ln

Regarding the suspected attack on the Aztec Router contract on the Ethereum chain, Aztec Labs has officially launched an investigation and clarified that Aztec Connect was deprecated three years ago. Aztec Labs does not hold any administrator keys or control over the system, and currently cannot pause or upgrade it. Therefore, the community is reminded to be vigilant against false "support" accounts and private messages.

David Sacks, the head of AI and crypto affairs at the White House, stated that although the commercial version of the Mythos series model Fable released by Anthropic this week includes safety barriers, once those barriers are bypassed, users will be able to access Mythos's advanced cyber attack capabilities. Sacks pointed out that Anthropic had previously described Mythos as a "cyber weapon" that requires regulation, so fixing the related vulnerabilities should have been its responsibility.Sacks mentioned that a partner trusted by both Anthropic and the U.S. government discovered a jailbreak method to bypass the safety barriers while testing Fable. The U.S. government subsequently requested Anthropic CEO Dario Amodei to fix the vulnerabilities or take the model offline, but this request was refused. Anthropic stated in a declaration that the vulnerability is "not serious," a claim that contradicts the judgment of the U.S. government and relevant partners.Sacks stated that Anthropic has always emphasized that safety should be prioritized, but this time it prioritized maintaining consumer-grade model services. In response, the U.S. government reluctantly imposed export control measures on Anthropic and hopes that Anthropic will resolve the safety issues as soon as possible to lift the related restrictions and restore the full release of Fable.Sacks also denied that this action is related to previous disputes between the U.S. Department of Defense and Anthropic, stating that the government recognizes Anthropic's technological capabilities and believes that the current issues can be resolved relatively easily, with the initiative currently in Anthropic's hands.

Zcash founder Zooko Wilcox posted to express gratitude to Anthropic for helping to protect Zcash users.At the request of Shielded Labs, they conducted a security audit of Zcash using Mythos, and no other serious vulnerabilities were found in the Zcash protocol. Shielded Labs and other teams are continuing to advance security reinforcement work, and updates will be released later.

The Bitcoin Core team posted on the X platform that the new -privatebroadcast feature introduced in Bitcoin Core version 31 has a privacy vulnerability that may expose the sender's IP address to the receiving node under certain network conditions. A fix will be released with version 31.1.

According to Arkham monitoring, a certain address has just withdrawn approximately 1% of the total amount from the Zcash privacy pool Orchard Pool. Currently, Orchard Pool theoretically still holds about 3.88 million ZEC, valued at approximately 1.65 billion dollars at the current price.

According to Bits.media, the reward pool of the NovaBox platform was hacked on June 9 on Ethereum, resulting in a loss of approximately 56.73 ETH, affecting over 130 deposit users. The attacker drained the pool's funds from 65.11 ETH to 0.09 ETH in a single transaction, accounting for about 99.86%.Security company F12 stated that the incident was not due to a smart contract vulnerability, but rather a flaw in the reward distribution mechanism. The attacker borrowed 427.5 WETH through an Aave V3 flash loan, exploiting a loophole in NovaBox's mechanism of distributing dividends before updating balances when users deposit or withdraw. The hacker first deposited a small amount of NOVA tokens to trigger the dividend calculation, then deposited a large amount of ETH, significantly increasing the actual share. However, since the system did not update the balance in time, dividends were still calculated based on the previous small share, while payments were made based on the new large share, resulting in approximately 145.82 ETH of "phantom dividends," which drained the reward pool.

The founder of Slow Fog, Yu Xian, stated that the attack Asterix encountered is similar to that of Flooring Protocol and BMP yesterday (the underlying protocols are DN404 and BT404), with high-level NFT ID displacement operations overflowing and being reused. It seems the attackers are looking for common vulnerabilities.It is reported that Asterix disclosed an attack incident affecting the ASTX token contract yesterday, stating that its Uniswap v4 liquidity pool was attacked on June 8, with attackers stealing approximately 30 ETH through 242 transactions. The vulnerability originated from a lack of token ID restriction checks on approval operations in an early version of DN404. Attackers exploited the outdated token approval to repeatedly sell tokens in the pool to obtain ETH, and then extracted equivalent tokens through forged IDs, leading to a cycle that drained the funds.Smart contracts are immutable and cannot be patched. The team advises users to stop interacting with the current pool and tokens and is planning to migrate to deploy secure tokens. The team suspects that the attackers used a jailbroken AI tool for fuzz testing to discover unconventional logic paths.

According to CoinDesk, security engineer Taylor Hornby, who discovered a serious vulnerability in Zcash using the Anthropic Opus 4.8 AI model, stated that Monero (XMR) has been added to the audit queue, and more privacy coin projects will undergo security reviews in the future.Hornby previously discovered a critical vulnerability in the Zcash Orchard privacy pool on May 29, which had gone unnoticed since May 2022 and could theoretically allow attackers to create unlimited undetectable fake ZEC. The development team at Shielded Labs completed an emergency fix before June 1 and subsequently disclosed the details of the vulnerability. As a result of the incident, ZEC dropped by as much as 38% within 24 hours after the news broke, with the market concerned that attackers may have exploited the vulnerability to steal funds from the privacy pool without leaving on-chain traces.Hornby stated that he was commissioned by the nonprofit organization Shielded Labs in April of this year to identify protocol vulnerabilities before attackers could exploit them. Although he had the means to profit from the vulnerability, he chose to report the issue to the development team, stating that "such betrayal is unacceptable." Additionally, Hornby plans to apply for funding from the Zcash community to support subsequent security research efforts.

Dragonfly Managing Partner Haseeb published a statement regarding the recently patched Zcash vulnerability, indicating that there are many misunderstandings in the market about this event. He pointed out that even if the vulnerability had been exploited before it was fixed, attackers could only profit by faking ZEC in the privacy pool, and these tokens must first be converted from a privacy address to a transparent address to enter mainstream trading platforms.Since the supply of ZEC in transparent addresses can be publicly verified, any abnormal transfers exceeding the maximum supply will be detected and blocked, so the vast majority of investors holding transparent ZEC and exchange users will not be affected.Haseeb stated that the Zcash team plans to introduce a new "Turnstile" mechanism and a brand new privacy pool in future upgrades to verify that there is no inflation issue in the current privacy pool. He also mentioned that formally verified cryptographic systems can reduce implementation errors from a design perspective. Haseeb finally disclosed that Dragonfly still holds ZEC, and he is also a ZODL investor.

Dragonfly partner Haseeb tweeted to clarify the recently fixed vulnerability in Zcash. He stated that if the vulnerability had been exploited before the fix (although the probability is extremely low), it would manifest as the privacy pool minting false ZEC. Attackers would need to sell quickly, but since the market primarily trades transparent ZEC, they cannot directly sell the unmasked privacy ZEC on mainstream exchanges. Therefore, the losses would mainly be borne by users holding privacy ZEC, with almost no impact on holders of transparent ZEC and price discovery.Haseeb emphasized that the Zcash team will introduce a new turnstile mechanism and a brand new privacy pool in the next upgrade to verify that the privacy pool has not been inflated. He also has high hopes for formal verification technology, believing it is an important path for enhancing software security across the industry in the future, especially crucial for privacy protocols.

According to the THORChain blog, ZEC has been added to the THORChain launch queue, but due to a recently disclosed vulnerability in Zcash that affects the normal use of integrators, THORChain needs to complete a code modification in the Bifrost module before proceeding.The development team stated that the modification is very minor but must be completed before the launch of ZEC. Currently, Monero (XMR) is expected to launch at the end of this month, with ZEC following afterward.

The ZEC treasury company Cypherpunk posted on platform X in response to the market fluctuations of the ZEC token, stating that all software has vulnerabilities. Historically, Bitcoin has "over-minted" 18.4 billion BTC due to errors. However, this does not mean that blockchain technology should be abandoned; rather, security should be enhanced through formal verification and provable correctness.Cypherpunk emphasized that with the development of AI technology, vulnerability detection will become faster and broader, but the key lies in who can identify problems before malicious actors do. Zcash demonstrates its capability in this regard through an upcoming update.Previously, it was reported that the privacy coin ZEC faced market sell-offs due to the revelation of a security vulnerability that could potentially lead to unlimited issuance, causing the coin's price to drop over 50% in a single day.

Arthur Hayes (@CryptoHayes), co-founder of BitMEX and CIO of Maelstrom Fund, stated that he has liquidated all his $ZEC holdings due to a vulnerability attack on ZEC's Orchard Pool.Hayes pointed out that although the possibility of malicious minting is extremely low, it cannot be formally proven impossible at the cryptographic level; the privacy narrative demands "perfection" rather than "high probability safety." He also mentioned that if subsequent assumptions are falsified, he does not rule out the possibility of buying back at a lower price. Currently, his team still holds $WLD positions and maintains a bullish stance.

On May 29, 2026, Taylor Hornby discovered a critical forgery vulnerability in the Zcash Orchard funding pool. Taylor Hornby reported the vulnerability to the Zcash Open Development Lab, and all parties collaborated to complete the fix on June 2. This vulnerability could be exploited to secretly create an unlimited number of forged ZEC within Zcash Orchard. Due to the privacy features of Orchard, it is impossible to cryptographically prove whether the vulnerability was exploited before the fix was deployed. The vulnerability had existed since the activation of Orchard in May 2022, until an emergency fix was deployed on June 1, 2026.With the assistance of AI tools, Taylor Hornby wrote a complete exploit and generated unlimited and undetectable forged ZEC in a local testing environment. Currently, Shielded Labs is collaborating with other Zcash developers to explore network upgrade proposals that would allow anyone to verify the integrity of Zcash's supply.

According to The Block, the Donjon security team under Ledger has bypassed the firmware verification mechanism of the TROPIC01 chip used in the Trezor Safe 7 through precise laser attacks in a laboratory environment, allowing unauthorized firmware to be loaded as long as the attacker possesses the physical device.Chip manufacturer Tropic Square further discovered that there are additional attack vectors in the MAC-and-Destroy security mechanism used for PIN verification on this chip, but details will not be disclosed until the enhanced version of the chip is launched at the end of 2026.Trezor stated that the PIN, mnemonic backup, and private keys have never been stored on a single chip, and they have notified partners, so ordinary users do not need to take action. Currently, the feasibility of attacks can be reduced by disabling the chip's MAINTENANCE mode.

The official announcement from the Zcash (ZEC) Foundation states that independent security researcher Taylor Hornby discovered a serious reliability vulnerability in the Orchard zero-knowledge proof circuit on May 29, which could allow double spending within the Orchard pool.Core engineers from ZODL confirmed the issue within hours and initiated a fix. To buy time, they temporarily disabled Orchard operations through an emergency soft fork of Zebra 4.5.3 in the early hours of June 2. Finally, today, they activated the NU6.2 hard fork through Zebra 5.0 — at 12:05 PM Beijing time, the mainnet successfully completed the upgrade at block height 3,364,600, re-enabling Orchard with the corrected circuit, and the vulnerability was permanently closed.This is the second time Zcash has triggered a protocol upgrade due to security issues since its launch in 2016, with no known exploits occurring during the process. The network's total supply guard mechanism confirmed that the total supply remained intact, and user privacy, as well as Sapling and transparent transactions, were not affected.

The Zcash Foundation announced the release of the Zebra 4.5.1 version update to fix a consensus-level security vulnerability and strongly recommends that all node operators upgrade immediately.The vulnerability, identified as GHSA-2prc-cj5x-4443, involves a sigop (signature operation count) statistical error in P2SH transactions, which could lead to potential consensus fork risks. This fix corrects the incomplete patch issue from the previous 4.5.0 version, which was just released yesterday.The Zcash development team stated that the problem originated from discrepancies in sigop counting logic across different implementations, which could cause nodes to produce different results when validating transactions, thereby affecting on-chain consensus consistency. The fix was implemented by reverting and adjusting the Rust implementation logic to ensure alignment with the expected behavior of the protocol.The Zcash Foundation emphasizes that there is currently no workaround for this issue, and upgrading to 4.5.1 is the only way to ensure that nodes remain on the correct chain and avoid potential fork risks.

According to The Block, the Sui Foundation released an incident analysis report on the recent three interruptions of the mainnet, attributing the three network outages that occurred last Thursday and Friday to two independent vulnerabilities introduced by the v1.72 version upgrade. The first interruption lasted about six and a half hours, while the second and third occurred on Friday morning and afternoon, respectively.The first two interruptions were caused by the "address balance" feature introduced in v1.72, which exposed flaws in the transaction fee deduction method. When a transaction was canceled due to insufficient funds, the network would still spend those funds, resulting in a negative balance that caused the validation node reconciliation process to crash. The foundation acknowledged that the temporary fix pushed urgently on Thursday carried known interruption risks, and the team accepted this risk to quickly restore on-chain services, which led to another network interruption on Friday morning.The third interruption was triggered by another undisclosed random state vulnerability, occurring when the validation nodes restarted to install the fix patch. Sui stated that user funds were never at risk, that both vulnerabilities have been fixed, and that a mechanism to forcibly terminate stalled epochs has been established. The foundation also mentioned that AI agents with access to its production systems significantly accelerated the diagnostic process.

DxSale.Network posted on platform X in response to a previous security incident, revealing that the recent vulnerability originated from the newly launched atomic swap feature on the Binance Smart Chain (BSC), affecting the v1 lock-up contract that was launched in 2021.The team has identified the source of the issue and stated that the v2 and above versions of the lock-up contract are completely secure and have passed the Certik audit. Users can rest assured that assets locked in v2 and above are not affected.