
Zcash (ZEC) activated an emergency hard fork on Wednesday to address a critical bug in its Orchard shielded transaction pool. The vulnerability stemmed from a soundness issue in the zero-knowledge proof circuit that validates private transactions. In theory, it could have permitted the creation of additional ZEC inside the pool, opening the door to undetected inflation or invalid state transitions accepted by the network.
On Wednesday, the Zcash Foundation said there is “no evidence of unauthorized value creation.” Because of the privacy design, however, confirming the absence of any hidden inflation remains difficult for outside observers. Independent researcher Taylor Hornby identified the problem on May 29th during a protocol audit conducted for Shielded Labs, according to CoinDesk.
Developers moved quickly via private coordination with miners and exchanges, and an emergency soft fork implemented in Zebra 4.5.3 temporarily disabled all actions on the affected shielded pool, known as Orchard. A hard fork then activated on Wednesday at block height 3,364,600, re-enabling shielded transactions with the fix in place.
This marks the second time Zcash has faced a bug with the potential to create new units of its currency in a difficult-to-verify manner, as an earlier flaw from 2018 theoretically allowed unlimited counterfeiting. The Zcash team kept knowledge tightly restricted and slipped a fix into an upgrade, as covered by Fortune around the time the bug was disclosed.
The latest incident has drawn sharp commentary on both the risks to the soundness of the Zcash cryptocurrency’s monetary system and the governance process associated with the response, which some view as centralized. Peter Todd, who has been a researcher in the blockchain space since the earliest days and was accused of being Bitcoin creator Satoshi Nakamoto in an HBO documentary last year, argued on X that privacy at the consensus level creates unique dangers. “Bitcoin has never had an inflation exploit that could destroy the value of the currency,” he wrote. “The privacy of Zcash makes inflation exploits far more dangerous.” He noted that roughly 30% of ZEC supply sits in the shielded pool and that any undetected inflation or forced freeze of those funds represents a major blow to holders, including himself. Todd, who was also involved in Zcash’s initial trusted setup ceremony, has used the episode to question the wisdom of attempting to bolt similar privacy features directly onto Bitcoin’s base layer.
Seth for Privacy, who is the COO of privacy-focused crypto wallet Cake Wallet, criticized the coordination itself as overly centralized. In an X post, he described ZODL, a for-profit entity backed by venture capital, as having “secretly coordinated an entire soft and hard fork of a network” while marketing the outcome. He said his team learned of the bug only from a public X post, had questions ignored for days, and received meaningful information only hours before the hard fork went live. Wallets and other ecosystem participants were forced into last-minute updates or faced broken functionality, he argued. “This is not the way decentralized networks should be run,” he wrote, calling the handling an “abuse of the insider access that ZODL has.”
ZODL founder Josh Swihart pushed back on this characterization and stated, “It doesn’t sound like you know how responsible disclosure works. I don’t have time to explain it to you.”
Of course, questions about centralization in the crypto industry extend well beyond Zcash. Critics have long pointed to stablecoins with single issuers and networks such as Coinbase’s Base that appear designed to capture value for traditional financial institutions rather than preserve the decentralized, cypherpunk principles many associate with Bitcoin’s original design. One stablecoin issuer recently suffered a hack that exploited a single point of vulnerability in the design of its on-chain smart contract. In April, entities linked to the Iranian regime saw $344 million of their USDT (the stablecoin issued by Tether) holdings frozen. On top of that, Circle, the issuer of USDC, raised $222 million specifically to develop its own blockchain infrastructure, a move that could make its stablecoin operations look increasingly like conventional financial rails.
Zcash itself has been one of crypto’s stronger performers in recent years, posting gains that at certain points exceeded 900% over the trailing twelve months amid renewed attention to privacy features. That said, much of that price action appears driven by traders rotating into the narrative rather than measurable growth in real-world use of Zcash by those in search of privacy. For use cases where privacy carries the highest stakes, such as ransomware payments and darknet market commerce, Monero remains the dominant choice. Analyses of new darknet marketplaces launched in 2024 found that nearly half used Monero exclusively, while Zcash appeared far less often.
Notably, NSA whistleblower Edward Snowden, who, like Todd, was also involved in Zcash’s initial trusted setup ceremony, has been a longtime public supporter of Zcash, describing it in a 2017 CoinDesk interview as the most interesting Bitcoin alternative. Human Rights Foundation Chief Strategy Officer Alex Gladstein, on the other hand, has continued to focus on bitcoin as the core tool for financial sovereignty and resistance to surveillance or censorship, citing its established properties as a store of value and the privacy improvements advancing on secondary protocol layers.
The episode leaves Zcash with a working shielded pool once again, but also with lingering questions about how thoroughly any future inflation could be ruled out and how much coordination power sits with a small set of entities. The latter of those two issues is a problem found in effectively all crypto projects that are still trying to find growth outside of an initial, niche user base.

