Zcash sold one thing: privacy. From governments, from big tech, from AI. They handed its most advanced circuit to an AI, and it broke on the model's first day in public.
It didn't take four years. It didn't take four weeks.
It took hours.
On May 28, 2026, Anthropic shipped Claude Opus 4.8. On May 29, Taylor Hornby — former Senior Security Engineer at Electric Coin Company, former Zcash Foundation board member, contracted by Shielded Labs in April — fed the Orchard circuit to the freshly released model, wired to an auditing harness he built himself. That same night he had a critical soundness bug and a working exploit.
The coin armored against AI. Broken by AI, in 24 hours.
What Orchard Was
Orchard was the crown jewel. Zcash's shielded pool, activated with NU5 on mainnet on May 31, 2022, built on Halo 2 — the first Zcash proving system that required no trusted setup. That was the entire point. No ceremony. No toxic waste. No having to trust that a group of strangers destroyed a secret. The cryptography alone guaranteed that nobody could counterfeit.
Soundness: the property that a verifier accepts only proofs of true statements. Break it, and an adversary can produce a proof that looks valid for a false statement. In a currency, that means spending or minting money that does not exist.
Four years in production. The NU5 audits by QEDIT and NCC. The OrchardZSA audit by Least Authority in January 2025, which found, verbatim, "no issues in the changes made to the Halo2 gadgets and circuits."
The bug had been there since the first block.
Anatomy of the Wrong Function
The flaw lives in halo2_gadgets::ecc::chip::mul, the variable-base scalar-multiplication gadget. The clinical description, from the GHSA-jfw5-j458-pfv6 advisory:
The incomplete double-and-add loop wrote each iteration's base coordinates with assign_advice instead of the mandatory copy_advice. The difference looks cosmetic. It isn't. copy_advice anchors the value to the real base through a chain of equality constraints. assign_advice merely writes it. The chain never reached the true base.
A malicious prover could run the loop against a free constant B' not equal to the base, making the gadget compute [a]base + [b]B' instead of [scalar]base. False elliptic-curve multiplication. That passed verification.
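To make the "assign versus copy" distinction concrete, here is an added toy model (written for this page, not halo2 or Orchard code) of an incomplete double-and-add loop. The group is the additive integers modulo a constructed prime N, standing in for the Pallas curve so that "[k]B" is just k*B mod N; the row layout, the `Witness` type and the two verifiers are invented for illustration. The gate check is all a verifier can enforce when each row's base cell is merely assigned; the copy check is the equality-constraint chain that `copy_advice` would have added. A forged witness that reads a different base B' in one iteration passes the gate-only verifier while provably computing [a]base + [b]B' rather than [scalar]base.

```rust
// Toy model of an under-constrained double-and-add loop (added example, not halo2 code).
// Group: additive integers mod N, standing in for the elliptic curve; "[k]B" = k*B mod N.
const N: u64 = 1_000_003; // constructed prime modulus, not a Zcash parameter

#[derive(Clone, Debug)]
struct Row {
    bit: u64,     // scalar bit consumed in this iteration
    base: u64,    // the base cell this row uses (an advice cell in the toy)
    acc_in: u64,  // accumulator entering the row
    acc_out: u64, // accumulator leaving the row
}

#[derive(Clone, Debug)]
struct Witness {
    rows: Vec<Row>,
    result: u64, // the value the prover claims equals [scalar]base
}

fn modmul(a: u64, b: u64) -> u64 { (a * b) % N } // inputs < N, so no u64 overflow
fn modadd(a: u64, b: u64) -> u64 { (a + b) % N }

/// Honest prover: walks the scalar MSB-first and uses the same base in every row.
fn honest_witness(scalar: u64, base: u64, bits: u32) -> Witness {
    let mut rows = Vec::new();
    let mut acc = 0;
    for i in (0..bits).rev() {
        let bit = (scalar >> i) & 1;
        let acc_out = modadd(modmul(2, acc), modmul(bit, base));
        rows.push(Row { bit, base, acc_in: acc, acc_out });
        acc = acc_out;
    }
    Witness { rows, result: acc }
}

/// Malicious prover: identical rows, except that one iteration reads a different base B'.
/// This mirrors a base cell written with assign_advice: nothing ties it to the real base.
fn forged_witness(scalar: u64, base: u64, b_prime: u64, bits: u32, swap_row: usize) -> Witness {
    let mut w = honest_witness(scalar, base, bits);
    let mut acc = 0;
    for (i, row) in w.rows.iter_mut().enumerate() {
        if i == swap_row {
            row.base = b_prime;
        }
        row.acc_in = acc;
        row.acc_out = modadd(modmul(2, acc), modmul(row.bit, row.base));
        acc = row.acc_out;
    }
    w.result = acc;
    w
}

/// Per-row gate: bit is boolean, accumulators chain, acc_out = 2*acc_in + bit*base.
/// Every row's base is self-declared here; the gate cannot see that it should match a public value.
fn gate_constraints_hold(w: &Witness) -> bool {
    let mut prev = 0;
    for row in &w.rows {
        if row.bit > 1 || row.acc_in != prev {
            return false;
        }
        if row.acc_out != modadd(modmul(2, row.acc_in), modmul(row.bit, row.base)) {
            return false;
        }
        prev = row.acc_out;
    }
    w.result == prev
}

/// Equality (copy) constraints: every row's base cell must equal the public base.
/// This is the chain copy_advice anchors and assign_advice leaves out.
fn copy_constraints_hold(w: &Witness, public_base: u64) -> bool {
    w.rows.iter().all(|r| r.base == public_base)
}

/// Verifier with gate constraints only (the under-constrained version).
fn verify_unsound(w: &Witness, _public_base: u64) -> bool {
    gate_constraints_hold(w)
}

/// Verifier with gate constraints plus the copy chain (the sound version).
fn verify_sound(w: &Witness, public_base: u64) -> bool {
    gate_constraints_hold(w) && copy_constraints_hold(w, public_base)
}

fn main() {
    // Constructed values: scalar 0b1011 = 11, base 17, rogue base B' = 99, MSB row swapped.
    let (scalar, base, b_prime) = (0b1011, 17, 99);
    let honest = honest_witness(scalar, base, 4);
    let forged = forged_witness(scalar, base, b_prime, 4, 0);
    println!("honest result {} == [11]17 = {}", honest.result, modmul(scalar, base));
    println!("forged result {} = [3]17 + [8]99 = {}", forged.result,
        modadd(modmul(3, base), modmul(8, b_prime)));
    println!("gate-only verifier accepts forgery: {}", verify_unsound(&forged, base));
    println!("copy-constrained verifier accepts forgery: {}", verify_sound(&forged, base));
}
```

With the MSB iteration rewired to B', the forged accumulator ends at [3]base + [8]B' (the scalar's bits split between the two bases exactly as the advisory's [a]base + [b]B' describes), and the gate-only verifier accepts it because every row is locally consistent; only the equality chain back to the public base exposes the substitution. The lesson for reviewers of any circuit is the same: a gadget's inputs need a constraint that reaches the cell the statement is actually about, not merely a cell that holds a plausible value.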
Hornby didn't just find the bug. With Opus 4.8 he wrote a complete exploit that generated counterfeit ZEC — unlimited and undetectable — in a local regtest environment. Feasibility proven.
The two official accounts differ on scope. Shielded Labs and Zooko call it "unlimited counterfeit ZEC within Orchard." The Zebra advisory is more precise: "double-spending of funds within Orchard, though with no ability to inflate the total ZEC supply." The cross-pool turnstile bounds total supply. Counterfeiting inside Orchard: possible and invisible. Inflating the global supply: blocked.
Fixing it allowed no soft patch — a ZK circuit has its verifying key pinned. The fix was a hard fork. The soft fork Zebra 4.5.3 disabled Orchard at block 3,363,426, ~02:00 UTC on June 2. NU6.2 (Zebra 5.0.0) re-enabled it with the corrected circuit at block 3,364,600, 00:05 EDT on June 3.
The Pattern
This is the sixth point on a curve that has been climbing for eighteen months. The sharpest.
Google Big Sleep found the first AI-discovered memory-safety 0-day in widely used software — SQLite, October 2024 — after 150 CPU-hours of fuzzing had failed. Sean Heelan used o3, the raw API with no scaffolding, to find a remote use-after-free in the Linux kernel. Claude Opus 4.6 found 22 vulnerabilities in Firefox in two weeks for about $4,000 of API spend. Anthropic's Mythos Preview wrote exploits for a 27-year-old OpenBSD bug and was deemed too dangerous for general release.
Every one of those was memory-safety or concurrency in conventional imperative code. Terrain where models pattern-match against well-trodden bug classes.
Orchard is something else. A soundness break in a zero-knowledge arithmetic circuit. A domain that demands formal reasoning about constraint systems. The kind of bug that survived rounds of review by elite cryptographers precisely because it is invisible. Aztec's Joe Andrews said it: under-constrained elliptic-curve checks are among the most common weaknesses in production ZK circuits. AI is industrializing their discovery.
How many circuits in production assume soundness because three audit firms signed the paper?
This is not the closing move. It is the opening one.
The Irony
The edge that cannot be sanded down.
Orchard was privacy-preserving by design. The same math that hides your legitimate transactions hides the counterfeiter's. Which is why it is impossible to prove whether the bug was exploited in the 2022–2026 window. There is no evidence of unauthorized value creation. There is no cryptographic proof of non-exploitation either. Udi Wertheimer summed it up: "Zcash enables a unique class of bugs where if they're exploited, no one would know."
The postmortem doesn't end in a root cause. It ends in a permanent epistemic hole. The network can patch the bug. It can never close the question.
Arthur Hayes, CIO of Maelstrom, understood it before the market did and sold his entire position. Not because he believed minting had happened — he admitted it was "extremely unlikely." But because you can't prove the opposite: "it cannot be formally cryptographically proved impossible – The privacy from AI, govt, big tech narrative demands perfection." The whole narrative — privacy from AI — demanded perfection. It lasted until an AI looked at the code. He declared his "Holy Trinity" thesis dead. ZachXBT accused him on the spot of using his followers as exit liquidity: "How much exit liquidity was created from your followers over the past couple days?" Hayes's defense: "I sold to a willing seller at a price."
The bug didn't have to be exploited to do damage. It only had to be irrefutable.
The remedy Shielded Labs proposes — the Ironwood pool, with formal verification and AI-assisted review to finally prove no counterfeit ZEC exists — leans on exactly what just failed. The cure for an AI-found bug includes more AI.
The Market and the Vacuum
ZEC was coming off a privacy-coin rally, six-month highs near $680 in late May. After disclosure: June 3 close at $623.99, June 5 close at $389.86, with an intraday low near $309. Down about 38% in 24 hours, roughly 50% peak-to-trough over 48 hours per BitMEX. June 5 volume: ~68% above the 30-day average, more than $2.9 billion. A cascade of forced liquidations. Longs dominated — ~$70.55M against ~$11.36M of shorts. One whale lost ~$70M in a day. Some $2.4 billion in market cap evaporated.
The disclosure landed on a leadership vacuum. In January 2026, the entire Electric Coin Company team resigned in a governance fight with the Bootstrap board. CEO Josh Swihart called it "constructive discharge." By June, Zcash had no unified maintainer. The fix was scrambled together among ZODL engineers — Jack Grigg, Daira-Emma Hopwood, Kris Nuttycombe — and the Zcash Foundation. There was almost nobody home when the most consequential bug in its history surfaced.
By June 9, ZEC had rebounded ~80% off the low, toward $470–$480, helped by Ironwood and the absence of exploitation evidence. The market recovered the price. Not the certainty.
Attribution
Perpetrator: one wrong function. assign_advice where copy_advice belonged. There was no named attacker — there was a gadget that lied and a verifier that believed it for four years.
Accomplices: the audit firms that walked past it — QEDIT, NCC, and Least Authority, which in 2025 explicitly wrote "no issues in the changes made to the Halo2 gadgets." And the no-trusted-setup ideology that promised this class of risk was eliminated. Halo 2 removed the ceremony so you wouldn't have to trust anyone. Soundness broke anyway.
Systemic failure: a project that let its entire engineering team walk out in a boardroom fight months before the most advanced AI auditor in history pointed itself at their circuit. An industry that confuses "audited" with "secure" and "no trusted setup" with "unbreakable."
Days later, Hornby announced he was adding Monero to his queue: "Absolutely! I'll add Monero to my queue of things to audit." XMR fell ~10%. A privacy coin lost a tenth of its value on the mere announcement that an AI auditor had it on the list.
The weapon sells by subscription. And the next target already moved an entire market before a single exploit exists — only because the auditor said its name.
The AI didn't find the bug in four years. It found it on its first day, awake for a few hours.
Which circuit is next? And the one who points it next time — will they open a GitHub issue, or just start minting?