Zcash formally announces the “Ironwood” proposal: can letting anyone verify ZEC circulating supply save confidence?

Last week, after the Orchard pool was found to have a counterfeit vulnerability, Zcash founder Zooko personally advanced a proposal called Ironwood, which provides the ability for users to verify whether the circulation of Zcash is correct.
(Background: The engineer who uncovered the four-year Zcash vulnerability: Monero (XMR) also needs auditing)
(Additional background: Arthur Hayes called out the "Holy Trinity Coins" and then liquidated ZEC, NEAR, WLD)

Table of Contents

Toggle

• Goals of Ironwood
• Three things Ironwood will do
  • ① Open a new shielded pool
  • ② Lock the old Orchard pool’s new outputs
  • ③ Establish higher guarantees for the code
• What will happen to the old Orchard pool
  • What is Turnstile
• Why this design is useful
• By the way: Has the vulnerability been exploited?
  • Outcome A: No excess ZEC attempted to leave the old Orchard pool
  • Outcome B: Excess ZEC attempted to leave the old Orchard pool
• Impact on wallets and users
  • Wallets
  • Receiving addresses
• Timeline
• Conclusion: We don’t want you to just trust our judgment

Summary of key points

The privacy coin Zcash recently underwent a severe correction. The trigger for this crash was a technical audit report. On May 29, security engineer Taylor Hornby, hired by Shielded Labs, reviewed the Zcash Orchard shielded pool circuit and discovered a critical flaw of "insufficient constraints," allowing an attacker to forge arbitrary values for elliptic curve multiplication inputs, and still pass verification, theoretically enabling unlimited undetectable ZEC minting.

This vulnerability has existed since the Orchard protocol was activated in May 2022, lurking for four years. Although the official emergency fix has been implemented, Zcash founder Zooko Wilcox stated that the actual exploitation of this vulnerability is "extremely unlikely." However, community confidence has been severely shaken, so Zooko released a proposal called Ironwood on the 6th, which we translate and organize below.

Why is Ironwood needed

Shielded Labs is collaborating with the Zcash Foundation, Tachyon Group, Valar Group, and Zcash Open Development Lab (ZODL) to push forward a proposal called Ironwood — aiming to restore the community’s ability for users to verify the correctness of Zcash’s circulation.

Event recap:

• Last week, Zcash’s Orchard pool was found to have a counterfeit vulnerability
• An emergency network upgrade coordinated with ZODL and other ecosystem members has been completed, closing the issue, scheduled for June 2, 2026
• Although we believe the likelihood of exploitation is low (see other article for details), the privacy features of Orchard prevent users from verifying this themselves

Ironwood enables users to verify Zcash’s circulation independently.

Once activated, simply summing the balances of all active pools allows immediate verification — no need to guess whether others are malicious, nor wait for the Orchard pool migration to complete.

Goals of Ironwood

Allow every Zcash user to verify the “supply integrity” of Zcash themselves.

This capability was compromised due to the existence of the counterfeit vulnerability. When Ironwood is activated, users only need to run a node to independently verify that Zcash’s total circulation is “sound.”

Ironwood will do three things

① Open a new shielded pool

Use Orchard’s circuit, but patched against the recent counterfeit vulnerability.

② Lock the old Orchard pool’s new outputs

Any transaction attempting to create new outputs in the old Orchard pool will be considered invalid.

③ Establish higher guarantees for the code

Including AI-assisted security audits, formal verification, and other techniques, aiming to eliminate other potential counterfeit vulnerabilities.

What will happen to the old Orchard pool

From the moment Ironwood is activated, all transactions creating new outputs in the Orchard pool will be rejected.

In other words, ZEC can no longer circulate within this pool.

From that moment on, the only way for ZEC in the pool to exit is through turnstile.

What is Turnstile

Turnstile is Zcash’s on-chain mechanism for recording “transfers between pools”:

• Tracking how much ZEC comes in and goes out of each pool
• Rejecting any transaction attempting to move out more than the legitimate amount that entered

Why is this design useful

This set of rules results in: users do not need to wait for any Orchard funds to migrate. Once Ironwood is activated, it can be proven directly from consensus rules that — the currently circulating ZEC will not exceed the correct amount.

This provides an immediate, trustless guarantee:

• Excess ZEC cannot quietly circulate within the Orchard pool
• Nor can it escape into other pools

By the way: Has the vulnerability been exploited?

Ironwood might also provide evidence whether the vulnerability was exploited, but this is not the goal; whether the goal is achieved does not depend on whether evidence is found.

When legitimate users migrate funds from the old Orchard pool, assuming a counterfeit attacker exists, they face a choice:

• Attempt to move out counterfeit funds: risk exposing themselves
• Leave the funds there: risk being unable to move them out later

This leads to two possible outcomes:

Outcome A: No excess ZEC attempted to leave the old Orchard pool

→ This is strong evidence that “the vulnerability was not exploited.”

Reason: If an attacker exists, they would have a strong motivation to move out their counterfeit funds before legitimate users complete migration, making inaction unlikely.

Outcome B: Excess ZEC attempted to leave the old Orchard pool

→ These excess funds will be blocked, effectively destroyed.

Unfortunately, to maintain the goal of “correct total circulation in the pool,” this is necessary.

At the same time, this also constitutes publicly verifiable counterfeit evidence.

Because we believe the vulnerability was not exploited, the probability of Outcome B occurring is very low.

Impact on wallets and users

Wallets

We recommend that all wallets supporting the current Orchard pool also support the new pool.

Specific suggestions:

• Before Ironwood is activated, maintain normal operation
• After activation, migrate user funds from the old Orchard pool to the new pool

Migration will have privacy side effects — revealing transfer amounts and times. But we judge the privacy impact to be limited, and further mitigated through wallet behaviors.

Receiving addresses

Old Orchard receivers (addresses) remain valid, no need to change.

Addresses created before the upgrade will, even after Ironwood is activated and ZEC is received, automatically credit as “ZEC in the new pool.”

Timeline

Like most network upgrades, Ironwood requires development, testing, review, and ecosystem coordination.

Experience tells us that such work usually takes longer than expected — it’s better to be conservative with timelines than to overpromise and underdeliver.

An additional uncertainty is that zcashd’s phased deprecation is ongoing. Although Shielded Labs is not directly involved, the progress of exchanges, mining pools, wallets, and infrastructure migrating to Zebra will affect the timing of this network upgrade.

Once implementation plans are mature and discussions continue, the timeline will become clearer.

Conclusion: We don’t want you to just trust our judgment

We want to emphasize: We believe the likelihood that the Orchard vulnerability was exploited is low.

But users should not be forced to trust our judgment or anyone else’s when it comes to Zcash’s supply integrity.

The design of Ironwood aims to return this guarantee to every user: anyone can verify it themselves.

Whether or not the vulnerability was exploited, the goal remains — making Zcash’s supply integrity something that can be personally verified.

We believe Ironwood is the best path forward and look forward to discussing this proposal with the Zcash community.