The AI Audit That Sent ZEC Down 38% Hits a Wall on XRP Ledger

ZEC fell 38% after AI found a four-year-old Zcash Orchard bug. XRP’s Confidential Transfers keeps supply public, blocking hidden inflation.

ZEC fell 38% in one trading day after Shielded Labs, the nonprofit developer behind Zcash, disclosed a four-year-old counterfeiting vulnerability in its Orchard privacy pool discovered by an AI audit. XRP Ledger’s upcoming Confidential Transfers upgrade keeps total token supply in plaintext, a design its authors say prevents hidden inflation regardless of what a future AI audit finds inside the encryption layer.

The core difference is one architectural choice. XRPL encrypts individual balances while leaving aggregate supply figures in public plaintext. Zcash’s Orchard pool encrypted everything, supply totals included, inside the zero-knowledge layer, leaving no external anchor to detect silent minting.

Thirty-Eight Percent in Twenty-Four Hours

Security engineer Taylor Hornby found the vulnerability on May 29, 2026. Shielded Labs had engaged him in April specifically to audit the Orchard protocol, and he ran the review using Anthropic’s Claude Opus 4.8, released the day before on May 28, paired with a custom AI auditing framework he named zcash-full-stack-auditor. An AI agent within the framework flagged the critical flaw at around 6 p.m. MDT. By 11:53 p.m., Hornby had a working proof-of-concept and a full report delivered to the Zcash Open Development Lab (ZODL) over Signal.

The flaw sat in the halo2_gadgets Rust crate, specifically inside the variable-base scalar multiplication gadget that powers Orchard’s zero-knowledge proof circuit. Two lines of code left an elliptic curve multiplication check under-constrained. Mathematically invalid inputs passed a verification step that should have rejected them, allowing an attacker to spend the same shielded note multiple times by revealing a valid-looking nullifier with each spend. The bug had been present since Orchard’s activation in May 2022, surviving four years of specialist cryptographic review.

“The vulnerability could have been exploited to undetectably create an unlimited amount of counterfeit ZEC within Orchard.”

Zcash co-founder Zooko Wilcox posted that statement on X on June 5, the same day CoinDesk and Decrypt recorded ZEC’s 38% 24-hour decline and The Block reported the sell-off ultimately pushed the token as low as roughly $250 from a prior level near $630. Emergency fixes deployed between June 1 and June 3 in two stages, concluding with the NU6.2 hard fork that replaced the flawed circuit at block 3,364,600. Shielded Labs acknowledged there is no cryptographic way to determine whether the exploit was used before the patch.

The Zcash Foundation said its turnstile mechanism, an accounting system tracking total value flows across the Sprout, Sapling, Orchard, and transparent pools, detected no unauthorized value creation in cross-pool transfers. That mechanism watches amounts entering and leaving Orchard; it cannot audit what happens inside the pool itself. Within Orchard, the vulnerability allowed forging of double-spent transactions that would appear as legitimate ZEC to other participants, with no on-chain trace. Zcash encountered a structurally similar counterfeiting vulnerability in the older Sprout shielded pool, which it disclosed in 2019.

How Claude Opus 4.8 Found What Four Years Missed

ZK (zero-knowledge, a cryptographic method that proves a statement true without exposing the underlying data) circuit audits have historically required weeks of specialist work by cryptographers fluent in constraint systems and elliptic curve mathematics. Hornby and his AI framework compressed that to hours.

His approach fits a broader pattern. A January 2026 paper on arXiv found AI agents achieving a 63% success rate on smart-contract exploit benchmarks, with researchers noting capability growth in this area is accelerating. In February 2026, Octane disclosed that an AI-assisted audit found a high-severity bug in Nethermind, an Ethereum execution client, that could have halted block production for approximately 38% of Ethereum validators.

The Zcash case moves that concern from app-layer code to base-layer cryptography. Smart contract vulnerabilities sit above the monetary layer; the Orchard flaw was inside the circuit that defines which tokens are valid on the network. Once Opus 4.8 helped Hornby identify the under-constrained multiplication gadget, the exploit followed quickly: invalid inputs simply passed the broken gate.

The sell-off accelerated after the June 5 public disclosure, not after the June 1 initial patch. Shielded Labs’ proposal for a follow-up upgrade includes new supply-accounting measures specifically because the existing architecture cannot definitively rule out pre-patch exploitation inside Orchard’s shielded layer. That acknowledgment, not the patch itself, drove the deepest selling; Orchard’s privacy properties mean any within-pool counterfeiting before the fix is cryptographically unverifiable in hindsight.

The Supply Line That Orchard Couldn’t Hold

J. Ayo Akinyele, Senior Director of Engineering at Ripple (the enterprise payments company behind XRP Ledger’s development) and one of the XLS-0096 co-authors, characterized the XLS-0096 design as “verifiable privacy” in post-disclosure commentary, contrasting it with what he described as Zcash’s “blind anonymity.” Orchard hides as much as possible, including the running supply total inside the pool. That scope decision removed the external supply anchor that any independent check could use to detect silent minting without access to the private proofs.

The XLS-0096 Confidential MPT specification, co-authored by Akinyele with Ripple colleagues including Murat Cenk and Aanchal Malhotra, draws the line in the abstract: individual balances and transfer amounts are encrypted and hidden from validators and external observers, but issuance limits remain “publicly enforceable through the existing invariant OutstandingAmount ≤ MaxAmount, without requiring decryption of confidential balances.” A second plaintext field, ConfidentialOutstandingAmount, specifically tracks how many tokens are held in confidential balances. Both fields sit outside the encryption layer, readable by any validator without a private key.

An attacker finding a flaw in XRPL’s ZK circuit and attempting to forge tokens inside a confidential balance would still need to pass a plaintext supply check that validators enforce on every transaction separately from the encrypted proof system. Zcash’s turnstile protects against cross-pool accounting fraud; it has no view inside Orchard. The XRPL design keeps the supply total outside the encrypted layer entirely, placing it on a different check that does not depend on the ZK proofs being sound.

| Feature | Zcash Orchard | XRPL XLS-0096 |
|---|---|---|
| Individual balances | Hidden inside zero-knowledge proofs | Encrypted (EC-ElGamal) |
| Transfer amounts | Hidden | Hidden |
| Total token supply | Hidden inside the Orchard pool | Plaintext on ledger (OutstandingAmount) |
| Counterparty identities | Hidden | Public (account-based model) |
| Supply auditability without decryption | No definitive on-chain proof | Validators enforce OA ≤ MaxAmount |
| Issuer freeze and clawback | Limited | Preserved in full |

Sender and receiver identities also stay public under XLS-0096. That scope limits the upgrade to concealing amounts and balances while preserving the XRP Ledger’s account-based model and avoiding the compliance friction associated with full anonymity.

What the XLS-0096 Spec Keeps in the Open

The XRPL Standards repository specification lists four design properties that Akinyele and the team say collectively block the hidden-inflation class of attack that hit Zcash:

  • Plaintext supply enforcement: OutstandingAmount, the sum of all non-issuer balances, is maintained as a public ledger field. Validators enforce OutstandingAmount ≤ MaxAmount on every transaction without decrypting any individual balance.
  • Dedicated Account isolation: The issuer account cannot hold confidential balances for its own issuance. Any issuer wanting to participate in confidential circulation must use a separate dedicated account treated by the ledger as a standard non-issuer holder, keeping all issuance events transparent at the ledger level.
  • Split-balance model: Each confidential account divides holdings into a Spending balance (CB_S, used to generate proofs for outgoing transfers) and an Inbox buffer (CB_IN, which receives incoming transfers). Merging them requires an explicit on-ledger transaction that increments a version number bound to newly generated proofs, preventing replay attacks and the stale-proof failures common in concurrent ZK systems.
  • Fixed-size proof composition: EC-ElGamal (elliptic curve ElGamal, a homomorphic public-key scheme that allows arithmetic on encrypted values without decryption) combined with AND-composed compact sigma proofs and range proofs packages every transfer’s validity checks into a bounded, fixed-size proof per transaction type, giving validators a consistent verification target.

Issuer controls from XLS-33, the Multi-Purpose Token (MPT) standard that XLS-0096 extends, carry over to confidential balances. Issuers can freeze accounts and execute clawback transactions that burn a holder’s confidential balance and permanently remove those tokens from circulation. Account holders can provide cryptographic view keys to auditors or regulators without public exposure, a mechanism designed specifically for compliance-sensitive deployments.

Whether the ZK proof implementation itself is sound is a separate engineering question the draft process is actively working through. The visible-supply invariant constrains any implementation gap: a ZK circuit flaw could potentially allow double-spending within a single account’s confidential balance, but it could not manufacture tokens that exceed the public supply cap validators enforce on every transaction.
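The bounded-damage argument above can be modelled as a validator step in which the plaintext supply check runs independently of the proof verdict. This is an added illustration, not code from the XLS-0096 specification or from the article: the three field names come from the text, while the transaction kinds, the `proof_ok` flag standing in for the ZK verifier, and the ordering ConfidentialOutstandingAmount ≤ OutstandingAmount are assumptions of the model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Issuance:
    max_amount: int                     # MaxAmount: public issuance cap
    outstanding: int = 0                # OutstandingAmount: all non-issuer balances
    confidential_outstanding: int = 0   # ConfidentialOutstandingAmount

# Hypothetical transaction kinds -> (delta OutstandingAmount,
#                                    delta ConfidentialOutstandingAmount)
DELTAS = {
    "issue":     lambda a: (a, 0),    # issuer sends new tokens to a holder
    "to_conf":   lambda a: (0, a),    # public balance moved into encrypted form
    "from_conf": lambda a: (0, -a),   # encrypted balance revealed back to public
    "conf_send": lambda a: (0, 0),    # amount hidden; plaintext totals unchanged
}

def plaintext_invariant(s):
    """Checked from public fields only; no ciphertext or proof is consulted."""
    return 0 <= s.confidential_outstanding <= s.outstanding <= s.max_amount

def apply_tx(state, kind, amount, proof_ok=True):
    """Return (new_state, verdict). proof_ok stands in for the ZK verifier."""
    if not proof_ok:
        return state, "rejected: proof"
    d_oa, d_coa = DELTAS[kind](amount)
    candidate = replace(
        state,
        outstanding=state.outstanding + d_oa,
        confidential_outstanding=state.confidential_outstanding + d_coa)
    if not plaintext_invariant(candidate):
        return state, "rejected: supply invariant"
    return candidate, "applied"

def broken_circuit_scenario():
    """Every proof verifies (proof_ok=True), modelling an unsound circuit."""
    s, log = Issuance(max_amount=1000), []
    for kind, amount in [("issue", 600), ("to_conf", 400),
                         ("conf_send", 10**9),  # forged hidden amount
                         ("from_conf", 500),    # more than ever went confidential
                         ("from_conf", 400),    # within the confidential total
                         ("issue", 500)]:       # would exceed MaxAmount
        s, verdict = apply_tx(s, kind, amount, proof_ok=True)
        log.append((kind, amount, verdict))
    return s, log

if __name__ == "__main__":
    final, log = broken_circuit_scenario()
    print(*log, final, sep="\n")
```

The accepted `from_conf` of 400 is the residual risk the paragraph concedes: with an unsound circuit, value can still be misappropriated among confidential holders up to the plaintext confidential total, even though the public supply figures never exceed the cap.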

XLS-0096 Remains in Draft

The amendment was submitted to the XRPL Standards process on January 15, 2026. It has not been activated on the XRP Ledger mainnet as of June 6.

Its initial deployment scope covers Multi-Purpose Tokens, the asset class introduced by XLS-33 on XRPL mainnet in October 2025. Stablecoins including RLUSD (Ripple’s dollar-backed stablecoin pegged to one US dollar), tokenized real-world assets, and institutional settlement instruments are the intended first use cases. Native XRP transactions are outside the current scope. The development team has said the architecture could extend to native XRP in future implementations once the MPT layer is proven in production.

Banks and regulated financial institutions require transaction counterparty data for AML (anti-money-laundering) compliance and reporting. Full anonymity would disqualify XRPL from those use cases. Akinyele’s published position on privacy and institutional blockchain finance frames the target as infrastructure that is “scalable, compliant, and trustworthy” rather than anonymous.

XRPL Foundation community lead Vet, who highlighted the XLS-0096 design in direct response to the Zcash disclosure on June 5, cited the XRP Ledger’s growing institutional asset base, with nearly $1.9 billion in tokenized assets represented on-chain, as the context a privacy upgrade designed for regulated deployments is intended to serve.

XRP’s Fourteen-Percent Drop Has Separate Causes

XRP fell from approximately $1.60 to around $1.09 over the past seven days, a decline of roughly 14% per market data cited in Pluang’s weekly review. Large-holder selling and renewed uncertainty over US crypto regulation are the identified drivers. The token broke below the $1.30 support level traders had been tracking, with the next technically significant zones considerably lower.

The broader altcoin market was already under stress before Zcash’s circuit story became public. Ethereum dropped 10% on June 5, pulling total altcoin market capitalization below $880 billion. That move preceded the Zcash vulnerability disclosure and reflects macro selling pressure unconnected to privacy-protocol security.

On-chain activity at the XRP Ledger level has continued without disruption. XRP Ledger network growth from late May showed a surge in new wallet creation alongside expanding institutional market access, a separate signal from the current price move.

The XLS-0096 amendment sits in draft status, with no activation date set on the XRP Ledger mainnet.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency prices are highly volatile and may change significantly after publication. Readers should consult a qualified financial professional before making any investment decisions. Figures are accurate as of publication.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
