The Zcash Orchard bug — and why view-key payment monitoring keeps working

Published 2026-06-05 · by the Seneschal operator · ~5 min read

TL;DR. On 2026-06-05 Zcash disclosed and emergency-fixed a critical soundness bug in the Orchard shielded pool that could, in principle, have minted counterfeit ZEC. It was a supply bug, not a privacy bug: nobody’s view key leaked and shielded transactions stayed private. If you run a node, upgrade to Zebra 5.0.0 (NU6.2). If you accept ZEC and watch payments with a read-only view key — the way Seneschal Private Watch does — your detection pipeline is unaffected; keep waiting for confirmations and you’re fine.

What actually happened

Zcash’s newest shielded pool, Orchard, proves transaction validity with a zero-knowledge circuit (Halo 2). On 29 May 2026, security researcher Taylor Hornby — working on an audit for Shielded Labs, and notably with the help of an AI model — found that the verifier would accept Orchard proofs of a non-canonical size. That gap (tracked as advisory GHSA-jfw5-j458-pfv6) was enough to forge a valid-looking proof and, in a local test, generate unlimited, undetectable counterfeit ZEC inside the pool. The flaw had been latent since Orchard activated in 2022.

The response was a rare two-step emergency upgrade:

Zebra 4.5.3 — an emergency soft fork that temporarily disabled all Orchard actions (mainnet block 3,363,426, 2 June).
Zebra 5.0.0 / NU6.2 — a hard fork that re-enabled Orchard with the corrected circuit and a new pinned verifying key (mainnet block 3,364,600, 3 June). A hard fork was unavoidable because fixing a circuit means changing the verifying key.

The Zcash Foundation reported no evidence of exploitation and no impact on user privacy, though it’s candid that — by the very nature of a shielded pool — counterfeiting can’t be cryptographically ruled out after the fact. Sources: Zcash Foundation, Cointelegraph, The Block.

If you run a Zcash node: upgrade and verify

Make sure you’re on the fixed software and following the post-fork chain — otherwise you’re stranded on a dead pre-NU6.2 fork:

Run Zebra 5.0.0+ (or a zcashd/wallet build that activates NU6.2).
Confirm NU6.2 shows active at height 3,364,600 and your tip matches a public explorer. With Zebra: getblockchaininfo → upgrades → NU6.2: active.

Our own nodes. Seneschal’s Zcash node was upgraded to Zebra 5.0.0 around the activation and is following the canonical chain (NU6.2 active, tip in sync), so Private Watch’s Zcash detection has been running against the corrected network throughout.

Why view-key payment monitoring is unaffected

This is the part that matters if you accept privacy-coin payments. Private Watch detects incoming payments using your read-only view key (a Zcash Unified Full Viewing Key, or a Monero secret view key). Two reasons the Orchard bug doesn’t touch that:

It was a proof-soundness bug, not a view-key bug. The flaw was about whether the network would accept a forged proof (a consensus/supply question). It is completely independent of whether a view key can see a payment — which it always can. No view keys were exposed, and detection logic doesn’t change.
Coin integrity is a network job, and it’s now fixed. Whether the ZEC you received is “real” is enforced by consensus, which NU6.2 has corrected. Your job as a receiver is to wait for confirmations before treating a payment as final — which Private Watch already does (configurable confirmation depth) before it ever fires a webhook or credits a balance.

In other words: the mechanism Private Watch sells — “hold a read-only key, get a signed webhook when money lands, never touch a spend key” — sat behind the same confirmation discipline that protects you here. Nothing about it needed to change.

The bigger pattern — and Monero

The Orchard bug belongs to a recurring privacy-coin failure mode: a verifier accepting a non-canonical encoding. Monero uses different cryptography (RingCT: CLSAG ring signatures + Bulletproofs+ range proofs, not Halo 2), so this exact bug can’t exist there — but the class absolutely has precedent:

The 2017 CryptoNote key-image bug, where low-order (non-canonical) curve points were accepted, enabling undetectable infinite-coin double-spends. Monero patched it before exploitation; another CryptoNote coin was not so lucky.
Quarkslab’s Bulletproofs audit, which flagged missing input checks (non-reduced scalars, off-curve points) and deserialization size-validation issues.

The lesson for anyone receiving privacy-coin payments is the same regardless of chain: run patched nodes, and don’t consider a payment final until it has the confirmations you require.

How Seneschal Private Watch fits

Private Watch is a payment-webhook service for Monero and Zcash. You give us a receiving address and its read-only view key; we watch the chain on our own full nodes and POST you a signed (HMAC-SHA256) webhook when a payment lands and clears your confirmation threshold. No spend key ever leaves your hands, and you don’t have to run a node.

Try it / read the spec: api.seneschal.space/v1/private/info
No-code control panel: panel.seneschal.space — create watches, top up, run a one-off historical scan.
Pay as you go in USDC on Base (x402) — or top up credit directly in Monero / Zcash.