Overview
- On May 29, 2026, a security researcher discovered a soundness flaw in the Orchard shielded pool that could in theory allow undetectable creation of ZEC inside the private pool.
- Developers deployed an emergency soft fork on June 2 and a hard fork (NU6.2) on June 3 that patched the circuit and restored Orchard functionality across the network.
- Project teams report no on-chain evidence that the bug was exploited, but say that because Orchard’s zero-knowledge privacy hides transaction details, independent proof is impossible.
- Markets reacted sharply after public disclosure, with ZEC down roughly 30–40% from pre-disclosure levels and a newly created wallet withdrawing about 37,316 ZEC from Binance on June 5.
- The Zcash Open Development Lab and partners have proposed Ironwood, a planned late-July upgrade that uses turnstile cross-pool accounting to make supply verifiable while also prompting debate over the emergency fix’s narrow coordination.