Zcash just pulled off a five-day sprint to patch a critical vulnerability in its privacy infrastructure, and exchanges temporarily froze ZEC deposits and withdrawals while the fix went live. The NU6.2 hard fork activated at mainnet block 3,364,600 around 00:05 EDT on June 3, 2026, re-enabling the Orchard shielded transaction pool after an emergency soft fork had disabled it hours earlier.

What happened and how fast it was fixed

On May 29, security researcher Taylor Hornby identified a critical soundness bug in the Orchard shielded transaction pool. Orchard is the newest and most advanced layer of Zcash’s privacy architecture, the system that lets users send fully shielded transactions where sender, receiver, and amount are all hidden from the public blockchain.

The fix came in two phases. First, an emergency soft fork on June 2 temporarily disabled Orchard functionality entirely. Then the NU6.2 hard fork activated at block 3,364,600, restoring full Orchard capability with the bug patched. From discovery to resolution: five days.

Exchange response and market reaction

Exchanges weren’t taking any chances. Bitget paused ZEC deposits and withdrawals starting June 2, and ViaBTC cited hard fork instability as its reason for doing the same. Services were queued for resumption after the upgrade completed successfully.

ZEC traded at approximately $629 in the early hours of June 3, representing gains of over 10% in the preceding 24-hour window. Over the prior 30 days, ZEC had climbed more than 53%.

The overall ZEC supply was never at risk. Transparent transactions, the non-shielded kind, continued to function normally throughout the incident. The pause and fix were focused exclusively on the Orchard shielded pool.

The broader context for Zcash

Zcash has been one of the original privacy-focused cryptocurrencies since its 2016 launch. The NU6.2 upgrade is only the second hard fork in the protocol’s history prompted by security concerns. The coordination between the Zcash Foundation and ZODL involved aligning on an emergency response, executing a soft fork, and then a hard fork within five days.

What this means for investors

The existence of the bug is itself a data point. A soundness flaw discovered in production, not in an audit, raises questions about the thoroughness of prior security reviews. Taylor Hornby deserves credit for the catch, but the question of how long the vulnerability existed before detection remains relevant.

One thing to watch: whether other exchanges beyond Bitget and ViaBTC resume services promptly, or whether some use the incident as a reason to delist ZEC entirely. Exchange availability has been a persistent challenge for privacy coins, and every security event is an opportunity for compliance-nervous platforms to quietly walk away.