

Ironwood (NU6.3)
Ironwood is a new shielded pool introduced by the NU6.3 network upgrade. The new pool replaces Orchard: after activation, wallets automatically route shielded payments to Ironwood instead. The two pools will use the same underlying cryptography, but Orchard becomes withdraw-only and wallets are encouraged to migrate user funds away from Orchard as soon as possible.
The purpose of Ironwood is threefold: to provide a shielded pool with a credibly sound supply (given the recently discovered counterfeiting vulnerability in Orchard), to provide evidence that no counterfeiting occurred in the Orchard pool, and to re-establish a bound on the circulating supply of ZEC.
Assurance and Formal Verification
Ironwood's pool starts fresh at NU6.3 using the patched version of the Orchard protocol with some minor modifications. In order to reassure users about the security of the new pool, our community has subjected it to intense auditing and other analysis.
The primary security guarantee is no undetectable counterfeiting bugs. The only components of the Ironwood protocol that could introduce an undetectable counterfeiting vulnerability—one that does not leave behind evidence of exploitation—must embed those vulnerabilities in the mathematics of the protocol. Project Tachyon has engaged in an intense effort to eliminate all bugs of this class up to the stated cryptographic assumptions, purely by analyzing this math using proof assistants like Lean.
This new guarantee alone motivates the upgrade. The now-patched soundness bug in Orchard could theoretically have allowed undetectable counterfeiting in the old pool. There is no evidence it was exploited, but exploitation cannot be ruled out retrospectively. Ironwood's formal analysis will avoid this situation. Formal verification, third-party audits, finding-level remediation, and report publication across Orchard, halo2, librustzcash, Zebra, and Zakura.Audit status
Meanwhile, Zcash has undergone intense audit scrutiny. Shielded Labs, who discovered the counterfeiting vulnerability in Orchard, used their own in-house security experience to subject Orchard to unprecedented analysis. They also obtained an audit report from Anthropic's frontier Mythos AI. Other teams, such as our own Valar Group and Project Tachyon, have engaged firms such as zkSecurity, OtterSec and Zellic to perform analysis of Ironwood and Orchard. OpenAI has also assisted Project Tachyon with access to models with similar capability to Mythos.
Supply Audits and Turnstiles
After activation of NU6.3, the Orchard pool enters a withdraw-only state. Payments cannot occur within the pool. This means that payments to Orchard receivers (payment keys located within unified addresses) are automatically routed to the Ironwood pool, which forces the turnstile mechanism of the protocol to account for all funds.
Over time, users migrating their funds from Orchard to Ironwood (through the same turnstile) decreases the upper bound of any hypothetical counterfeiting exploit. Given enough migration, there are few plausible explanations except that no counterfeiting occurred.
In the mean time, because payments cannot take place in the old pool (and because new funds cannot enter the pool) the amount of circulating ZEC is bounded above by 21M: it is either secured by shielded pools for which no counterfeiting bugs have been discovered or exploited, or is otherwise forcibly subjected to a turnstile.
Quantum Recoverability
Ironwood implements ZIP 2005 by default, meaning that Ironwood funds are all quantum recoverable: if advances in quantum computers are made, the pool can be suspended and users can retrieve their funds without worrying about a quantum computer being used to steal or counterfeit with the pool.