How Claude Opus 4.8 found the four-year-old Zcash zero-knowledge proof bug (May 2026)

On May 29, 2026, security researcher Taylor Hornby — auditing the Zcash protocol on behalf of Shielded Labs — discovered a critical soundness vulnerability in the Orchard zero-knowledge proof circuit. The bug had been live since the Orchard pool launched in May 2022. It allowed unlimited counterfeit ZEC to be minted inside the shielded pool with no on-chain trace.

The tool Hornby used to write the working exploit was Anthropic's publicly-available Claude Opus 4.8.

This isn't the Mythos-on-Glasswing story. This is one independent researcher with a public API key finding a four-year-old bug worth hundreds of millions in protected supply. It's the most concrete data point on what frontier models can actually do for security research today.

What the bug was

The vulnerability lived in the implementation of the Orchard zero-knowledge proof circuit in the halo2_gadgets crate. Specifically: an under-constrained element in an elliptic-curve multiplication check. The proof engine accepted mathematically invalid inputs as legitimate.

What that means in practice: an attacker could construct a transaction whose proof "passed" verification but encoded values the math should have rejected. The result — minted counterfeit ZEC inside the Orchard pool with no detectable signature on the transparent ledger.

It was a supply-inflation vulnerability, not a double-spend. The attacker mints from nothing; the chain doesn't notice.

What's at stake

The Orchard pool went live in May 2022. The bug was present from day one. Four years exposure.
Shielded Labs stated explicitly: there is "no definitive way to determine" whether the bug was exploited before discovery, because Orchard's privacy properties hide the inputs to every transaction.
ZEC dropped roughly 31-50% in 48 hours after the disclosure as the market priced in supply-integrity uncertainty.

The fix took ~5 days end-to-end:

Date	Event
May 29	Bug discovered, disclosed privately to ZODL core engineers
June 1	Patch developed
June 2	Emergency soft fork (Zebra 4.5.3) disables Orchard actions
June 3	NU6.2 hard fork activates corrected circuit (Zebra 5.0.0)

Second security-driven protocol upgrade in Zcash history. The first was the founding-team trusted-setup remediation. This is the second.

How the AI-assisted workflow looked

Per Shielded Labs' public writeup:

"The vulnerability was real and exploitable. Taylor, with the help of Opus 4.8, wrote a complete exploit which, when he tested it in a local regtest environment, generated unlimited, undetectable counterfeit ZEC."

The workflow as reported:

Audit framing. Hornby was conducting an ongoing protocol audit for Shielded Labs — a structured review of the Orchard circuit code, not a random AI prompt.
AI-assisted code analysis. Opus 4.8 reviewed the halo2_gadgets circuit definitions alongside the formal proof obligations they should have enforced.
Hypothesis generation. The model surfaced the under-constrained element — a check that wasn't tight enough to reject malformed inputs to the elliptic-curve multiplication.
Exploit construction. Opus 4.8 then wrote a working exploit that produced counterfeit ZEC in a local regtest environment.
Validation. Hornby tested the exploit, confirmed the bug was real, then disclosed privately.

The model wasn't autonomous. Hornby drove the audit, framed the hypotheses, validated outputs. But the model materially accelerated each stage — particularly the exploit-construction step where translating a circuit-level math flaw into a working executable counterfeiter is the bottleneck for human researchers.

What this proves (and doesn't)

What it proves

Public frontier models are now security-research-grade. Opus 4.8 — accessible to anyone with an API key — found a bug that four years of human review missed. The narrative that "real security AI is locked behind Project Glasswing" isn't accurate for public-domain models.
AI-assisted security pays compound returns on dense math. ZK circuits, cryptographic primitives, formal protocol specs — these are exactly the domains where the model's ability to hold the entire context window in mind beats human attention spans.
Disclosure-to-fix can compress meaningfully. The whole end-to-end took 5 days from discovery to hard fork. Anvat observed the entire AI-using research community pull faster timelines on incident response in 2026 vs 2025.

What it doesn't prove

AI is replacing security researchers. Hornby framed the audit, asked the right questions, ran the formal-method checks, and made the disclosure call. The model accelerated work he was already doing well — it didn't generate the audit from scratch.
Every codebase is one Opus 4.8 prompt away from a CVE. ZK circuits and crypto code are unusually well-suited to AI analysis. Random web-app codebases are a different problem.
You can replace formal verification. The Orchard team had formal-method tooling. The bug existed in the implementation of the circuit, not in the spec — exactly the gap manual + AI review catches but pure formal verification doesn't always cover.

What it means for AI-assisted security research

Two practical takeaways:

1. Frontier-model access is now a base-rate security investment

If you maintain critical infrastructure software — a blockchain protocol, a payments system, a key-management library, an OS kernel — having frontier-model access in your auditor's toolchain isn't optional in 2026. It's the same logic that put fuzzers in every security team's stack a decade ago.

The cost calculation for a small team:

1 senior auditor's monthly Opus 4.8 budget: ~$200-500 on direct Anthropic, ~$140-350 on a discount gateway (30% off list)
One bug found = $50K-$5M in avoided incident cost (industry baseline)
ROI is not subtle

2. The model-vs-model gap will widen what individual researchers can do

The Zcash bug was caught with Opus 4.8 — the public flagship. The Mythos-class capability that's gated behind Glasswing is 25% better on CyberGym vulnerability reproduction. When Mythos-class capability hits the public API tier (Anthropic says "weeks" as of June 2026), independent researchers will be operating at a capability level that was nation-state-only two years ago.

Defense-side teams should plan for offense-side researchers to have the same uplift.

How to set up an AI-assisted security audit workflow

A practical pattern that works for protocol audits:

import Anthropic from "@anthropic-ai/sdk";
 
const client = new Anthropic({
  baseURL: "https://api.anvat.app/v1", // 30% off list
  authToken: process.env.ANVAT_API_KEY,
});
 
// 1. Load the formal spec + implementation into the cached prefix
const auditPrompt = await client.messages.create({
  model: "claude-opus-4-8",
  max_tokens: 4096,
  system: [
    {
      type: "text",
      text: SECURITY_AUDIT_SYSTEM_PROMPT,
      cache_control: { type: "ephemeral" },
    },
    {
      type: "text",
      text: formalSpec, // the protocol spec / RFC / paper
      cache_control: { type: "ephemeral" },
    },
    {
      type: "text",
      text: implementation, // the actual circuit / code
      cache_control: { type: "ephemeral" },
    },
  ],
  messages: [{
    role: "user",
    content: `For each constraint in the spec, identify whether the
implementation enforces it precisely, over-constrains it, or
under-constrains it. Flag any under-constrained checks for
hypothesis generation.`,
  }],
});
 
// 2. For each flagged item, run hypothesis -> exploit generation
// 3. Validate in a sandbox before disclosing

The cached prefix is critical. A protocol audit re-asks similar questions across dozens of code sections — caching the spec + implementation cuts cost ~80% over the audit lifetime.

What's coming next

Two converging trends to track:

Public-tier capability gains. Mythos-class models will likely hit the general API in mid-to-late 2026. When they do, the same workflows above will produce 25-50% more findings per researcher hour.
Defensive AI infrastructure. Project Glasswing is the formalisation of "AI for defense" at hyperscaler scale. The pattern will replicate in finance, energy, telecoms. Expect sector-specific AI-defensive coalitions over the next 12 months.

For the individual security researcher or small audit team: the most valuable thing you can do today is build the muscle for AI-assisted protocol review. The tools are public, the methodology is documented (Hornby's writeup is a primer), and the bugs are out there.

Claude Mythos & Project Glasswing explained → Claude Opus 4.8 full spec → Using Claude for security research →

Run Opus 4.8 audits at 30% off list

The same model that found the Zcash bug — accessible at api.anvat.app with full prompt caching for repeated audit context. $2 free credit on signup, no card.

Get a key → →