How Claude Opus 4.8 found the Zcash ZK proof bug — full walkthrough

On May 29, 2026, an independent security researcher used Claude Opus 4.8 to find a critical soundness bug in Zcash's Orchard zero-knowledge proof circuit — a bug that had been live in production for four years and that two prior manual audits had missed. This walkthrough recreates the exact workflow.

The setup is simpler than people expect. We're not using Mythos. We're not using a fine-tuned model. We're using publicly available Claude Opus 4.8 through the Anvat gateway, at 30% off Anthropic's list price. Same model, same wire format, same outputs.

The first prompt is what we call the spec-vs-implementation diff audit. We feed three things into the system prompt with cache_control set to ephemeral: an audit playbook that defines the pattern we want the model to follow, the protocol specification — in this case the Zcash protocol paper section on Orchard — and the relevant implementation code from librustzcash.

The audit playbook is critical. We're not asking 'find a bug.' We're asking 'for each invariant the specification requires, walk through how the implementation enforces it. Flag any check that is loose, ambiguous, or absent.' That framing is what changes the work from 'security review' to 'spec compliance audit.'

Opus 4.8's first pass identifies the binding-versus-soundness distinction in the Orchard circuit's constraint system. The model writes — and this is a direct quote — 'The constraint at line 247 ensures binding for the note commitment but does not enforce the soundness condition that the v_net value equals the sum of input notes minus output notes when the circuit is satisfied.' That sentence is the entire bug, in plain English, on the first pass.

But Opus 4.8 doesn't claim certainty. It says 'this may be intentional if enforced elsewhere in the circuit composition layer.' That's important. The model surfaces a candidate, not a confirmation. We follow up by feeding the circuit composition layer code and asking the model to verify whether the v_net soundness condition is enforced there.

Second response: 'The composition layer aggregates per-action circuit instances but does not impose a separate v_net soundness constraint. The v_net binding in the action_combine function checks consistency but not soundness — a malicious prover could construct an action_combine output where the v_net binding holds for a forged input set.' That confirms the bug.

Total elapsed time: about 12 minutes of model-in-the-loop work. Total token cost on Anvat: roughly $4.30 at the Opus 4.8 rate, which is $3.01 at our discount. For finding a vulnerability that was good for unlimited counterfeit ZEC minting inside the shielded pool.

What this workflow proves is not that AI replaces human security researchers. The researcher still framed the audit, picked the right spec section, fed the right code, and recognized the candidate finding as a real one. What AI does is collapse the time-to-candidate from weeks of careful reading to minutes of structured prompting.

Three things to take away. First — the system prompt structure matters more than the question. Audit playbook + spec + implementation, cached separately, asking for invariant-by-invariant walkthrough. Second — feed the model code in the architectural order it would normally be read. Don't dump the whole repo; feed the layer you care about and let follow-ups go deeper. Third — cache the playbook and the spec. The cost compounds when you run this audit against multiple implementations.

If you want to run this workflow yourself, the code is in the post linked below — slash blog slash zcash-bug-claude-opus-4-8. If you want Opus 4.8 at the discount we use, sign up at anvat.app — two dollar signup credit, no card required.

We'll publish more security-research walkthroughs as researchers run this pattern against other protocols. If you've found something using a similar workflow, get in touch at hello@anvat.app — we'd love to feature it.