ZODL’s Josh Swihart praises security response to ZEC bug as a masterclass in crisis management

A critical vulnerability that could have minted unlimited counterfeit ZEC was patched in days with zero exploits, zero losses, and zero privacy compromises

A bug capable of creating unlimited fake Zcash tokens was discovered, disclosed, and neutralized in less than a week. No funds were lost. No privacy was compromised.

Josh Swihart, founder and CEO of ZODL (Zcash Open Development Lab), called the response to a critical vulnerability in Zcash’s Orchard shielded pool a “masterclass” in security coordination. Given that the flaw could have let an attacker print ZEC out of thin air, the praise isn’t exactly unearned.

What happened, and how fast it got fixed

On May 29, 2026, researcher Taylor Hornby privately disclosed a vulnerability in Zcash’s Orchard shielded pool. The bug was the nightmare scenario for any cryptocurrency: it allowed for the potential creation of unlimited counterfeit ZEC tokens.

The response came in two phases. First, an emergency soft fork rolled out between June 1-2, 2026, hitting at block 3363426. This temporarily disabled Orchard transactions. Then came the hard fork. Dubbed NU6.2, it executed on June 3, 2026, at block 3364600. That’s a full patch deployed in roughly five days from initial disclosure.

Not a single exploit was reported. No user funds were affected. And no user privacy was compromised during the process. The shielded pool saw only about a 1% dip in size during the panic window.

The market’s panic, and its equally swift recovery

ZEC’s price dropped approximately 50% from recent highs once the vulnerability became public knowledge. After the NU6.2 hard fork went live on June 3, ZEC bounced back with a rally of 41.5-42%.

Who did the heavy lifting

Swihart was deliberate about crediting the broader ecosystem rather than just his own team. The fix required coordination between ZODL, the Zcash Foundation, mining pools including ViaBTC and Foundry, multiple exchanges, and node operators scattered across the network.

For ZODL specifically, this was an early and high-stakes test. The organization formed after the full engineering team departed from the Electric Coin Company (ECC) due to governance disagreements. In March 2026, ZODL secured over $25 million in seed funding. Executing a flawless emergency response to a critical zero-day vulnerability within months of standing up a new organization is a fundamentally different proof point than fundraising.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
