Zcash is preparing to activate its Ironwood network upgrade on July 28 at block height 3,428,143, a direct response to a serious bug that could have allowed unlimited counterfeit ZEC to be minted from thin air. The privacy-focused blockchain discovered the vulnerability in late May, and the past two months have been a masterclass in crisis management, or at least an attempt at one.
The bug resided in the Orchard shielded pool, the very layer designed to keep Zcash transactions private. In a cruel irony, the privacy feature that made ZEC attractive was also the mechanism that could have let someone quietly print fake coins without anyone noticing.
What happened and how Zcash responded
Researcher Taylor Hornby uncovered the soundness flaw in late May 2026. The vulnerability was particularly alarming because it exposed a fundamental weakness in a system that relied heavily on developer trust rather than cryptographic guarantees for supply integrity.
The Zcash team moved quickly with emergency patches in early June. A soft fork temporarily disabled the Orchard pool entirely, followed by a hard fork to further lock down the vulnerability.
These were stopgap measures. The real fix is Ironwood, which was initially proposed for activation on July 21 but was pushed back one week to July 28 to allow for additional testing and audits.
The upgrade introduces an entirely new shielded pool built on revised Orchard code. The headline feature is a turnstile, or accounting checkpoint, which requires any funds moving from the old Orchard pool to pass through a public checkpoint before entering the new Ironwood pool, allowing for real-time verification of total circulating ZEC supply.
Market reaction tells the story
The market did not take the initial disclosure well. ZEC’s price dropped approximately 50% after the bug was revealed, falling to lows near $300.
The recovery has been notable, though. After the emergency patches and the Ironwood upgrade proposal were announced, ZEC bounced back to the $400 to $500 range.
Major stakeholders appear to be rallying behind the fix. Zcash Open Development Lab, Project Tachyon, and Valar Group are all backing the upgrade with full developer support. Rigorous audits are reportedly underway, orchestrated primarily by Project Tachyon and its partners.
What investors should be watching
The July 28 activation date is the obvious milestone, but the migration process from the old Orchard pool to the new Ironwood pool will be a critical period. Users will need to move their funds through the public checkpoint.
Watch the audit results closely. Project Tachyon is coordinating these audits, and the findings will likely influence whether institutional investors who fled during the price crash are willing to return.
There’s also the question of whether any counterfeiting actually occurred before the bug was patched. Once funds migrate through the checkpoint, any counterfeit ZEC would theoretically be caught. If the total supply checks out after migration, it would be a powerful signal that the system’s integrity was maintained despite the vulnerability.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

2 hours ago
2
















English (US) ·