June 07, 2026 ChainGPT

AI Uncovers Zcash Bug That Could Have Enabled Unlimited ZEC — Crypto on Alert

Headline: AI-powered bug hunting just upended Zcash — and the crypto world may be next

AI systems that once only helped write code are now finding critical software flaws — and Zcash’s surprise emergency patch this week shows how fast that capability can ripple through crypto markets.

What happened with Zcash

- Independent security researcher Taylor Hornby used Anthropic’s Claude Opus 4.8 to uncover a critical bug in Zcash’s Orchard privacy pool that existed from Orchard’s activation in May 2022 until an emergency fix on June 1, 2026.
- The flaw could have allowed an attacker to mint unlimited counterfeit ZEC. Because of Orchard’s privacy properties and the nature of the bug, Shielded Labs — the organization behind Zcash development — says there is no cryptographic way to determine whether the vulnerability was ever exploited.
- The uncertainty alone sent ZEC’s price tumbling this week.

Why AI is changing vulnerability research

- The latest frontier models — Anthropic’s Claude Mythos/Opus and OpenAI’s GPT-5.5 among them — are being used not only to generate and explain code, but to review, audit, and actively hunt for software vulnerabilities.
- That shift accelerated after Anthropic’s 2025 launch of Claude Code, which the company said drove a sharp increase in AI-generated code across engineering teams and moved models from code suggestion to writing and running code themselves.
- Security pros warn this makes vulnerability discovery faster and easier. “AI is far better at reviewing code than most people and finding potential vulnerabilities in it,” Danny Jenkins, CEO and co-founder of ThreatLocker, told Decrypt, calling more advanced models an imminent “big problem.” He says AI lowers the barrier to entry for exploit development and expands who can search for weaknesses.

How companies and researchers are using AI defensively (and offensively)

- Anthropic expanded Project Glasswing this week, giving 150 companies and institutions access to Claude Mythos to find and remediate vulnerabilities before broader release.
- Mozilla credited Anthropic’s models with identifying hundreds of bugs it patched in Firefox. Researchers also used Mythos Preview in work that produced one of the first public exploits targeting Apple’s M5 chips.
- Microsoft in May introduced MDASH, an agentic vulnerability-discovery system it says found previously unknown Windows flaws.

Debate over access: gatekeeping vs. democratization

- Some argue restricting access to cutting-edge models is security by obscurity and ultimately ineffective. Stanislav Fort, founder and chief scientist of security firm Aisle and former researcher at DeepMind and Anthropic, told Decrypt that trying to bottle up capabilities only delays the inevitable and handicaps defenders. “The answer isn’t restriction; it’s democratization of the defensive stack,” he said.
- The real danger, Fort warns, is asymmetry — attackers getting high-powered tools while open-source maintainers and defenders lack equal access.

Why crypto and DeFi are especially exposed

- Blockchain projects are tempting targets: code is often public and the financial rewards for successful exploits are high.
- Zcash is the most recent high-profile example of an AI-assisted discovery slipping past years of human review. The broader DeFi sector already endured a brutal start to 2026: more than $840 million was stolen from DeFi projects in the first five months of the year, including over $600 million in April alone in attacks on projects such as KelpDAO and Drift Protocol.
- Emerging tactics like “vibe hacking,” where AI coding agents automate reconnaissance, credential theft, malware development and other stages of an attack, are lowering the skill barrier for sophisticated cybercrime.

What security experts recommend

- Defenders can — and must — use the same tools. Blockaid CTO Raz Niv says AI will likely amplify attackers, not replace them, by automating routine work and freeing hackers to focus on advanced techniques. “The good news is defenders can use the same tools,” he said.
- CertiK’s Natalie Newson notes April 2026 was unusually bad for crypto exploits but says overall incident counts (excluding phishing) remain roughly consistent and below 2023 peaks. Still, the Zcash event is a wake-up call about unseen risks in privacy-preserving systems where exploitation can be undetectable.
- Practical steps include wider access to AI-assisted auditing for open-source maintainers, faster coordinated disclosure and patching processes, and integrating AI into continuous monitoring and simulation for threat detection.

Bottom line

AI is rapidly becoming a force multiplier in security research — uncovering long-buried bugs and also making exploit development cheaper and faster. The Zcash incident illustrates both sides of that coin: a vulnerability found and patched thanks to AI, but with no way to know whether it was already exploited. For crypto projects and DeFi teams, the message is clear: adopt AI-powered defenses, prioritize audits, and assume adversaries will too.