Zcash has locked in July 28 for its Ironwood network upgrade, a move meant to close out the Orchard privacy bug fallout and give the project a cleaner path forward without pretending the mess never happened.
- Ironwood activates July 28
- Block height: 3, 428, 143
- Orchard will stop accepting new activity
- New private pool adds an accounting checkpoint
- No evidence the bug was exploited
Sean Bowe, a Zcash core developer, said the network will activate Ironwood at block height 3, 428, 143, with rollout expected at around 8 a.m. EST on July 28. That confirms a one-week delay from the originally planned July 21 date and gives exchanges, mining pools, and wallet providers a bit more room to get their act together.
That breathing room matters because Zcash is juggling two headaches at once: a serious privacy-system repair and a broader infrastructure shift away from zcashd to the newer Z3 stack, which includes Zebra, Zaino, and Zallet. In plain English, some operators are upgrading the plumbing while also dealing with a leak in the vault.
The trouble began with an “infinity” bug in Orchard, Zcash’s primary shielded pool and privacy transaction system. According to Shielded Labs, the flaw could theoretically have allowed an attacker to create unlimited counterfeit ZEC. That is not a cute little edge-case. If a monetary system starts looking soft on supply integrity, confidence can evaporate fast.
At the same time, the most careful reading matters here. Shielded Labs also said it found no evidence that the vulnerability had been exploited. That distinction is huge. A theoretical flaw is bad enough. An actual exploited flaw in a privacy pool is the kind of thing that turns a network upgrade into a trust exercise with real stakes.
Zcash first disabled Orchard transactions through a temporary network update, then activated the NU6.2 hard fork on June 3 to fix the underlying issue and restore the pool. Ironwood is the next step in that cleanup: it shuts down the current Orchard setup for new activity and moves users into a newly created private pool.
The mechanism that makes this interesting is the accounting checkpoint. Once Ironwood is live, coins leaving Orchard must pass through this checkpoint before entering the new pool. Shielded Labs said this could help reveal whether counterfeit ZEC had ever been created through the earlier bug.
That is the whole point of the design. If fake coins were somehow minted inside Orchard, moving real funds forward may force any hypothetical counterfeiter to either try to move those fake coins through the checkpoint and risk exposure, or leave them behind with nowhere useful to go. It is not a magic lie detector, but it is a practical way to make hidden abuse harder to keep hidden.
Privacy systems create a nasty little paradox when things break. Users want shielded transactions precisely because they hide details on-chain. But when a bug threatens issuance, the same privacy that protects honest users can make post-incident forensics a pain in the neck. That is not a failure of decentralization. It is the tradeoff when you build a private monetary system that actually tries to be private.
There is also an important technical nuance that should not get flattened into clickbait. The public discussion around the Orchard bug has used phrases like “unlimited counterfeit ZEC, ” but the key takeaway is more precise: the flaw was serious enough to raise fears about invalid issuance inside Orchard, while multiple reports also say there is no evidence it was exploited on mainnet. Serious bug, real risk, no confirmed abuse. That is the correct frame.
The timing also lands as Zcash crosses a meaningful supply milestone. A post from ruZCASH on Monday showed circulating supply had reached 16, 806, 723 ZEC, meaning more than 80% of the cryptocurrency’s maximum 21 million supply has now been issued. For a capped asset, that is not just trivia. Supply integrity is the promise.
The market did what crypto markets do: it overreacted, then calmed down, then tried to look smart about it. Following public disclosure on June 3, ZEC fell about 50% from $602.68 to $299.25, before later recovering to $492.61 at the time of writing. A privacy coin getting hit with a supply-integrity scare is not exactly a shocker. Traders love scarcity until somebody asks whether the ledger is still doing basic math.
Still, the bigger story is not just the price action. Zcash moved from emergency containment to a formal hard fork, and now to a more permanent network change that aims to preserve privacy while restoring confidence in how shielded funds are accounted for. That is not easy. It is also exactly the kind of work a serious protocol has to do when the code gets ugly.
The rollout concerns from Shielded Labs also make sense in context. Exchanges, mining pools, and wallet providers do not just flip a switch and call it engineering. They have to coordinate software versions, deposit and withdrawal support, chain compatibility, and user-facing wallet behavior. During a sensitive upgrade, one sloppy operator can create confusion for everyone else. Crypto infrastructure likes to pretend it’s all automation right up until someone forgets to update the right node software.
Key takeaways
-
Why does July 28 matter?
That is when Zcash’s Ironwood upgrade activates at block height 3, 428, 143, one week later than the original July 21 target. -
What was wrong with Orchard?
Developers disclosed an “infinity” bug in Orchard, Zcash’s primary shielded pool, which could theoretically have allowed counterfeit ZEC creation. -
Was the bug exploited?
Shielded Labs said it found no evidence of exploitation. That does not prove nothing happened, but it does mean there is no reported evidence of abuse. -
What changes with Ironwood?
The existing Orchard pool stops taking new activity, and users move into a new private pool that includes an accounting checkpoint. -
Why does the checkpoint matter?
It could help expose any counterfeit ZEC that may have been created before the fix, making hidden supply issues harder to carry forward. -
Why is the Z3 migration a big deal?
Exchanges, mining pools, and wallet providers are also shifting from zcashd to Zebra, Zaino, and Zallet, which adds operational risk during a delicate upgrade. -
Why does the supply milestone matter?
With 16, 806, 723 ZEC already in circulation, more than 80% of the 21 million cap has been issued. For a fixed-supply asset, confidence in issuance is not optional.
Zcash is getting a real stress test here. If Ironwood works as intended, it will do more than patch a bug, it will show that a privacy-first monetary system can absorb a serious failure without losing its credibility. If it stumbles, critics will have plenty to say. Either way, this is what separates actual protocol engineering from the usual crypto clown show.
Further reading
For more on the Orchard bug fallout, the Ironwood upgrade, and the privacy-vs-integrity tradeoffs around Zcash, these reports and breakdowns are worth a look:
- Zcash confirms July 28 Ironwood activation after Orchard bug
- Claude AI Finds Critical Vulnerability in Zcash
- Zcash targets July 28 launch for Ironwood network upgrade
- Why Zcash (ZEC) Crash? The Orchard Bug
- Zcash Ironwood Upgrade Finalizes to Patch Orchard Pool
- Zcash Orchard Bug Could Have Minted Unlimited ZEC
- Arkham Says It Tracked $420B in Zcash Activity, Exposing