Zcash founder Zooko Wilcox says the network’s proposed Ironwood upgrade will let any full-node user immediately and trustlessly verify that ZEC’s circulating supply is correct from the first block of activation — an answer to community worries after a recently patched Orchard vulnerability.
In posts on X and the Zcash Community Forum, Wilcox framed Ironwood not as a forensic tool to prove whether Orchard was ever exploited, but as a mechanism to make the current supply independently auditable by anyone running a full node. “When Zcash Ironwood activates, you will immediately, on Day 1 of Ironwood, gain trustless verification from your own full node that the actual supply of Zcash is correct,” he wrote, referencing “16M ZEC now, 21M ZEC eventually.”
Why that matters
The Orchard pool is shielded by design, giving users privacy but making it harder to tell from the public ledger whether a past soundness bug could have been abused without leaving visible traces. That ambiguity led to two distinct concerns being conflated: (1) whether counterfeit coins were ever created inside Orchard, and (2) whether the present circulating supply can be verified today. Wilcox emphasized he’s prioritizing the second issue — making the supply provably sound regardless of past events.
How Ironwood achieves this
Under the Ironwood proposal:
- The old Orchard pool would be disabled as an internal circulation venue: transactions that create new outputs in the old Orchard pool would be rejected after activation.
- Funds would need to exit the old pool via Zcash’s turnstile accounting mechanism before they can enter the new Ironwood pool.
- The turnstile records how much ZEC legitimately entered and exited each pool and prevents any attempt to move out more than what was recorded as having entered.
Wilcox says that mechanism means users don’t need to wait for every Orchard user to migrate, nor rely on assumptions about attacker behavior. He argued Ironwood will “snuff out any excess ZEC in the Orchard pool” on the very first block of activation — meaning any ZEC above the amount he identifies as legitimately part of Orchard (about 4.5 million ZEC) would be immediately rendered economically unusable under the new rules. “It will snuff out any excess ZEC immediately, trustlessly, and globally,” he wrote. “It will snuff out any excess ZEC regardless of whether there actually is any excess ZEC. If there isn’t, then all Ironwood does is give you the ability to prove to yourself that there isn’t.”
Two possible worlds, one verification
Wilcox laid out two hypothetical scenarios: one where an unlimited amount of counterfeit ZEC was created inside Orchard before the bug was closed, and one where it was not. In either case, he argues, Ironwood allows node operators to verify on Day 1 that no more than 16 million ZEC are currently circulating. Over time, migration behavior could also provide evidence about whether Orchard was ever exploited: if excess ZEC tries to leave the old pool, the turnstile should reject it, preserving the circulating supply while exposing that counterfeiting occurred; if no excess attempts to exit, that supports the view that Orchard was never abused.
Wilcox said he personally believes no counterfeit ZEC was created, noting reasons he has previously given, but stressed that Ironwood intentionally removes the need for trust in any individual’s judgment.
Context and next steps
The comments are intended to address community unease following the disclosure and remediation of the Orchard vulnerability and to explain how Ironwood’s design provides trustless, local verification of supply. The upgrade also changes how private pool balances are handled during migration to prevent hidden or illicit balances from undermining supply integrity.
At press time, a specific ZEC price was not provided.
Read more AI-generated news on: undefined/news
