Zcash Privacy Pool Vulnerability Surfaced With AI Assistance, Token Falls 38%
A security researcher using Anthropic's Claude Opus 4.8 uncovered a critical flaw in Zcash's Orchard privacy pool within days, exposing a vulnerability that had survived four years of review by leading zero-knowledge cryptographers and sending ZEC down roughly 38% on Thursday. Taylor Hornby, a security researcher hired by Shielded Labs, discovered the flaw in May with assistance from Claude Opus 4.8. Hidden in two lines of code, the bug stemmed from a check that appeared to validate transaction inputs but was not enforcing the intended rules, potentially allowing an attacker to create counterfeit ZEC inside the shielded pool without detection. Hornby built a working exploit to verify the vulnerability before reporting it to developers, and an emergency fix was deployed on June 1.
The incident has drawn attention to the broader implications of frontier AI models for crypto security. "The significance isn't really that AI can find bugs," Ben Goertzel, founder and CEO of SingularityNET, told Decrypt. "It's that the kind of bug it can now find has changed." Goertzel said the Orchard flaw belongs to a class of subtle logic bugs that frontier AI models are increasingly capable of identifying, including smart-contract errors, access-control failures, and situations where software behaves differently than its designers intended. He described the discovery as "an early marker of a shift that's going to be hard to overstate," adding that "the model of security research as a handful of revered human specialists doing slow, artisanal, deeply-expert audits doesn't go away, but it stops being the whole game."
Researchers are increasingly turning to systems such as Anthropic's Claude Mythos and Claude Opus 4.8 and OpenAI's GPT-5.5 to identify software vulnerabilities, raising questions about what happens when those capabilities become widely available. As those tools improve, security research is shifting toward a model in which human specialists oversee continuous AI-driven review capable of analyzing codebases far more extensively than traditional audits, according to Goertzel. The Zcash response itself may offer an early preview of how the industry adapts to the new landscape.