diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 35c665c5..c9ee65fe 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1592,7 +1592,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ValueNet}[1]{\Value^\mathsf{net}_{#1}} \newcommand{\ValueLength}{\ell_{\mathsf{value}}} \newcommand{\ValueType}{\binaryrange{\ValueLength}} -\newcommand{\SignedValueType}{\range{-2^{63}}{2^{63}-1}} +\newcommand{\SignedValueFieldType}{\range{-2^{63}}{2^{63}-1}} +\newcommand{\SignedValueDifferenceType}{\range{-2^{64}+1}{2^{64}-1}} \newcommand{\ValueCommitTypeSapling}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}} \newcommand{\ValueCommitTypeOrchard}{\bigrange{-\SignedScalarLimitP}{\SignedScalarLimitP}} \newcommand{\ValueCommitRand}{\mathsf{rcv}} @@ -6134,10 +6135,11 @@ values, breaking the binding property of the \valueCommitmentScheme. The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that $\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeSapling$. -The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$. -Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$. +The $\spendStatements$ (\crossref{spendstatement}) prove that all of $\vOld{\alln}$ +are in $\ValueType$. Similarly the $\outputStatements$ (\crossref{outputstatement}) +prove that all of $\vNew{\allm}$ are in $\ValueType$. $\vBalance{Sapling}$ is encoded in the \transaction as a signed two's complement $64$-bit integer -in the range $\SignedValueType$. $\ValueLength$ is defined as 64, so $\vSum$ +in the range $\SignedValueFieldType$. $\ValueLength$ is defined as 64, so $\vSum$ is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$. The maximum \transaction size is $2$ MB, and the minimum contributions of a \spendDescription and an \outputDescription to \transaction size 
@@ -6331,13 +6333,14 @@ values, breaking the binding property of the \valueCommitmentScheme. The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that $\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeOrchard$. -The $\actionStatements$ prove that all of $\vNet{\alln}$ are in $\SignedValueType$. Similarly, -$\vBalance{Orchard}$ is encoded in the \transaction as a signed two's complement $64$-bit integer -in the range $\SignedValueType$. Therefore, $\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$. -$n$ and $m$ are limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due +The $\actionStatements$ (\crossref{actionstatement}) prove that all $\vNet{\alln}$ +are in $\SignedValueDifferenceType$. $\vBalance{Orchard}$ is encoded in the \transaction as a +signed two's complement $64$-bit integer in the range $\SignedValueFieldType$. Therefore, $\vSum$ is +is in the range $\range{-n \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$. +$n$ is limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due to the $2$ MB \transaction size limit, but it suffices here). -This ensures that $\vSum \in \range{-604453686435277732577280}{604453686435277732511745}$, +This ensures that $\vSum \in \range{-1208916596242592319864832}{1208916596242592319864833}$, a subrange of $\ValueCommitTypeOrchard$. Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction 
@@ -6909,6 +6912,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$. The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent \pallasCurve points, i.e.\ $\GroupP$. + \item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the + range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$ + of $\vBalance{Orchard}$. \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer from the previous \merkleLayer. @@ -13848,6 +13854,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2021.1.19}{} \begin{itemize} \nufive{ + \item Correct the range of input to $\ValueCommitAlg{Orchard}$ in the \actionStatement, and + the corresponding security argument in \crossref{orchardbalance}. \item Update the consensus rules that prevent trivial transactions (with no inputs or outputs) to take into account \actionTransfers in the v5 \transaction format. \item Make $\DiversifyHash{Orchard}$ total, by replacing an output of $\ZeroP$ with another base.
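Review bot: In the macro hunk at line 1592, `\SignedValueType` is deleted rather than kept as an alias, so any use outside the two paragraphs this patch updates will stop compiling. Search protocol.tex for remaining `\SignedValueType` before merging. It would also help to put a one-line comment above the two new macros saying which is the encoded field range (`\SignedValueFieldType`) and which is the range of a difference of two values (`\SignedValueDifferenceType`), since the names alone are easy to confuse.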
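Review bot: In the Orchard balance hunk at line 6331, the added text has a doubled word across the line break: one added line ends with `Therefore, $\vSum$ is` and the next begins `is in the range`. Drop one "is". The new numeric bounds do agree with the stated formula for n = 2^16 - 1, so no change is needed there. A smaller point: the added sentence says "all $\vNet{\alln}$" where the Sapling paragraph says "all of", and matching the wording would keep the two arguments parallel.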
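Review bot: In the note added at line 6909, the new `\item` says the scalar multiplication "must operate correctly" on `\SignedValueDifferenceType` but does not spell out the consequence an implementer needs: that range, -2^64+1 to 2^64-1, does not fit in a signed 64-bit integer, unlike the `\SignedValueFieldType` range of `\vBalance{Orchard}`. Suggest stating that explicitly, so that code reusing the 64-bit balance type for the commitment input is recognisably wrong. Also, "different to" would read better as "different from".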