protocol
Zcash locks NU6.3 Ironwood activation to block 3,428,143 on July 28
Core devs pin NU6.3 to mainnet block 3,428,143 (~Jul 28, 08:00 EST). Orchard becomes spend-only; new shielded value flows through a turnstile into the Ironwood pool.
Zcash developers have locked in the NU6.3 network upgrade — codenamed Ironwood — for mainnet activation at block height 3,428,143, expected around 08:00 EST on July 28, 2026. The consensus rules are specified in ZIP-258 on the Zcash improvement proposals repo, owned by Daira-Emma Hopwood and created on 2026-06-19. NU6.3 closes the legacy Orchard shielded pool to new value, opens a fresh Ironwood pool built on a re-verified circuit, and forces migration between the two through a turnstile — a public accounting checkpoint that caps outflows at what legitimately entered. The upgrade is Zcash's response to the Orchard counterfeiting vulnerability disclosed on June 5, 2026 after being latent in the shielded pool for roughly four years.
What ZIP-258 actually does
ZIP-258 sets one testnet activation height (4,134,000) and one mainnet activation height (3,428,143), and coordinates a set of dependent proposals rather than shipping the changes in a single monolithic ZIP. The consensus branch ID is 0x37A5165B. Three rule changes take effect at the activation height on mainnet:
- The Orchard pool becomes spend-only. No new value may enter Orchard through transfers or coinbase transactions, per the pool-balance rule updates coordinated with ZIP-2006.
- Cross-address transfers inside Orchard are disabled. An Orchard action that both spends and outputs to a different address is invalid. Newly created shielded value has to go into Ironwood.
- Value can leave Orchard only across the turnstile, into the Ironwood pool, subject to the accounting constraints in ZIP-209 (turnstile / pool balance) and ZIP-221 (chain history commitments).
The Ironwood pool itself is defined by ZIP-229 (version-6 transaction format) and ZIP-2005 (quantum-recoverable note plaintexts), with wallet-side handling covered in ZIP-318 and ZIP-326. Every Ironwood output note uses the new plaintext format from the activation height onwards.
Why the upgrade exists — the Orchard "infinity" bug
The story starts on May 29, 2026, when security engineer Taylor Hornby found a soundness flaw in the Orchard circuit — the zero-knowledge component of Zcash's most advanced shielded pool. Two lines of code inside the elliptic-curve arithmetic could, in theory, be used to mint arbitrary counterfeit ZEC directly inside the shielded pool, with no signature on-chain to reveal it. Hornby disclosed to the Zcash Open Development Lab; an ecosystem-wide emergency patch shipped between June 1 and June 2, 2026, and the disclosure was made public via the Zcash community forum on June 5. ZEC fell roughly 38% on the news. The bug had been present since Orchard's activation in May 2022, undetected for four years.
The patch stopped further exploitation. It did not answer the harder question: can anyone prove no counterfeit ZEC entered the pool between 2022 and June 2026? With Orchard's zero-knowledge properties intact, the answer is no — there is no cryptographic way to distinguish legitimate ZEC from counterfeit ZEC still sitting in Orchard notes. Ironwood's turnstile is the concrete answer. Every ZEC crossing the turnstile is publicly counted; the total that can leave Orchard is capped at the total that verifiably went in. If more tries to leave than went in, the excess is refused at consensus.
Numbers
- Upgrade : NU6.3 (codename Ironwood)
- Spec : ZIP-258 (Draft, created 2026-06-19)
- Mainnet activation : block 3,428,143 (~Jul 28, 08:00 EST)
- Testnet activation : block 4,134,000
- Consensus branch ID : 0x37A5165B
- Related ZIPs : 229, 209, 221, 318, 326, 2005, 2006
- Orchard status post-fork : spend-only, no new value in, no cross-address transfers
- Migration mechanism : turnstile → Ironwood pool
- Underlying bug : Orchard counterfeiting vulnerability (patched Jun 1–2)
- Bug disclosure : Jun 5, 2026 (Zcash Foundation / Shielded Labs / ECC)
- Time bug was latent : ~4 years (since Orchard activation, May 2022)
Figures per ZIP-258, the Zcash Foundation community forum disclosure thread, and cross-verified against The Block's Ironwood coverage and independent write-ups from Decrypt and Crypto Briefing.
What to watch
- Wallet upgrades before block 3,428,143. Zebra 6.0.0, zcashd successors, Ywallet and Zashi all need to ship NU6.3 support before the activation height. Nodes that don't will fork off at block 3,428,143.
- The turnstile counter, published in real time. The point of the mechanism is public verifiability of Orchard outflow vs. inflow. Any divergence between the two before all legitimate Orchard notes have been drained is the strongest available signal that pre-fix counterfeiting occurred.
- How much value actually crosses to Ironwood, and how fast. Users have to sign transactions to migrate — nothing moves automatically. Shielded pool illiquidity during migration is expected; exchanges and custodians typically pause ZEC deposits and withdrawals for a few days across a Zcash network upgrade.
- Post-activation audits from Least Authority and NCC Group referenced in the community disclosure thread. Ironwood ships with formal-verification work on the new circuit, but the independent audit reports are what actually close the loop on "did we fix the class of bug, not just the instance."
- The final ZIP-258 status flip from Draft to Final, and any last-minute activation-height amendments. A late-cycle re-target has happened before on Zcash upgrades; the current lock is Jul 28 but the ZIP status is still Draft as of publication.
Context — the second privacy-pool reset in three years
Zcash has been through this cycle before. NU5 in May 2022 introduced Orchard itself, migrating value away from the older Sapling pool for exactly the same class of reason — a cleaner circuit and a stronger security posture. Ironwood is the equivalent step forward: a new pool, a re-verified circuit, and an accounting checkpoint that makes any historical counterfeit visible on exit rather than invisible inside the pool. The broader pattern for shielded-pool chains is unavoidable — zero-knowledge circuits are complex enough that "no known bug" is not the same as "no bug." Monero shipped a similar architectural response after the 2017 CryptoNote inflation bug. Zcash's answer, formalized in ZIP-258, is that after four years of latent risk, the fix is not a patch but a pool.