Zcash bug could have allowed attackers to print cryptocurrencies out of thin air



Zcash (ZEC) activated an emergency hard fork on Wednesday to fix a critical bug in its Orchard shielded transaction pool. The vulnerability arose from a robustness issue in the zero-knowledge proof circuit that validates private transactions. In theory, it could have allowed the creation of additional ZEC within the pool, opening the door to undetected inflation or invalid state transitions accepted by the network.

On Wednesday, the Zcash Foundation said there is “no evidence of unauthorized value creation.” However, due to the privacy design, confirming the absence of hidden inflation remains difficult for outside observers. Independent researcher Taylor Hornby identified the issue on May 29 during a protocol audit conducted for Shielded Labs, according to CoinDesk.

Developers acted quickly through private coordination with miners and exchanges, and an emergency soft fork implemented in Zebra 4.5.3 temporarily disabled all actions in the affected shielded pool, known as Orchard. A hard fork was then activated on Wednesday at block height 3,364,600, re-enabling shielded transactions with the fix in place.

This is the second time Zcash has faced a bug with the potential to create new units of its currency in a way that is difficult to verify, as a previous bug from 2018 theoretically allowed for unlimited counterfeiting. The Zcash team kept the knowledge strictly restricted and introduced a fix in an update, as covered by Fortune around the time the bug was revealed.

The latest incident has generated strong commentary both about the risks to the soundness of the Zcash monetary system and about the governance process behind the response, which some consider centralized. Peter Todd, who has been a researcher in the blockchain space since the early days and was accused of being Bitcoin creator Satoshi Nakamoto in an HBO documentary last year, argued on X that privacy at the consensus level creates unique dangers. “Bitcoin has never had an inflationary exploit that could destroy the value of the currency,” he wrote. “Zcash’s privacy makes inflationary exploits much more dangerous.” He noted that approximately 30% of ZEC’s supply is in the shielded pool and that any undetected inflation or forced freeze of those funds represents a severe blow to holders, including himself. Todd, who also participated in Zcash’s initial trusted setup ceremony, used the episode to question the wisdom of trying to build similar privacy features directly into Bitcoin’s base layer.

Seth for Privacy, COO of privacy-focused cryptocurrency Cake Wallet, criticized the coordination itself as too centralized. In a post, he described ZODL, a for-profit entity backed by venture capital, as having “secretly coordinated an entire soft and hard fork of a network” while marketing the result. He said his team learned about the bug only through a public post. Wallets and other ecosystem participants were forced to make last-minute updates or faced broken functionality, he argued. “This is not the way decentralized networks should be managed,” he wrote, calling the handling an “abuse of the internal access that ZODL has.”

ZODL founder Josh Swihart rejected this characterization and responded: “You don’t seem to know how responsible disclosure works. I don’t have time to explain it to you.”

Of course, questions about centralization in the crypto industry extend far beyond Zcash. Critics have long pointed to stablecoins with single issuers and networks like Coinbase’s Base that appear designed to capture value for traditional financial institutions rather than preserving the decentralized and cypherpunk principles that many associate with Bitcoin’s original design. A stablecoin issuer recently suffered an attack that exploited a single point of vulnerability in the design of its on-chain smart contract. In April, entities linked to the Iranian regime saw $344 million of their holdings of USDT (the stablecoin issued by Tether) frozen. On top of that, Circle, the issuer of USDC, raised $222 million specifically to develop its own blockchain infrastructure, a move that could make its stablecoin operations look more and more like conventional financial rails.

Zcash itself has been one of the best-performing cryptos in recent years, with the cryptocurrency posting gains, at points, exceeding 900% over the past twelve months amid renewed attention to privacy features. That said, much of that price action seems driven by traders pivoting toward narrative rather than measurable growth in real-world Zcash usage for those seeking privacy. For use cases where privacy carries higher risks, such as ransomware payments and darknet marketplace trading, Monero remains the dominant choice. Analysis of new darknet markets launched in 2024 found that almost half used Monero exclusively, while Zcash appeared much less frequently.

In particular, NSA whistleblower Edward Snowden, who, like Todd, also participated in Zcash’s initial trusted setup ceremony, has been a long-standing public supporter of Zcash, describing it in a 2017 CoinDesk interview as the most interesting Bitcoin alternative. The strategy director of the Human Rights Foundation, Alex Gladstein, on the other hand, has continued to focus on bitcoin as the central tool for financial sovereignty and resistance to surveillance or censorship, citing its established store-of-value properties and the privacy enhancements advancing on secondary layers of the protocol.

The episode leaves Zcash with a shielded pool up and running once again, but also with lingering questions about the extent to which any future inflation could be ruled out and how much coordinating power a small set of entities has. The latter is a problem found in effectively all crypto projects that are still trying to find growth outside of an initial niche user base.


