Zebra's halo2_gadgets circuit has a soundness bug letting a malicious prover forge Orchard's viewing-key binding
A missing copy constraint in halo2_gadgets' variable-base scalar multiplication gadget let a malicious prover submit a valid Orchard Action proof with an under-constrained base point, bypassing the check that binds the action to the correct incoming viewing key — and therefore to the correct nullifier and spend-validating key (CVSS 9.3). This is a circuit-soundness bug in Zcash's shielded-pool stack (zebrad, halo2_gadgets, orchard, zcash_primitives), a different failure class from today's earlier web-app and agent-tooling bugs — the exposure is forged proofs the network would otherwise trust. No patched version is listed yet; if you depend on any of these crates, treat Orchard proof validation as unverified until a fix lands.