Zcash audit by Anthropic finds no serious bugs, says Zooko

Zooko Wilcox says a security audit of the Zcash protocol conducted by Anthropic in collaboration with Mythos turned up no additional serious bugs. For a project that just spent the better part of a week in crisis mode over a critical vulnerability, that’s the kind of news the Zcash community desperately needed to hear.

The vulnerability that shook Zcash

On May 29, 2026, researcher Taylor Hornby, working for Shielded Labs, identified a soundness bug in the zero-knowledge proof circuit powering Zcash’s Orchard shielded pool. The vulnerability had been sitting there, undetected, since Orchard’s activation back in May 2022. That’s four years of exposure.

The bug could have allowed someone to mint counterfeit ZEC coins that would be completely undetectable on-chain.

Hornby found the flaw with assistance from Anthropic’s Claude Opus 4.8 model. Between June 2 and June 4, 2026, the Zcash network underwent an emergency upgrade that included both a soft fork and a hard fork. The patch was deployed before any confirmed exploitation occurred on-chain.

On June 5, Wilcox publicly disclosed the vulnerability. ZEC’s price dropped between 30% and 50%, erasing billions in market capitalization. Because of Zcash’s privacy design, proving that no counterfeit coins were minted during the vulnerability window is extraordinarily difficult.

What the new audit means

Wilcox’s announcement that Anthropic and Mythos found no additional serious bugs in the protocol follows an approach of integrating AI-assisted code review into Zcash’s security infrastructure. After Claude Opus 4.8 helped identify the Orchard vulnerability, the audit continues that partnership in a more systematic way.

The bigger picture for privacy coins and investors

The Orchard vulnerability episode exposed a fundamental tension in privacy coin design. When a soundness bug appears in a transparent blockchain like Bitcoin or Ethereum, you can audit the entire chain to confirm no illegitimate coins were created. With Zcash’s shielded pools, that level of verification is intentionally impossible.

The lingering uncertainty about historical supply inflation remains unresolved, and possibly unresolvable given the protocol’s privacy guarantees.

If models like Claude can catch zero-knowledge proof circuit bugs that human reviewers missed for four years, the implications for smart contract security across the industry are significant. Shielded Labs and other organizations in the Zcash ecosystem are now actively incorporating AI into their security audits following the incident.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.