Just one day after Anthropic released Opus 4.8, Hornby used the model to review Zcash’s Orchard privacy pool and uncovered a critical flaw. The bug, present since Orchard launched in May 2022, could have allowed an attacker to create unlimited counterfeit ZEC that would appear completely legitimate and remain undetectable.

Hornby developed a working proof-of-concept exploit in a test environment and immediately reported the issue to ZODL engineers, who deployed an emergency fix on June 1, 2026.

The researchers disclosed the flaw to ZODL, Zcash’s coordinating development body. ZODL addressed the flaw on June 1 with the release of an emergency fix. ZEC dropped 43% on the news, wicking as low as $250.

The uncomfortable part isn’t the bug itself. It’s that nobody can know whether someone else found it first.

“Because Orchard is a privacy pool, there is no way to cryptographically determine whether this vulnerability was exploited between May 2022 and June 2026.” reports Yahoo Finance. “The privacy properties that make Orchard valuable are the same properties that make exploitation undetectable.”

The Zcash team says prior exploitation is unlikely because the bug evaded years of expert review and required cutting-edge AI tools to discover. That is a reasonable argument, but it should not be taken as proof.

The proposed fix is a network upgrade called “turnstile accounting.” Shielded Labs wants to deploy a new shielded pool and force every existing Orchard coin through a verifiable checkpoint that would expose any counterfeited supply.

“Our assessment is that exploitation of this vulnerability was unlikely. However, we do not believe that users should rely on our assessment, or anyone else’s. Shielded Labs is exploring —with the help of other Zcash developers—a proposed Network Upgrade to allow anyone to verify the integrity of the Zcash supply and to prove the non-existence of counterfeit Zcash in the Orchard pool.” continues Shielded Labs. “The proposal involves deploying a new shielded pool and enforcing turnstile accounting on all coins from the Orchard pool.”

If counterfeit ZEC exists, it would show up as a discrepancy at that checkpoint. This requires community governance support and a standard Zcash network upgrade process; a detailed proposal is expected next week. Shielded Labs is also starting a project to mathematically verify the entire Orchard circuit from scratch, and is hiring a Head of Security and a Cryptographer.

The case highlights a key concern for security researchers: advanced AI models can uncover critical flaws in well-reviewed systems very quickly. Using Anthropic’s Opus 4.8, a researcher found a four-year-old Zcash bug within 24 hours of release. This suggests many cryptographic systems not tested against modern AI may still hide unknown vulnerabilities, with no clear way to assess their safety.

Opus 4.8 is the model that’s publicly available. Anthropic’s Mythos model isn’t. If a public release found this in 24 hours, the question every protocol team should be asking right now is who else has access to better tools, and what have they already found.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon