Haskell, climbing, blacksmithing. I work on Zcash at zodl.com, and hack on aftok.com. All hail Discordia,🛡️ He/him, I do not identify.

Joined September 2008
If you’re a proponent of decentralization but are still using Twitter and/or Facebook as your primary social networks, just know that I’m here quietly judging you.
@nutty.land / @nuttycom@icosahedron.website retweeted
Obviously financial privacy is needed under oppression, but it's also needed under peace—it's necessary for freedom. That's why Zcash fights to maintain legal status; not because we are willing to compromise on fundamentals, but because we want a society that upholds this right.
I agree! Zcash would be great if what you needed was surviving war, tyranny, and societal collapse, but it is even better if what you need is unbounded flourishing, a safe and stable civilization, freedom and prosperity for all, and the beginning of infinity. :-)
@nutty.land / @nuttycom@icosahedron.website retweeted
I am proud of the work of @nym and @brave to push out Brave’s Adblock engine ACROSS YOUR ENTIRE DEVICE with NymVPN. Looking forward to what’s coming next!
Jun 12
Harry Halpin (@harryhalpin), CEO of @nym, shares why the surveillance Web is more dangerous than most people realize, and why most privacy tools aren't enough. 🎧 Listen to this week's episode of #TheBraveTechnologist, hosted by @LukeMulks, here: brave.com/podcast/e124/
RT @zooko: Thanks, Anthropic, for helping protect Zcash users. At Shielded Labs’s request, they ran a security audit of Zcash with Mythos.…
@nutty.land / @nuttycom@icosahedron.website retweeted
Quick update on the last ~48 hours of Zcash Ironwood!
1. Protocol devs from across all the orgs met twice to discuss specification and implementation progress. Agreement on a couple additional changes: disabling Orchard pool bundles in coinbases, anchors as auth data for migration UX with hardware wallets, and the order that ZIPs and specs will be handled.
2. Ironwood circuit and ZIP 2005 integration drafts are going through the review process. @ValarGroup has already spun up testnets and his team has done a wonderful job scoping out and implementing some of the wallet-facing changes. We are beginning an Ironwood upgrade book for eventual consumption by auditors, wallets, protocol developers, etc.
3. Formal verification work on Ironwood continues. A collection of different individuals who either have or will continue to work on formalization efforts will be meeting tomorrow where we'll settle on the specific strategy for getting the Ironwood SNARK formally verified. I'm hosting this and will post minutes and details after. Efforts from teams will be ideally combined where useful, existing approaches and progress unified and we'll figure out the easiest path for the next couple weeks. I've paused my own work on this to do Ironwood circuit stuff, but I'll be resuming on that tomorrow.
These are the big pieces, there are also some major security auditing tasks taking place in the background -- at least three major firms are auditing Orchard currently, and multiple new AI auditing suites are hammering the codebases to ensure nothing else critical is sitting around anywhere. So far so good! Really proud of how much progress is being made every hour on this by all five of our major teams/orgs and our supporters inside and outside the community. Also love the general wartime vibe shift. Let's go!
UPDATE: The various orgs and protocol developers mentioned have agreed on the specific consensus rule changes for Ironwood, after settling the finer details. Here's a summary:
1. Ironwood introduces a new pool using the Orchard protocol, just like the existing pool.
2. The circuit for the Orchard protocol—which applies to both the existing Orchard pool and the new Ironwood pool—will have a flag that consensus rules can toggle. This flag disables payments to *other* users within that pool, while maintaining the ability to create change notes. (This enables a privacy safeguard.)
3. The old Orchard pool will have this flag enabled after the network upgrade, and payments to the old pool will also be disabled by constraining valueBalance.
4. Because payments are disabled on the old pool, wallets must send new payments to Orchard receivers (inside existing unified addresses) via the new pool, and they should also migrate funds away from the old pool.
This combination enforces a bound on the circulating supply of ZEC through the use of the existing turnstile mechanism; the amount of ZEC that anyone can transact with is no more than the amount that is supposed to exist. Meanwhile, users' wallets can migrate funds to protect them from risk, which also gradually provides evidence that counterfeiting never took place.
Now that we have this decided, we'll collectively move on to the implementations, specifications, and ecosystem support/outreach. (We also have many different auditing and formal verification efforts taking place behind the scenes to provide assurance about the circuit correctness. More on that soon!)
@nutty.land / @nuttycom@icosahedron.website retweeted
The lore of Zcash has no equal.
The ruins of one of the computers used to generate the zk-snark parameters for zcash.
@nutty.land / @nuttycom@icosahedron.website retweeted
Zcash will prove you can remove fatal inflation risk with formal verification and simplicity or panopticon is the future. Nothing in the laws of physics mandates soundness bugs. Place your bets ladies and gentlemen.
@nutty.land / @nuttycom@icosahedron.website retweeted
If you think you had a dizzying week as a Zcasher, imagine being a Bitcoiner: apparently, someone made an unusual UTXO that could technically be in violation of a future controversial BIP, so the forces of good and evil are debating the philosophy of softforks for the 68th time.
@nutty.land / @nuttycom@icosahedron.website retweeted
XMR devs knew about this issue as early as 2021, didn't warn community, left the bug unaddressed for four years, and the problem still hasn't been solved today. And these hypocritical envious mfs are blaming Zcash teams for being honest and patching the issue within a couple of days. Holy Shit 🙃glass jaw :)))
@nutty.land / @nuttycom@icosahedron.website retweeted
“yes, I got into $zec when there was a trusted setup ceremony and before the coin supply could even be verified. things sure were risky back then.”
"yes I got into $zec before the coin supply could even be verified. things sure were risky back then"
@nutty.land / @nuttycom@icosahedron.website retweeted
One thing that makes this work where the turnstiles only partially worked before: we're forcing the *circulating supply* of ZEC to exist only within safe pools. Any hypothetical counterfeiting is snuffed out, and Orchard transactions automatically redirect through the new pool.
Together with @zodl_co, @ZcashFoundation, @ValarGroup and @ShieldedLabs, we're advocating for a network upgrade that would make ZEC's circulating supply auditable, providing additional reassurance that no counterfeiting occurred in the Orchard pool before this week's bugfix. tachyon.z.cash/blog/auditing…
@nutty.land / @nuttycom@icosahedron.website retweeted
zec by far the most interesting asset to watch here now if it wasn’t already no other asset in the industry has more divergent opinions on merit, threat perception, orchard exploit odds, technical understanding, privacy as product vs feature, etc. going to be extremely volatile
@nutty.land / @nuttycom@icosahedron.website retweeted
This week's Zcash bug points to an unsolved problem with all open source blockchains. Remember Zcash maintainers had to take the Orchard pool offline before patch. The reason this needed to be done is that now AI can scan git commit logs to understand and exploit vulnerabilities instantly. For serious enough vulnerabilities, it is no longer possible to push silent updates: the method that Bitcoin and others have used for years. Every blockchain now has the potential for showstopper bugs that require taking the network offline. Has anyone seen a plan to fix this?
@nutty.land / @nuttycom@icosahedron.website retweeted
The Privacy Paradox: What Zcash Taught Crypto About Transparency
The irony is almost too perfect. Zcash is built on zero-knowledge proofs (ZKPs)—a technology explicitly engineered to reveal as little information as possible. Its entire value proposition rests on verifying transactions without exposing the sender, receiver, or amount. In the popular imagination, Zcash is the ultimate "opaque cryptocurrency." Yet, during the recent Orchard pool vulnerability, Zcash arguably became one of the most transparent networks in existence.
Faced with a critical flaw, the Zcash development teams chose radical candor. They publicly disclosed:
* The existence of the flaw and the affected component (the Orchard shielded pool).
* The precise nature of the risk and their mitigation strategy.
* The timeline spanning from discovery to response.
* The economic and technical rationale behind their temporary safety measures.
By doing so, they effectively opened their internal war room to public scrutiny.
Contrast this with the standard operating procedure of many "transparent ledger" cryptocurrencies. Their blockchains may be entirely visible, but critical information regarding software bugs, security exploits, exchange backrooms, and governance disputes is routinely hidden until long after the fact—if it is ever disclosed at all.
This crisis highlighted a subtle but vital distinction: blockchain transparency and organizational transparency are not the same thing. A public ledger only tells you what happened on-chain. A transparent development process tells you:
* What went wrong.
* What risks currently exist.
* What the developers actually know.
* How decisions are being made.
* Whether users are being treated honestly.
The Orchard disclosure created a fascinating inversion. The cryptocurrency designed to hide transaction details became the most open project in the space regarding its own flaws. Meanwhile, networks whose entire marketing revolves around public visibility continued to operate behind closed doors when their systems faltered.
There is an even deeper philosophical irony here. Zero-knowledge proofs are often misunderstood as mere tools for secrecy. In reality, they are tools for truth without disclosure. A ZKP says: "I can prove this statement is true without revealing the underlying data." That exact philosophy anchored the Orchard incident. The cryptography remained dedicated to minimizing unnecessary data leakage, while the developers maximized clarity about the system's reality.
The result is a compelling paradox: Zcash uses cryptography to make transactions less transparent, but used engineering ethics to make its organization more transparent. Ultimately, the chain that reveals the least revealed the most.
It is a powerful reminder that true transparency is not measured by how much raw data is exposed on a block explorer. It is measured by how honestly a community communicates when everything is on the line. In the Orchard episode, a privacy coin demonstrated a level of institutional courage that crypto's most "transparent" systems have yet to match.
This is a moat.
The Zcash engineers are my family, and everything good in my life traces back to Zcash. I couldn't live the rest of my life knowing I committed that kind of betrayal.
@nutty.land / @nuttycom@icosahedron.website retweeted
Jun 5
Somewhere in Pyongyang a Lazarus Group dev is explaining to his manager why they didn't find the Zcash inflation bug first. That meeting is not going well 😂
@nutty.land / @nuttycom@icosahedron.website retweeted
That’s what it took to find the Orchard bug by an expert security researcher.
Replying to @frankdegods
To provide context, this was found after running what must sum up to at least a continuous month or two of different agent-based auditing strategies against the codebases. That gives me some confidence that the window of AI-discoverability began with 4.8's release, but I'd like to do a more scientific analysis.
@nutty.land / @nuttycom@icosahedron.website retweeted
Replying to @MacroCRG
Everyone will move into formally verified tachyon and it will be clear that no exploit happened. The shielded zec movement imo is pretty clear for no exploit. Shielded pool effectively ATH pre soft fork. Post hard fork it's only 61k unshielded, and at least 35k of that is just sitting there not sold.
@nutty.land / @nuttycom@icosahedron.website retweeted
👉For 4 years, 1 day, and 10 hours, anyone who understood the Orchard circuit could have minted ZEC out of thin air, silently, with no on-chain signature. The bug was disclosed this week. It was found by an AI-driven audit running Opus 4.8, not by an attacker.
1. Call the bug what it is
Two lines in halo2's variable-base scalar multiplication gadget used assign_advice() where copy_advice() was required. As a result, the diversified-address integrity check pk_d = [ivk]·g_d could be satisfied for arbitrary inputs. A malicious prover could spend the same note multiple times with different nullifiers, i.e. counterfeit ZEC inside the Orchard pool, undetectable on-chain because the privacy of the ZK proof hides exactly the inputs that would reveal the attack. We do not know whether it was exploited. We will probably never know.
2. Four years. Multiple audits. Top-tier reviewers.
Orchard was reviewed by some of the strongest cryptographers in the field before activation. They missed it. Earlier automated audits with Opus 4.7 missed it. Opus 4.8 catches it in roughly 1 in 4 runs when prompted generically. The bug is hard. And ZK inflation bugs are not new. Zcash itself shipped a counterfeiting vulnerability in Sprout (BCTV14) that survived years before being silently neutralized during Sapling. Similar soundness issues have appeared in circom, halo2, and rollup verifiers since. The pattern is consistent: when the protocol is private, exploitation is undetectable. You patch the bug and hope.
3. What Zcash did right
This was a textbook decentralized incident response:
▶️Audit: a full AI-assisted soundness audit of halo2 Orchard, scoped end-to-end.
▶️Discover: the agent flagged the missing constraint and worked out the algebra to turn it into an exploit. A working RPC-level PoC in ~6 hours, mostly waiting on tokens.
▶️Coordinate: a soft fork disabling Orchard, prepared and distributed without leaking the bug, activated 2 days and 15 hours after acknowledgement. Coordinating a soft fork across miners, exchanges, and nodes without disclosing why is genuinely hard. They did it.
▶️Disclose: timeline, code lines, math, open questions. No spin.
Worth naming explicitly: Zcash's turnstile invariant caps the value that can ever leave a shielded pool by the value that entered it. Privacy and verifiability inside the same protocol. That is not an accident. That is good engineering, and it is what kept the worst case bounded.
4. The economics of security just changed
AI does not change whether bugs like this exist. It changes the cost of finding them. I wrote about this x.com/P3b7_/status/203643721…: a missing constraint in a 4-year-old production ZK circuit used to require a top-tier cryptographer with months of context. It now requires a few tokens, an API key, and a well-framed prompt. The defender benefits. The attacker benefits more, they only need to find it once, and they never disclose. Orchard is the optimistic version of this story: defense got there first. The pessimistic version is the one we cannot rule out, because the chain is private by design.
5. The only real exit
You do not patch your way out of this asymmetry. You raise the floor. Formal verification of consensus-critical circuits, every assign_advice audited by SAT solvers and AI for under-constraint, as the reporter himself recommends. Proof-grade engineering that used to be too expensive is now cheap enough to be mandatory. Hardware roots of trust, secure enclaves, certified secure elements, WYSIWYS. Cryptographic guarantees the user can actually verify, not promises a host can lie about. Continuous AI-assisted audit of every consensus-critical commit, re-run immediately on the release of any new frontier model.
Zcash didn't just patch a bug. They demonstrated the new defensive playbook: AI-driven audits, decentralized coordination, radical transparency, verifiable invariants. That is the direction the rest of the industry needs to follow. And those who don't raise the bar for security will be rekt in this new world. Stay safe. Stay honest about your trust assumptions.
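The turnstile bound described in the post above, and in the earlier Ironwood update about disabling payments into the old pool, can be sketched as a per-pool balance check. This is an added example, not Zcash consensus code and not written by any of the posters; the `Chain` type, the sign convention for `delta`, and the amounts are assumptions constructed for illustration.

```rust
// Added illustration: a simplified model of the turnstile rule, not Zcash consensus code.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Reject {
    DepositsDisabled(&'static str),
    PoolWouldGoNegative(&'static str),
    Overflow,
}

/// Per-pool value balances as the chain records them (hypothetical units).
pub struct Chain {
    pub balances: HashMap<&'static str, i64>,
    pub deposits_disabled: Vec<&'static str>,
}

impl Chain {
    /// Apply (pool, delta) pairs atomically: delta > 0 enters the pool, delta < 0 leaves it.
    pub fn apply(&mut self, tx: &[(&'static str, i64)]) -> Result<(), Reject> {
        let mut next = self.balances.clone();
        for &(pool, delta) in tx {
            if delta > 0 && self.deposits_disabled.contains(&pool) {
                return Err(Reject::DepositsDisabled(pool));
            }
            let bal = next.entry(pool).or_insert(0);
            *bal = bal.checked_add(delta).ok_or(Reject::Overflow)?;
            // Turnstile: no more value may leave a pool than was recorded entering it.
            if *bal < 0 {
                return Err(Reject::PoolWouldGoNegative(pool));
            }
        }
        self.balances = next;
        Ok(())
    }
}

/// Constructed scenario: 1_000 units were recorded entering the old pool before the upgrade.
pub fn after_upgrade() -> Chain {
    Chain {
        balances: HashMap::from([("orchard", 1_000), ("ironwood", 0)]),
        deposits_disabled: vec!["orchard"],
    }
}

fn main() {
    let mut chain = after_upgrade();
    println!("{:?}", chain.apply(&[("orchard", -600), ("ironwood", 600)])); // migration
    println!("{:?}", chain.apply(&[("orchard", -500)])); // exceeds the recorded 400
    println!("{:?}", chain.apply(&[("orchard", 50)])); // payment into the old pool
}
```

The check never inspects shielded notes: it rejects on the publicly recorded pool balance alone, which is why the bound holds regardless of what happened inside the pool.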
@nutty.land / @nuttycom@icosahedron.website retweeted
Replying to @0xdoug
The commits weren’t pushed until after the hard fork. You're reading the git timestamp there; PRs reflect actual push times to GH.