Zcash patches critical double-spending flaw in Orchard privacy pool

In brief

  • Zcash Foundation disclosed critical flaw in Orchard Action circuit enabling potential double-spending attacks.
  • Emergency soft fork halted Orchard transactions; permanent fix deployed via NU6.2 upgrade Wednesday.
  • No exploitation detected; turnstile mechanism confirmed zero unauthorized coin creation.
  • ZEC surged 10% in 24 hours to $629, with 53% gain over 30 days.

The vulnerability and emergency response

The Orchard pool, introduced in 2022, is considered the crown jewel of Zcash's privacy architecture. Hornby disclosed the flaw to Zcash Open Development Lab (ZODL) engineers the same evening he found it. Developers then issued an emergency soft fork—essentially a temporary rule change—that shut down Orchard transactions while a permanent patch was being finalized.

Private coordination with miners and exchanges began the evening of May 31. A second activation attempt succeeded early Monday morning, halting all Orchard activity at block 3,363,426.

Network upgrade and restoration

The permanent fix arrived Wednesday, when a full network upgrade dubbed NU6.2 restored Orchard functionality using a corrected circuit. Josh Swihart, ZODL founder, described the upgrade as the most ambitious in Zcash's history given the time constraints and coordination required across developers, miners, exchanges, and other parties.

The Zcash Foundation urged all node operators to upgrade immediately to Zebra 5.0.0. Following the upgrade, block explorers appeared to show the network hadn't produced blocks for hours—a display error. Experts and the block explorers themselves confirmed the network was running normally; explorers were temporarily impacted as they upgraded their own nodes.

Integrity confirmed, price unaffected

Officials said the total supply of ZEC was never at risk. Zcash's built-in "turnstile" mechanism, which tracks value across all transaction pools, confirmed no unauthorized coins were created. There is no evidence the bug was ever exploited.
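The accounting idea behind the turnstile, as an added example that is not code from Zebra or any other Zcash node: a ledger keeps a running balance per shielded pool and rejects any block that would drive a balance below zero. The class and function names, the block layout and all amounts are assumptions constructed for illustration.

```python
"""Simplified model of turnstile accounting; added illustration, constructed data."""
from dataclasses import dataclass, field

SHIELDED_POOLS = ("sprout", "sapling", "orchard")

class TurnstileViolation(Exception):
    """Raised when a block would withdraw more from a pool than was deposited."""

@dataclass
class TurnstileLedger:
    # Running net value (in zatoshi) held by each shielded pool.
    balances: dict = field(default_factory=lambda: {p: 0 for p in SHIELDED_POOLS})

    def apply_block(self, height, deltas):
        """deltas: list of (pool, amount); amount > 0 enters the pool, < 0 leaves it."""
        proposed = dict(self.balances)
        for pool, amount in deltas:
            if pool not in proposed:
                raise ValueError(f"unknown pool {pool!r}")
            proposed[pool] += amount
        # Check after netting the whole block, then commit all pools at once.
        for pool, balance in proposed.items():
            if balance < 0:
                raise TurnstileViolation(
                    f"block {height}: {pool} balance would be {balance} zatoshi")
        self.balances = proposed
        return proposed

def audit(blocks):
    """Replay blocks; return (last valid balances, first violation message or None)."""
    ledger = TurnstileLedger()
    for height, deltas in blocks:
        try:
            ledger.apply_block(height, deltas)
        except TurnstileViolation as exc:
            return ledger.balances, str(exc)
    return ledger.balances, None

# Constructed sample chain (heights and amounts are made up).
HONEST = [(1, [("orchard", 500)]), (2, [("orchard", -300), ("sapling", 300)])]
# Block 3 tries to withdraw 300 although only 200 remains in the pool.
OVERDRAWN = HONEST + [(3, [("orchard", -300)])]

if __name__ == "__main__":
    print(audit(HONEST))
    print(audit(OVERDRAWN))
```

A check of this kind fires only when value leaves a pool, so it bounds what can exit a pool rather than inspecting the notes inside it.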

The price of Zcash didn't appear to have been impacted at all by the disclosure of the emergency upgrade. ZEC climbed more than 10% over the last 24 hours to a recent price near $629, pushing its 30-day rise above 53%. ZEC is now up 1,084% over the last year, though it remains well off its all-time peak of $3,191 set in 2016.