Several of the bugs had been latent for 15 to 20 years, predating even intensive security audits from Google and Anthropic. The vulnerabilities were primarily heap and stack buffer overflows across components like the TS demuxer and VP9 decoder. The company also developed a PoC demonstrating a remote code execution (RCE) exploit primitive.
This wasn't Depthfirst's first FFmpeg discovery. Earlier in May, the firm reported finding 12 memory corruption bugs in the library, some tracing back to code from 2009, and committed up to $5 million in credits to help open-source projects fix AI-discovered flaws. Despite these efforts, the remediation pipeline is visibly strained. As of late May 2026, many FFmpeg CVEs—including CVE-2026-6385 and CVE-2025-22921—were still listed by Debian as unpatched or "postponed".
The core implication: An autonomous agent operating for roughly $21,000 total found more zero-days in one library than most human teams find in a year. The bottleneck has shifted decisively from discovery to patching.
On May 29, 2026, independent security researcher Taylor Hornby, auditing the Zcash protocol for Shielded Labs, discovered a critical "soundness" vulnerability in Zcash's Orchard shielded pool. He found it just one day after Anthropic released its Claude Opus 4.8 model on May 28.
Hornby built a custom "Zcash Full-Stack Auditor" framework on top of Opus 4.8. This system reasoned through the zero-knowledge circuit constraints of the Orchard pool and surfaced a missing or incomplete check in the elliptic curve multiplication logic—a flaw that allowed forged proofs to pass validation. Hornby then wrote a working local exploit that minted counterfeit ZEC in a test environment.
The impact was severe: The bug could have been exploited to undetectably create an unlimited number of counterfeit ZEC tokens, breaking Zcash's fixed 21-million-coin supply cap. The flaw had existed since Orchard's activation in May 2022—an undetected four-year window.
The Zcash Foundation stated there is no evidence the bug was ever exploited in the wild. However, because of the shielded pool's privacy properties, there is no cryptographic way to prove whether counterfeit coins were ever minted. This fundamental unverifiability became a central concern for the market.
Before the public disclosure, ZEC was trading at highs above $600. Once the bug became public on June 5, the token's value cratered:
The crash was amplified by an erosion of trust in Zcash's 21-million cap and the unwind of crowded long positions. Prominent trader Arthur Hayes also publicly exited his position, adding sell pressure.
These two incidents, arriving in the same week, are not outliers. They are the new baseline for a systemic shift in cybersecurity.
Speed and cost asymmetry: Depthfirst's agent found 21 bugs for ~$21,000; Hornby found a catastrophic crypto flaw the day after a new model launched. Human teams had missed both for years. The economics now strongly favor attackers, who can run similar autonomous agents at negligible marginal cost to discover and weaponize vulnerabilities.
Volume overload for maintainers: The same week, Google patched a record 429 bugs in Chrome 149. But open-source projects like FFmpeg and Debian are already showing "postponed" patching statuses for AI-discovered CVEs. The discovery pipeline is gushing faster than volunteer maintainers can handle.
A pattern, not an accident: This follows a May 2026 incident where Depthfirst's autonomous AI found an 18-year-old heap overflow in NGINX (CVE-2026-42945, CVSS 9.2) in just six hours. The technology is consistently finding ancient, critical bugs that have survived every previous audit.
The unresolved question: Whether the Zcash Orchard bug was ever secretly exploited remains fundamentally unverifiable. That uncertainty alone has damaged market confidence and raises a profound question for all privacy-focused blockchains: can an AI-discovered soundness bug in a shielded pool ever be fully cleaned up if no one can prove it wasn't used?