Zcash's infinite-mint bug, Morpho's rebrand and Midnight launch, and the pERC20 private token standard

The TLDR Crypto digest on June 8 was a masterclass in why privacy chains and DeFi protocols are never as settled as they look. A security researcher found a critical infinite-mint vulnerability in Zcash's Orchard shielded transaction pool that would have allowed unlimited ZEC to be minted without any on-chain trace. Morpho rebranded to "the open credit network for the world" and shipped the Midnight whitepaper, a fixed-rate lending protocol with an explicit $200T-onchain ambition. And a new Ethereum token standard, pERC20, deliberately breaks ERC-20 compatibility to put privacy at the protocol level.

What You Need to Know: A security researcher found a critical vulnerability in Zcash's Orchard shielded transaction pool that could have allowed attackers to mint unlimited ZEC undetectably. Morpho rebranded to "the open credit network for the world" and released the Morpho Midnight whitepaper, targeting $200T of global credit onchain. A new pERC20 standard was proposed, replacing ERC-20's public balance/transfer functions with a ZK note-based interface for native privacy.

Why It Matters

• Privacy is not a feature. It is a protocol-level commitment, and it can be broken at the math layer. The Zcash Orchard bug sat inside the ZK proving system, the layer that enforces supply integrity. The same privacy properties protecting users would also have concealed inflation from public detection. The patch took days. The detection took a commissioned audit. That is a fragile model.
• Morpho Midnight is the most ambitious DeFi rebrand of 2026, and the architectural choices are the real story. Fixed-rate, fixed-term lending with fungible maturities, on top of the same isolated, immutable, permissionless Morpho Blue architecture, and a $200T TAM claim that is either visionary or delusional depending on your priors.
• pERC20 is the first serious proposal to break ERC-20 compatibility in the name of privacy. Replacing balanceOf, approve, allowance, and transferFrom with ZK note-based interfaces is a non-trivial migration, and the compliance primitive (a sparse Merkle blacklist enforced by the ZK circuit) is the part that will get the most scrutiny.
• For builders: privacy is hard, supply integrity is harder, and the safest place to fail is in the parts of the protocol that are auditable by construction. ZK is not a substitute for adversarial testing. It is a multiplier on it.

What Actually Happened

Zcash's Orchard infinite-mint bug

A security researcher commissioned by Shielded Labs to audit the Zcash Orchard circuit found a vulnerability that would have permitted unlimited ZEC minting without any on-chain trace. The flaw sat inside the Orchard shielded-pool zero-knowledge proving system, the layer that enforces supply integrity. The same privacy properties that protect users would also have concealed inflation from public detection, which is the nightmare scenario for a privacy chain. The bug was patched within days, but prior discovery or exploitation cannot be ruled out and is not provable without deeper forensic analysis. The Block reported that the disclosure triggered a 31% drop in ZEC as the community explores a network upgrade to verify supply integrity and migrate to a new shielded pool. The researcher later added Monero to his audit scope, directing attention toward similar ZK circuit risks across privacy-focused chains. The bug had been present since Orchard launched in May 2022, which is roughly four years of exposure window.

Morpho rebrands and ships Midnight

Morpho rebranded to "the open credit network for the world" and released the whitepaper and codebase for Morpho Midnight, a fixed-rate, fixed-term lending protocol built on the same isolated, immutable, permissionless architecture as Morpho Blue. The explicit scope is putting $200T of global credit onchain. Midnight's core mechanic, "offered capital," keeps lender funds earning variable rates on Morpho Blue until a fixed-rate offer is matched, with positions sharing a maturity made fungible to allow early exit and late entry. That directly addresses the capital commitment and liquidity fragmentation problems that caused prior fixed-rate protocols to fail. May integrations include Kraken's Bitcoin Vault, Trezor's Stablecoin Earn, Stable's StableEarn, and Circle Arc credit products running on Morpho, plus NASDAQ-listed Figure deploying home-equity-backed PRIME as collateral. The rebrand is bigger than the product launch. Morpho is positioning itself as the credit layer of crypto, not just a lending primitive.

pERC20: a privacy-native token standard

pERC20 is a proposed Ethereum token standard that deliberately breaks ERC-20 compatibility. It replaces public balanceOf, approve, allowance, and transferFrom with a ZK note-based interface using Orchard-style Groth16 proofs. Tokens exist only as encrypted ZK-UTXO notes with no public-to-private shielding step required, and note-to-note transfers keep amounts and counterparties hidden on-chain. totalSupply remains public, and a valueBalance == 0 constraint enforced on every transfer blocks covert inflation while preserving balance privacy. Compliance integrates via frozen-root binding, where each action commits to a cmxFrozenRoot and the ZK circuit must prove the spent note is absent from an admin-maintained sparse Merkle blacklist, enabling targeted note freezes without exposing other users' balances. The design is the first credible attempt to make privacy a protocol-level commitment in an EVM-compatible chain. It is also the first one that does not pretend you can have compliance as an afterthought.

The Take

Here is the part that matters and the part that is easy to miss: the Zcash bug, the Morpho launch, and the pERC20 proposal are all reactions to the same underlying tension, which is that crypto wants the privacy guarantees of ZK and the audit guarantees of public chains, and the two are fundamentally in conflict. Zcash just learned what happens when the ZK circuit is the only line of defense and the audit comes four years too late. Morpho is choosing the other side of the trade-off, building a credit layer where privacy is not the primary primitive and the audit story is built into the architecture. pERC20 is trying to thread the needle with a compliance primitive that is enforced at the protocol level. The crypto stack of 2027 is going to be defined by which of these trade-offs the institutional money accepts. ZK privacy is the most powerful primitive in the space, but the Zcash bug is the clearest demonstration yet that ZK is not a substitute for adversarial testing, it is a multiplier on it. Audit the proofs, then trust the proofs.

Quick Summary

Zcash patched a critical infinite-mint bug in its Orchard shielded pool that had been present since May 2022 and could have minted unlimited ZEC undetectably. Morpho rebranded and shipped Midnight, a fixed-rate lending protocol with a $200T-onchain ambition, on the same Morpho Blue architecture. pERC20 was proposed as a privacy-native Ethereum token standard that breaks ERC-20 compatibility and enforces compliance at the ZK circuit level. The theme is the trade-off between privacy and auditability, and it is unresolved.

Sources

• The Block: Security researcher finds Zcash vulnerability allowing unlimited counterfeit minting; ZEC drops 31%
• Thread Reader: Researcher Finds Undetectable Infinite-Mint Bug in Zcash Orchard Circuit
• Morpho on X: Morpho rebrands and releases Morpho Midnight
• Thread Reader: pERC20 - A Privacy-Native Fungible Token Standard for Ethereum
• Polygon: How Intent-Based Payment Routing Works for X-Chain Money Movement