Zcash is preparing to activate its Ironwood network upgrade on July 28 at block height 3,428,143, a direct response to a serious bug that could have allowed unlimited counterfeit ZEC to be minted from thin air. The privacy-focused blockchain discovered the vulnerability in late May, and the past two months have been a masterclass in crisis management, or at least an attempt at one.

The bug resided in the Orchard shielded pool, the very layer designed to keep Zcash transactions private. In a cruel irony, the privacy feature that made ZEC attractive was also the mechanism that could have let someone quietly print fake coins without anyone noticing.

What happened and how Zcash responded

Researcher Taylor Hornby uncovered the soundness flaw in late May 2026. The vulnerability was particularly alarming because it exposed a fundamental weakness in a system that relied heavily on developer trust rather than cryptographic guarantees for supply integrity.

The Zcash team moved quickly with emergency patches in early June. A soft fork temporarily disabled the Orchard pool entirely, followed by a hard fork to further lock down the vulnerability.