Zcash races to fix a hidden counterfeiting flaw — why 'verify the supply' matters
Zcash, one of the best-known privacy coins, is preparing a network upgrade called Ironwood to close a hidden flaw that c…
Zcash, one of the best-known privacy coins, is preparing a network upgrade called Ironwood to close a hidden flaw that could, in theory, have let someone create counterfeit ZEC without anyone noticing. Developers say the upgrade is nearing a testnet trial, but the harder part — getting exchanges, wallets and mining pools onto new software — may push the timeline.
In May, researchers disclosed a four-year-old bug in Orchard, Zcash's main private-transaction pool. Security researcher Taylor Hornby found it using Anthropic's Claude Opus 4.8. The flaw could have allowed an unlimited amount of counterfeit ZEC to be minted inside the pool without detection. Developers patched it on June 1 and say there is no evidence it was ever used.
The catch is that the same privacy features that make Zcash appealing also make it hard to check: transaction details are hidden so well that no one can prove, after the fact, whether fake coins were ever created. The price reacted anyway — ZEC fell from more than $600 to around $300 in two days, and recently traded near $457.
Ironwood opens a new shielded pool with an accounting checkpoint: coins leaving the old Orchard pool must pass a check that stops more ZEC from exiting than originally entered. That lets anyone confirm the circulating supply stays within Zcash's intended limit, without exposing who holds what.
At the same time, Zcash is retiring its old software, zcashd, for a new stack made up of Zebra, Zaino and Zallet. Shielded Labs' Jason McGee says some exchanges and wallets expect to be ready by late July while others need more time, and no delay has been finalized. Co-founder Zooko Wilcox says security reviews have found no further serious bugs so far.
For a beginner, the lesson isn't the price swing — it's that “can I verify the total supply?” is a real question, even for a coin built on privacy. If you hold ZEC, watch official Zcash channels for wallet-upgrade instructions, use only your wallet provider's official update, and never rush a migration because a stranger told you to.