A four-year-old bug in Zcash's Orchard ZK-proof circuit let a prover substitute a free constant for the real elliptic curve base point, meaning a crafted proof could verify as valid while encoding a fraudulent scalar multiplication — and because the Orchard pool is shielded by design, there's no way to prove from the outside whether anyone used it. The emergency patch, completed via a two-stage hard fork in four days, fixes future exploitation but can't retroactively audit what's already inside the pool, which is exactly why the proposed Ironwood upgrade matters: by deprecating old Orchard as a payment destination and routing all transactions through a fresh pool, it forces any hypothetical counterfeit ZEC through the turnstile's public accounting before it can be spent — an economic chokepoint, not a new cryptographic proof. That's the Zcash story right now: not just a bug patched, but whether a supply-audit-by-forced-migration can do what cryptography alone structurally cannot.