Shielded Labs, in collaboration with the Zcash Foundation and other ecosystem stakeholders, submitted an Ironwood update proposal to restore the ability for users to independently verify the integrity of ZEC supplies following the discovery of a critical vulnerability in the Orchard pool.
This flaw has been active since Orchard was implemented in May 2022 and allowed an unlimited number of fake ZECs to be created without leaving any trace. This was not detected until May 2026 bugusing artificial intelligence (AI) tools by researcher Taylor Hornby to force Urgent update The team believes it is unlikely that this vulnerability was exploited by a hacker, but due to the privacy nature of the pool, it cannot be verified externally.
Ironwood seeks to address this lack of verifiability. The proposal considers the creation of new pools with bugs fixed, prohibiting old pools from producing new output, and the use of “turnstiles,” an auditing and defense mechanism to control and count cryptocurrencies going in and out of different groups of private addresses, known as shielded pools. In this way, Anyone running a node can see the total supply. Simply add your active pool balance without having to wait for mass migrations or rely on third-party valuations.
On-chain data analyzed by CipherScan revealed that approximately 380,000 ZECs were leaked from the Orchard pool after the incident. Of this, only 47,000 ZEC (0.28% of total supply) reached the exchanges, indicating limited selling pressure. At the same time, approximately 118,000 ZECs were shielded during the same period. This suggests that a significant portion of holders did not panic..
But this episode reignites structural questions about Zcash. The high concentration of mining (three pools control 79% of the hashrate) allowed Orchard pool suspensions to be quickly orchestrated, but it also became clear that effective governance relies on a small number of actors. In this sense, CriptoNoticias reported that Bitcoin developer Peter Todd has repeatedly criticized the decision to directly integrate the zk-SNARKs crypto into consensus, and that Bitcoin deliberately avoids attack surfaces by keeping a simpler design.
The fact that a vulnerability of this magnitude went undetected for four years despite multiple audits remains a major point of skepticism. nevertheless Ironwood represents a required technical patch Restoring verifiability of supply does not resolve fundamental questions about whether protocols that rely on complex cryptography and require frequent emergency updates can deliver the robustness and reliability they promise in the long term.
(Tag translation) Altcoin
