Zcash founder Zooko Wilcox said an AI-driven security review by Anthropic’s Claude Mythos found no serious vulnerabilities in Zcash’s protocol. The audit was requested by Shielded Labs, a Swiss non-profit that supports Zcash development, and Wilcox said the model did not uncover “any more serious bugs.”
The audit follows a June 3 incident when Zcash developers temporarily suspended Orchard transactions after a vulnerability was identified in the shielded pool. Developers restored functionality the same day via an emergency upgrade.
That flaw traced back to a four-year-old forgery bug in the Orchard shielded pool. Security researcher Taylor Hornby discovered the issue with assistance from Anthropic’s Claude Opus 4.8 model. The Zcash Foundation reported there is no evidence the vulnerability was exploited, no unauthorized value creation occurred, and user privacy remained intact.
The use of advanced AI models to find bugs has accelerated vulnerability discovery but also sparked wider security concerns across the crypto sector. Anthropic recently released a public version of its Mythos family (branded Fable 5) and said internal testing flagged thousands of high- and critical-severity issues in “systemically important software.” To reduce risk, Anthropic routes some sensitive cybersecurity queries to a different model, Claude Opus 4.8.
Shortly afterward, Anthropic suspended access to Fable 5 and Mythos 5 following a U.S. government export control directive that cited national security concerns.
Security practitioners warn the same AI capabilities that help defenders can also empower attackers. Mitchell Amador, CEO of bug-bounty platform Immunefi, has described a widening “vulnerability apocalypse,” where powerful models make it easier to discover exploit paths and have contributed to a resurgence in DeFi attacks.
Data show an uptick in crypto thefts: hacks totaled about $634 million in April, the highest monthly figure since the February 2025 Bybit incident that resulted in roughly $1.4 billion in losses, according to aggregated DeFi hack tracking.
The Zcash incident illustrates both the benefits and risks of AI in cybersecurity: models can help find and triage deep, long-standing flaws, but their public availability and power also change the adversary landscape. Zcash’s developers and the Foundation emphasize that the immediate issue was contained and addressed, while the broader industry continues to grapple with how best to use and govern advanced vulnerability-discovery tools.