Zcash resolves critical vulnerability in the Orchard pool via coordinated soft and hard fork. Funds are safe, privacy intact. Find out what has changed.
A critical security vulnerability was found in Zcash’s Orchard pool last week, and the ecosystem responded with a coordinated network upgrade completed in the early hours of Wednesday, June 3rd.
No evidence of exploitation has been found. User funds remained safe throughout the entire process.
Below:
- What the flaw was and why it required an emergency fork, not a simple patch
- How miners and exchanges acted in coordination without needing to trust each other
- What ZODL users need to do now to resume normal operations
The vulnerability was discovered on Friday, May 29th, by Taylor Hornby, an independent researcher contracted by Shielded Labs for ongoing protocol audits.
Hornby reported the issue to the engineering team at ZODL (Zcash Open Development Lab) that same evening, initiating a response process that took less than five days.
What was at stake was serious: without a fix, the flaw could allow double-spending within the Orchard pool, compromising the protocol’s accounting integrity.
What the vulnerability was
A flaw in the zero-knowledge circuit
The bug was in the implementation of Orchard’s zero-knowledge proof circuit, specifically in the halo2_gadgets crate. The point multiplication loop on the elliptic curve (ecc::chip::mul) kept a constant base between iterations, but this base was never tied to the protocol’s actual base.
In practice, an attacker could replace the real base with an arbitrary value, causing the gadget to compute [a] base + [b] B' instead of [scalar] base. This opened the possibility of accepting invalid proofs as valid.
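The class of bug described above, as an added example (not code from halo2_gadgets or the Zcash project): a toy double-and-add table over the additive group of integers mod a small prime, checked with and without the constraint that ties the base column to the public base. The names `Row`, `witness`, `verify`, `bind_base` and the modulus are assumptions made for illustration.

```rust
// Toy model, constructed for illustration: the "curve" is the additive group
// of integers mod P, so [k]B is k*B mod P. This is not the halo2 circuit layout.
const P: u64 = 1_000_003;

/// One row of a double-and-add witness table (hypothetical layout).
#[derive(Clone, Copy)]
pub struct Row { pub acc: u64, pub bit: u64, pub base: u64 }

/// Fills the table for [scalar]base, most significant bit first.
pub fn witness(scalar: u64, base: u64, nbits: u32) -> Vec<Row> {
    let mut acc = 0u64;
    (0..nbits).rev().map(|i| {
        let bit = (scalar >> i) & 1;
        acc = (2 * acc + bit * base) % P;
        Row { acc, bit, base }
    }).collect()
}

/// Checks the table against the public inputs. `bind_base` toggles the
/// constraint that ties the base column to the public base.
pub fn verify(rows: &[Row], public_base: u64, scalar: u64, claimed: u64, bind_base: bool) -> bool {
    let (mut prev_acc, mut recomposed) = (0u64, 0u64);
    for (i, r) in rows.iter().enumerate() {
        if r.bit > 1 || r.base >= P { return false; }            // range checks
        if i > 0 && r.base != rows[i - 1].base { return false; } // base constant across rows
        if bind_base && r.base != public_base { return false; }  // base tied to public input
        if r.acc != (2 * prev_acc + r.bit * r.base) % P { return false; } // loop step
        prev_acc = r.acc;
        recomposed = 2 * recomposed + r.bit;
    }
    recomposed == scalar && prev_acc == claimed
}

fn main() {
    let (base, scalar) = (5, 13);
    let honest = witness(scalar, base, 4);
    let expected = honest[3].acc; // [13]5 = 65
    // A table that is internally consistent but built on a different base.
    let other = witness(scalar, 7, 4);
    let wrong = other[3].acc; // 91, which is not [13]5
    println!("honest, bound:   {}", verify(&honest, base, scalar, expected, true));
    println!("other,  unbound: {}", verify(&other, base, scalar, wrong, false));
    println!("other,  bound:   {}", verify(&other, base, scalar, wrong, true));
}
```

The row-to-row equality check alone only proves the base column is constant; the last case is the regression test that fails unless the column is also bound to the public input.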
Why a software patch wasn’t enough
Fixing a bug in a zero-knowledge proof circuit requires updating the circuit’s fixed verification key. This cannot be done via a node software update. It requires a consensus change — i.e., a hard fork.
But publishing the hard fork directly would expose the flaw details in the code before all network participants had updated. Anyone with access to the code would see exactly where the problem was.
How coordination worked without requiring trust
The role of the soft fork: buying time without revealing the flaw
The solution was a prior soft fork that temporarily disabled all Orchard transactions without exposing the technical reason. The soft fork was successfully activated at block 3,363,426, in the early hours of Tuesday, June 2nd.
Miners agreed to stop mining Orchard transactions for a few hours. Not because they blindly trusted ZODL, but because they inspected the code, understood the context, and concluded that temporarily halting Orchard protected their own businesses in the long run.
This is the central mechanism of decentralization: alignment of incentives, without requiring trust.
The hard fork with the full fix
With the soft fork active and the network stabilized, the actual fix was prepared and published. The NU6.2 hard fork activated in the early hours of Wednesday, June 3rd, at 00:10 EDT, at block 3,364,600.
The upgrade updated the Orchard circuit verification key, permanently closing the vulnerability. The patched versions are zcashd v6.20.0 and zebrad v5.0.0.
Impact and what users should do now
No funds were compromised
Zcash’s turnstile mechanism, which tracks the total ZEC balance in each pool (Sprout, Sapling, Orchard, transparent, and lockbox), confirmed that the total supply remained intact throughout the incident. Transactions in Sapling and the transparent layer continued operating normally.
Exchanges that custodied ZEC kept operations running during the rollout. No unauthorized value creation was detected.
Zodl v3.5.1: update now
The Zodl wallet released version 3.5.1 with support for the new consensus rules. The update is already available on the App Store (iOS) and GitHub (Android). The Google Play version is under review and should be released soon.
After the network upgrade, updated software is mandatory to spend Orchard funds under the new rules. Transactions attempted during the suspension window were not mined. Users with questions about the status of a transaction should check the TXID on a block explorer or contact @zodl_support.
If you experience a slow connection, go to Advanced Settings → Choose a Server and run a server test to select the best-performing one.