Zcash activates NU6.2 hard fork after fixing Orchard double-spend flaw
A critical soundness bug discovered on May 29 in Zcash’s Orchard shielded pool was contained through coordinated soft- and hard-fork upgrades, with the Foundation saying there is no evidence of exploitation or supply inflation.
Zcash deployed the NU6.2 hard fork after privately coordinating an emergency response to a critical soundness vulnerability in Orchard, its shielded pool, that could have allowed invalid state transitions and potential double-spending within Orchard. The Zcash Foundation said researcher Taylor Hornby, conducting a protocol audit on behalf of Shielded Labs, found the flaw on May 29 and disclosed it to Zcash Open Development Lab core engineers the same day. A first soft-fork attempt ran into technical issues, but a revised patch activated on June 2 and temporarily disabled Orchard-related transactions. A full hard fork on June 3 restored Orchard with corrected code. The Foundation said there was no evidence the bug had been exploited, no unauthorized value creation was detected, the total ZEC supply remained protected by Zcash’s turnstile mechanism, and fund privacy across Zcash pools was unaffected. Confusion on social media about the network being offline was later attributed to explorers connected to a bad node or upgrading nodes, rather than a chain outage.
- Orchard: Zcash’s shielded pool for private transactions.
- double-spending: A flaw or exploit that allows the same funds to be spent more than once.
- turnstile mechanism: A Zcash safeguard designed to protect the total ZEC supply from unauthorized creation.