News
9 Jun 2026, 14:04
Zcash Ironwood Upgrade Finalizes to Patch Orchard Pool Flaw, Targets July

Zcash developers have finalized consensus rule changes for the Ironwood upgrade, targeting late July. It aims to get an activation at block height 3,417,100 to address a critical vulnerability in the Orchard shielded pool that exposed the network to unlimited counterfeit ZEC minting. UPDATE: Zcash devs finalized the Ironwood upgrade, adding a new Orchard shielded pool to reduce the risk of unlimited counterfeit $ZEC circulating. ZEC has now recovered +80% from its intraday low of around $252 on June 5. pic.twitter.com/4jGJWXPlIH — Coin Bureau (@coinbureau) June 9, 2026 The upgrade introduces a replacement shielded pool, enforces supply controls via an existing turnstile mechanism, and disables new incoming payments to the compromised Orchard pool, all backed by formal verification of the underlying zero-knowledge proof circuits and independent third-party security audits. Discover: The Best Token Presales The Orchard Pool Bug: Ironwood to Fix Zcash The Orchard pool was introduced in May 2022 as part of the NU5 upgrade, which brought the Halo 2 proof system to Zcash and positioned Orchard as the protocol’s next-generation privacy layer. It is a shielded environment leveraging zero-knowledge proofs to obscure transaction amounts and participant addresses without a trusted setup. The flaw discovered in early 2026 resided in the Orchard protocol’s circuit integrity: an attacker exploiting it could have minted counterfeit ZEC without any on-chain trace detectable through normal node verification. The bug meant the total ZEC supply enforced by consensus was not actually bounded within the Orchard pool. Because Zcash’s zero-knowledge architecture is precisely what makes Orchard private, the same properties that protect legitimate user transactions also make unauthorized issuance invisible to external observers, and, critically, to the Zcash development team itself. An AI-assisted security review by external researchers surfaced the flaw, leading to a quiet patch and coordinated disclosure before Ironwood was formally proposed. Discover: The Best Crypto to Diversify Your Portfolio Turnstile, New Pool, and Supply Verification Ironwood was proposed jointly by ZODL, Tachyon, Valar Group, the Zcash Foundation, and Shielded Labs, a multi-stakeholder governance structure that distinguishes this response from a single-team patch. The upgrade’s core mechanism is a redesigned Orchard circuit that includes a flag capable of disabling payments to other users within a pool while preserving the ability to generate change notes, which Bowe has described as a privacy safeguard. Zcash (ZEC) 24h 7d 30d 1y All time Once activated, that flag will be permanently enabled for the legacy Orchard pool, constraining the valueBalance field and routing all new Orchard-addressed payments automatically to the replacement pool. The supply controls enforced by Ironwood depend on the protocol’s pre-existing turnstile mechanism; every ZEC exiting the old Orchard pool must pass through the turnstile before entering the new pool, and the turnstile enforces that the total value leaving the old pool cannot exceed the value that verifiably entered it. Bowe stated: “This combination enforces a bound on the circulating supply of ZEC through the use of the existing turnstile mechanism; the amount of ZEC that anyone can transact with is no more than the amount that is supposed to exist.” Once migration is complete, on-chain data will allow any full node to independently verify that no counterfeit ZEC crossed into the new pool, restoring trustless supply verification at the protocol level for the first time since the vulnerability was introduced. The activation target coincides with zcashd end-of-support at block height 3,417,100. Testnet trials, ecosystem coordination, and final security audits remain outstanding before mainnet activation. Wallet providers supporting Orchard are expected to offer one-click migration tooling, and the new pool is designed to preserve existing Orchard addresses, avoiding disruptive key rotation for active users. Discover: The Best Token Presales The post Zcash Ironwood Upgrade Finalizes to Patch Orchard Pool Flaw, Targets July appeared first on Cryptonews .
9 Jun 2026, 13:44
Zcash Climbs 80% Since June 5 as Traders Shrug off Orchard Bug Fears

Zcash jumped 11.3% to $478, marking an approximate 80% recovery since its June 5 plunge. The rally pushed its market capitalization back above $8 billion and wiped out $11.5 million in short positions. The Orchard Vulnerability Privacy coin Zcash (ZEC) surged on Tuesday, jumping 11.3% to $478 as it maintained a steady recovery that began
9 Jun 2026, 12:02
Humanity's $36 million exploit tied to compromised laptop hosting a 'multisig' wallet

The compromised laptop held enough multisig keys to take over the project's bridges on two chains, a basic security failure for a startup backed by Pantera and Jump Crypto.
9 Jun 2026, 11:52
Asterix hit as Flooring Protocol vulnerability spreads across forks

The Flooring Protocol exploit from June 8 got a sequel earlier today when Asterix, a fork of the NFT liquidity platform, became the victim of an exploit that drained roughly $40,000 in assets. The exploit news sours the mood after white hat researchers reported having helped claw back more than $500,000 in blue-chip NFTs from the same Flooring contracts vulnerability that appears to have been used to break into Asterisk. Flooring Protocol’s vulnerability spread to Asterisk via forked code A member of the BlockSec blockchain security firm, Phalcon was one of the first to notice the similarities between the Asterix attack vector and the flaw that allowed attackers to drain Flooring Protocol pools on June 8. Phalcon said the Flooring Protocol attack was essentially run back on Asterix because the latter was apparently forked from DN404/BT404, a token standard that blends fungible and non-fungible mechanics. Initial reports on the Flooring incident had loss numbers at above $900,000 before white hat interventions helped recover around $500,000. Asterix has already confirmed the breach in an X statement , acknowledging an exploit had struck the $ASTX token contract around 4 a.m. GMT+8. The team said it was investigating and would publish a full post-mortem once the analysis was complete. How did the Flooring exploit happen? Flooring Protocol, which shut down operations last year, allowed users to deposit NFTs into pools and receive fungible tokens pegged one-to-one to those locked assets. The Flooring Protocol attack that has since started to spread exploited a flaw in the platform’s BT404-style accounting system that Yuga Labs VP of Blockchain called a “ghost ownership” phenomenon on X . In simple terms, it means someone could use one malicious token ID to pass one ownership check and still reuse it to produce a different result in another accounting logic, causing a mathematical problem in token balance. In this case, the attacker created a near-infinite balance of fpTokens, the fungible tokens that anyone can use to claim NFTs locked in Flooring’s pools. Yuga Labs steps up with white hat effort Once the Flooring drain became public, Yuga Labs CEO Michael Figge said the company quickly launched a white hat rescue before another attacker could reach vulnerable NFTs. The NFT rescue operation secured 68 NFTs worth an estimated 346 ETH (roughly $570,000 at the time), including 29 Bored Ape Yacht Club NFTs, four Mutant Apes, two CryptoPunks, one Azuki, two Elementals, 26 Captains, one Moonbird, and two Doodles. Super Secret Rare (SSR), a project that detected its vulnerability after Asterisk was hit, warned users not to interact with the pool while the situation remained unresolved. FreeLunchCapital, the developer behind Flooring’s affected contracts, confirmed the exploit also hit BitmapPunks, which used a similar contract design. Both projects relied on fungible tokens pegged one-to-one to locked NFTs, making them vulnerable to the same attack path. One exploit after another The Flooring and Asterix incidents add to a miserable streak of security failures ripping through Web3. As Cryptopolitan observed in earlier reports , the astronomical dollar losses in April snowballed into a higher count of individual incidents in May, reaching 60 confirmed security incidents totaling $68.3 million in gross losses per Certik. PeckShield attributed $340.7 million in losses to 14 bridge and cross-chain exploits as of June 1. Forked protocols present their own kinds of headaches. When downstream projects copy code without auditing it, a single vulnerability in the base codebase can be replicated across multiple levels, just as it happened in the Flooring, Asterix case now. Yuga Labs said the rescued NFTs will be returned once Flooring Protocol developers complete a patch. 0xQuit warned users not to deposit new NFTs into Flooring while the vulnerability remains open. For Asterix holders, the $40,000 loss is smaller in scale, but the team has not yet disclosed whether any recovery is possible. If you're reading this, you’re already ahead. Stay there with our newsletter .
9 Jun 2026, 11:41
Bitcoin Stalls Near $62.6K as Strategy Adds 1,550 BTC, Humanity Hack Drains $32M

Bitcoin News The recent Bitcoin rebound off Friday's sub-$60,000 plunge looks more like a relief rally than a genuine turn, analysts caution. Traders argue the asset must reclaim the $79,000-$80,00...
9 Jun 2026, 11:02
ZachXBT Says Humanity Protocol’s $32 Million Crypto Hack Looks Staged — Here’s The Evidence He Found

Humanity Protocol, a biometric blockchain identity project that had been one of crypto’s top-performing tokens of 2026, suffered a catastrophic security incident on June 9 in which attackers drained approximately $32 million from more than 17 wallets — sending the H token crashing 90% within hours — before on-chain investigator ZachXBT publicly questioned whether the incident was a genuine external hack or a staged exit by the project’s own insiders. The attack unfolded in two phases. In the first, attackers minted 100 million H tokens and drained associated wallets, converting approximately $23.7 million into ETH across multiple addresses while leaving roughly $7.9 million in H tokens, per on-chain data flagged by Arkham Intelligence. In the second phase, the attacker extended the exploit to BNB Chain — taking over the H token’s proxy admin contract and minting an additional 100 million H tokens worth approximately $12.9 million to a fresh wallet, per blockchain security firm Blockaid’s on-chain monitoring of the incident. Humanity Protocol acknowledged the breach in an official post on X, confirming that private keys belonging to a member of the Humanity Foundation had been compromised. The team urged users to avoid interacting with the bridge or any liquidity pools until further notice, and stated that official updates would come only from the main account or co-founder Terence Kwok’s personal account, per the @Humanityprot post — one of your provided sources. ZachXBT’s Three-Post Takedown On The Crypto Hack The incident might have passed as a conventional private key compromise had ZachXBT not weighed in within hours. In three posts on X the pseudonymous on-chain investigator systematically dismantled the team’s narrative. In his first post, ZachXBT noted that the picture was unclear — it could be a hack or a deliberate rug — but flagged that the H team appeared to be working with an active market maker given the concentrated token supply, and that all H tokens were sold on DEXs rather than centralized exchanges — an unusual pattern for an external attacker seeking liquidity. In his second post, he sharpened the assessment: “The incident seems possibly staged. I am not buying the team’s story. It’s a convenient way for the active MM to have exited.” In his third post, he turned to the project’s broader credibility: “You choose to crime pump your token for weeks with zero fundamentals and think CT will blindly trust your story? Disclose your active MM agreements with the HK entity first.” ZachXBT later walked back some of his concerns after additional analysis suggested the private key compromise and market-making issues may be unrelated — but the damage to the project’s credibility was already done. The Context That Made ZachXBT’s Suspicions Land The timing of the incident carries its own weight. The H token had surged approximately 875% above its 2026 low before the crash, per BanklessTimes — making it one of the year’s most extreme performers in a sector not short of extreme performers. A token unlock is scheduled for June 25 — two weeks away — a timeline that would make a staged exit before unlock a financially rational, if criminal, decision. Three of the project’s four co-founders have documented histories involving lawsuits, financial fraud allegations, and management failures. Reports citing internal conversations suggested only approximately one million of the project’s nine million registered identities had completed biometric verification — the core metric on which Humanity’s entire value proposition rests. This development marks a critical and deeply familiar moment for the nascent sector. A 90% token crash tied to a private key compromise that crypto’s most respected on-chain investigator publicly questions as staged — arriving weeks before a major token unlock, involving a project whose leadership carries documented red flags — is precisely the pattern that has defined the sector’s most damaging fraud cases. Whether ZachXBT’s suspicions ultimately prove correct will depend on on-chain evidence still being gathered. What is already clear is that $32 million is gone and the community that trusted Humanity Protocol’s identity narrative is left with nothing but questions. Cover image from Grok, ETHUSD chart from Tradingview








































