An exchange on X between Polygon’s CTO Mudit Gupta and Zcash founder Zooko Wilcox reignited a long-simmering debate over whether privacy-preserving shielded pools can be perfectly audited — and, by extension, whether ZEC’s 21 million cap can be trusted under all conceivable failure modes. The dispute hinged on a familiar fault line in privacy-coin design: zero-knowledge protocols can obfuscate individual balances and flows, but they still must preserve a hard monetary base.
Polygon CTO Attacks Zcash
Gupta opened with a stark framing: “Nobody knows how many Zcash tokens actually exist. Shielded assets like Zcash are hard to audit. In March 2019, an infinite mint bug was detected in Zcash shielded assets. It was fixed in October 2019 but there is no guaranteed way to tell if the bug was ever exploited.”
Nobody knows how many zcash tokens actually exist.
Shielded assets like zcash are hard to audit.
In March 2019, an infinite mint bug was detected in zcash shielded assets. It was fixed in October 2019 but there is no guaranteed way to tell if the bug was ever exploited.
— Mudit Gupta (@Mudit__Gupta) October 26, 2025
He later softened the immediate risk assessment — “Based on heuristic, it’s unlikely the bug was exploited so no reason to panic” — while stressing what he called an enduring category risk: “I’m just highlighting an attack vector with Zcash and similar privacy pools… I’m not claiming any bug was exploited, just mentioning the possibility and risk.”
Wilcox pushed back, calling the initial post “not accurate,” and pointed Gupta to “publicly-verifiable on-chain audits” that track the monetary base. “They show the integrity of the Zcash monetary base. A straightforward game-theoretic analysis further shows zero counterfeiting,” he wrote, linking to community dashboards and documentation.
In a follow-on, Wilcox encapsulated the ZEC position with a thought experiment about the legacy Sprout pool: “Suppose someone counterfeited ZEC in the Sprout pool before October 28, 2018. Then there is a ‘race to the exits’ between the counterfeiter and his victims. Whoever moves their ZEC out of the Sprout pool first gets to keep all the money. Conclusion: there was no counterfeiting.” He added that “even if there was counterfeiting… there would still be only 16,355,911 ZEC in existence, and still only 21 M ever. Thanks, turnstiles!”
Stripped to its essentials, the technical disagreement is less about Zcash’s intended monetary policy and more about the edge-case guarantees when privacy meets auditability. Zcash’s published economics mirror Bitcoin’s: a fixed 21 million upper bound and a halving-style issuance schedule. That cap is unambiguous in official materials.
The Backstory
The controversy traces back to the counterfeiting vulnerability affecting ZEC’s earliest shielded pool, Sprout. According to the Electric Coin Company (ECC) and the Zcash Foundation, the flaw was discovered privately in 2018 and publicly disclosed on February 5, 2019; critically, the Sapling upgrade that activated on October 28, 2018 removed the vulnerable construction, and Zcash introduced “turnstile” accounting to constrain exits from shielded pools to, at most, the amount verifiably entered.
ECC reported at disclosure that it had seen “no evidence that counterfeiting has occurred,” a stance it has reiterated, and it described turnstile enforcement as a defense to preserve the monetary base even under hypothetical counterfeiting.
This is the heart of Wilcox’s argument. Because ZEC can only enter or leave a shielded pool via transfers that reveal values at the boundary, the chain can compute an expected pool balance. If more value tries to exit than has ever entered, the discrepancy becomes observable at the turnstile.
The “race to the exits” intuition — while informal — captures the idea that any attacker who minted bogus ZEC inside Sprout would be competing against legitimate holders to withdraw before the turnstile constraint bites; absent an unexplained drain to zero or a negative reconciliation, long-lived counterfeiting is inconsistent with observed pool totals. Zcash’s documentation describes these value-pool turnstiles and their role in monitoring pool integrity, and community discussions dating back years have treated them as the canonical mitigation.
Gupta’s rejoinder is about epistemic certainty, not policy intent. “Perhaps I should have been clearer,” he wrote. “Due to [the] possibility of bugs, there’s no guarantee that the shielded pools have the same amount of Zcash circulating inside them as transparent Zcash that went in. Therefore, you can’t be 100% sure of the actual total supply… [though] the likelihood of a bug like this being exploited is essentially 0.”
At press time, ZEC traded at $325.
Featured image created with DALL.E, chart from TradingView.com
Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
