Cautious Thorchain update compounds ZCash woes as vulnerability headache grows

THORChain has remained offline for three weeks since it experienced a $10.7 million vault exploit.

THORChain initially planned to integrate ZEC support into its platform, but even that is now delayed after a critical flaw was discovered in Zcash’s Orchard shielded pool. That decision could not have come at a worse time for ZEC, which has taken a beating since the AI–discovered vulnerability was revealed.

What happened to THORChain and when will it restart?

THORChain has been offline for three weeks following a major security breach that resulted in the loss of $10.7 million from one of its vaults.

The problem at THORChain started with a flaw in a security system called the GG20 threshold signature scheme. An attacker was able to join the network as a node operator and exploit this weakness to drain funds from a single vault. The other four vaults were not affected.

THORChain’s developers released a fix (version 3.19) several days ago, but the network is yet to resume normal operations.

The team even added a new safety step called “key verify” to ensure every remaining vault is secure before operations resume. The restarting process will include node operators moving to the new software version, migrating funds, and finally reopening trading. Barraford estimated that this process will take several days to complete once it begins.

The recovery plan, called ADR028, aims to cover the $10.7 million loss without creating new RUNE tokens or diluting existing holders. Instead, the protocol’s own money will be used, and any remaining loss will be shared with synthetic asset holders. The protocol is also offering the hacker a bounty to return the funds.

What was the Zcash bug, and why did it cause such a big price drop?

Zcash was supposed to be THORChain’s next chain integration, ahead of Monero, but that timeline slipped after security researcher Taylor Hornby, working under contract with Shielded Labs, discovered a soundness bug in Zcash’s Orchard shielded pool.

The bug has been present in the Orchard protocol “rulebook” since it launched in May 2022. Hornby used Anthropic’s Opus 4.8 model to create a working example of the exploit in a test environment and confirmed it could produce fake tokens in a local test environment.

An emergency soft fork quickly temporarily disabled Orchard transactions on June 2, and a hard fork (NU6.2) reactivated the pool with a corrected circuit on June 3. The five-day turnaround from discovery to resolution was only the second security-driven protocol upgrade in Zcash’s ten-year history.

When the bug was disclosed, ZEC dropped roughly 40% within 24 hours. CoinMarketCap data showed the token trading near $333, down from a 52-week high above $700.

Arthur Hayes, the chief investment officer at Maelstrom and co-founder of BitMEX, said on X that he liquidated his entire ZEC position. Hayes previously set a public price target of 10% of Bitcoin’s value for ZEC, but the 30% drop forced him to rethink.

He left open the possibility of buying back the tokens if his concerns about supply integrity proved unfounded.

Blockchain intelligence firm Arkham flagged at least one large holder who watched more than half the value of a $174 million ZEC position evaporate without selling.

Shielded Labs, the organization that fixed the bug, explained that it is cryptographically impossible to determine whether or not the bug was ever used due to the four-year window before it was found, but the firm also stated that it is unlikely the bug could have evaded years of expert review if it was active.

Just discovering the vulnerability required AI-assisted auditing techniques, and the remediation window was narrow once the flaw became known.