor built and tested a working exploit<\/a>, which generated unlimited counterfeit ZEC. <\/p>\n\n\n\n\u201cIf he had run the same tool on Zcash mainnet it would have generated unlimited, undetectable counterfeit ZEC in his mainnet Zcash wallet,\u201d the security researchers said<\/a> on Friday. <\/p>\n\n\n\nThe primary concern is that there is no cryptographic way to prove whether anyone had previously exploited it before it was patched, due to Orchard\u2019s privacy properties. <\/p>\n\n\n\n
However, Shielded Labs was \u201cnot overly concerned\u201d because the bug was subtle enough to evade years of expert review, and the discovery was a deliberate, highly skilled effort using cutting-edge tools and AI.<\/p>\n\n\n\n
The firm is working with Zcash<\/a> developers on a proposed network upgrade to allow anyone to verify the integrity of the ZEC supply and to prove the nonexistence of counterfeit tokens in the Orchard pool, they stated. <\/p>\n\n\n\nNot the first counterfeiting vulnerability for Zcash<\/h2>\n\n\n\n
Mert Mumtaz, co-founder and CEO of Solana tooling firm Helius, said<\/a> that almost all privacy protocols have a variant of this same vulnerability. <\/p>\n\n\n\n\u201cThis same FUD comes back every five months as new people learn how privacy pools work,\u201d he said. <\/p>\n\n\n\n
He explained that it is a theoretical risk in most zero-knowledge privacy protocols from circuit bugs that are hard to exploit or detect.<\/p>\n\n\n\n
<\/figure>\n\n\n\nThe price of ZEC fell on Thursday after further details were disclosed of a critical counterfeiting vulnerability in Zcash\u2019s Orchard pool that could theoretically allow a bad actor to mint an unlimited amount of ZEC.<\/p>\n\n\n\n
According to a post on X, security engineer Taylor Hornby, who was engaged by Shielded Labs, discovered<\/a> the bug on May 29 and disclosed it<\/a> to the Zcash Open Development Lab (ZODL), which deployed an emergency response to fix the vulnerability with a hard fork activated on June 3. <\/p>\n\n\n\n However, there are new concerns about the extent to which the vulnerability, which has existed since May 2022, has been used, leading Zcash<\/a> to fall more than 30% over the past 24 hours to $410 at the time of writing. Its market capitalization has shrunk by more than $3 billion.<\/p>\n\n\n\n However, BitMEX co-founder Arthur Hayes said<\/a> on Friday it is unlikely that ZEC has been illegally minted this way, though he acknowledged \u201cit cannot be formally cryptographically proved impossible.\u201d<\/p>\n\n\n\n \u201cSadly, due to the Orchard Pool exploit, I had to dump our entire ZEC bag,\u201d he said.<\/p>\n\n\n\n \u201cThe Holy Trinity is dead,\u201d he added, referring to Zcash and the two other tokens he sold this week, Hyperliquid (HYPE) and Near Protocol (NEAR).<\/p>\n\n\n\n Taylor used Claude Opus 4.8, which was released on May 28, a day before the discovery, to assist in a highly targeted review of the Orchard circuit, the cryptographic component underlying Zcash\u2019s Orchard shielded pool.<\/p>\n\n\n\n The critical bug allowed false inputs into an elliptic curve multiplication check, which means the math that is supposed to cryptographically verify transactions could be fooled.<\/p>\n\n\n\n Taylor built and tested a working exploit<\/a>, which generated unlimited counterfeit ZEC. <\/p>\n\n\n\n \u201cIf he had run the same tool on Zcash mainnet it would have generated unlimited, undetectable counterfeit ZEC in his mainnet Zcash wallet,\u201d the security researchers said<\/a> on Friday. <\/p>\n\n\n\n The primary concern is that there is no cryptographic way to prove whether anyone had previously exploited it before it was patched, due to Orchard\u2019s privacy properties. <\/p>\n\n\n\n However, Shielded Labs was \u201cnot overly concerned\u201d because the bug was subtle enough to evade years of expert review, and the discovery was a deliberate, highly skilled effort using cutting-edge tools and AI.<\/p>\n\n\n\n The firm is working with Zcash<\/a> developers on a proposed network upgrade to allow anyone to verify the integrity of the ZEC supply and to prove the nonexistence of counterfeit tokens in the Orchard pool, they stated. <\/p>\n\n\n\n Mert Mumtaz, co-founder and CEO of Solana tooling firm Helius, said<\/a> that almost all privacy protocols have a variant of this same vulnerability. <\/p>\n\n\n\n \u201cThis same FUD comes back every five months as new people learn how privacy pools work,\u201d he said. <\/p>\n\n\n\n He explained that it is a theoretical risk in most zero-knowledge privacy protocols from circuit bugs that are hard to exploit or detect.<\/p>\n\n\n\nClaude assists in bug discovery <\/h2>\n\n\n\n
Not the first counterfeiting vulnerability for Zcash<\/h2>\n\n\n\n