What do we do about legacy value pools?

paper currency gets forked… try buying something with a really old $20 note

1 Like

For what it is worth, I don’t know what other people’s reasons are for the turnstile, but my reason for the turnstile was formed before Zcash launched in 2016. While designing Zcash with the original team, I came to believe that widespread, long-term confidence in the soundness of the monetary base would require regular turnstiles. Everything that’s happened since then has reinforced my belief about that.


This directly conflicts with this

So if I understand you correctly, there is a hard cap at 21m and under no scenario can there be more than 21m. Any counterfeiting that occurs would be related to increasing the supply for coins not yet mined; but even if there was counterfeiting zcash hard cap at 21m would be enforced . is that right?

1 Like

No, consider the following (extremely unlikely but theoretically possible) scenario. There is a bug that allows “counterfeiting” within the Sapling pool, and an attacker spends 50,000 ZEC out of thin air. There is now 50,000 more ZEC in existence than there is supposed to be, but no one knows it except for the attacker.

The bug (but not the attack that took advantage of the bug) is subsequently uncovered, and a new pool is created without the bug. Users are encouraged to migrate to the new pool, and it is decided that the Sapling pool will be deprecated within a year. As users move their coins from Sapling to the new pool, ZIP 209 preserves the integrity of the money supply going forward. That is, the incorrect “surplus” of 50,000 ZEC will not carry over to the new pool.

The “loss” of 50,000 ZEC is borne by the users who are last out the door of the Sapling pool. For simplicity, let’s say that everyone successfully migrated out except for one whale, who legitimately stored 100,000 ZEC in the Sapling pool. The whale decides to migrate to the new pool, 10,000 ZEC at a time. The first five migration transactions work fine, but when she tries to make the sixth migration transaction, it will be rejected because it would cause the expected balance of the Sapling pool to be negative. (Specifically, a block containing that sixth migration transaction will be rejected by nodes as a violation of the consensus rules.) So the whale is out 50,000 ZEC.

I like ZIP 209, because it restores the integrity of the money supply going forward. But there are other potential approaches, like “socializing” the harm caused by the attack (allowing the surplus of 50,000 ZEC to carry over to the new pool).


Got it—If someone is going to counterfeit and it’s private. It’s going to be massive—millions of coins. Seems like there has to be a better way. Such as connecting the creation of zec to time/block/something. It’s gets a stamp that can be traced back to its creation. If there is a conflict, then at least the bad actors can be more easily identified??

When was the last migration (date we know the supply is good)?

But that would seem to contradict the entire reason for a shielded pool in the first place, which is enhanced privacy and/or fungibility.

Because the Sprout pool has not been deprecated, such a “migrate and deprecate” process has never occurred. So it is impossible to definitively rule out the possibility of CVE-2019-7167 having been exploited. With that said, given the nature of the bug and the complete lack of any evidence that it was ever exploited, I myself believe that it was never exploited.

On the issue of deprecating old pools, the discussion in this recently started topic is excellent:


+1 Let’s have discussion about shielded pools in ebfull’s thread.


I don’t think this is a big deal since you can just write implementation details in a spec and have it continuously updated. For anything more specific, people can always just ask about it.

I’m missing something.

Cant we:

  1. drop support for previous value pools and maybe their snarks
  2. let you move funds out (transparently if necessary) forever?

Safety - people need to know when they buy zcash their money is safe. If someone bought 10,000 ZEC and put it into a trust, they need to know the investment is safe in 10, 20, 50 or 100 years from now. They should be able to put it onto a safe and know they don’t have risk associated with not moving to a new pool. Protocols need to be put in place to ensure people are protected from both inflation and changes made. It seems like something is missing here?

I’m having a hard time understanding how owners are not just moved automatically from Sprout to Sapling. If not automatically moved, it adds to the risk of owning Zcash doesn’t it? Although People should be given the choice to opt out (for who knows why they would).


Sure, but:

This either requires a SNARK, or revealing the transaction graph for all unspent notes (in order to just open their value commitments). And the latter can’t be protected by having people spend to new notes before revealing, because doing that requires the SNARK that was just removed.

Some shielded pools might be amenable to implementing the removal process somewhat efficiently on a newer SNARK, but you still need one or more SNARKs that implement at least some parts of the prior protocols, and you need them around as long as you support moving funds out.

Right, it would be in the clear. So you’d have x years to get your money out of e.g. sprout in a private way. Then after that the money is gone unless you want to do it in a non-private way. Bad, maybe. Seems better than just saying the money is gone and you should have known because the plans “have been on display at your local planning department … for 50 of your Earth year”


Can you elaborate on ‘do it in a non-private way’, how would that work?

What @str4d implied. You explicitly point to your UTXO in the merkle tree and go yep, that one’s mine and open it. Shielded payments do this inside a snark, so no one else learns about it. I’m just suggesting doing it without the snark. So no privacy.

It may not be a good idea. Might, for example, require weird code paths and be annoying to support. But it should be considered.

OK - got it.

I was comparing that to what happened many (many) years ago when England changed to decimal currency - no more shillings, crowns, farthings & weird things. (Yes, I’m that old)

For a time you could spend both (ie: sprout & sapling),

For a while after that you could change the old money into new by taking it to a bank (sprout-to-sapling migration with impaired privacy).

After that you had to send it to the Bank Of England (which would be slow, expensive & suck).

After that…the old money was worthless.

Its pretty much what we’re suggesting here, the UK Pound is still chugging along.

1 Like

I see this more like this is all pounds; but the way pounds are processed or the bank holding the pounds are changed. Zcash owners should not be forced to do anything (meaning it should not get left behind)…It seems like by doing nothing, my investment gets impaired. So, As a non technical person, I want the coins to automatically move and I’ll just sell if I don’t like where zcash is going.

Maybe I don’t understand how this all works. But anything to make it as simple as possible for end users/investors.


How about this: as long as you keep your node software up to date, or you put your ZEC into an exchange or bank or staking service or something that keeps their software up to date, then your coins will get automatically migrated to the current version of the technology?


What about anyone with a brain wallet or hardware wallet or really anyone who both wants to own the keys them selves and (understandably) doesn’t want to keep keys live on a server to get hacked?
They’d lose their funds right?

I think we have three options

  1. keep things around forever with privacy ( a pain)
  2. allow moving money non-privately out of a pool after private support goes away l (possibly still too much of a pain)
  3. admit we are making you give up your money either explicitly or implicitly. Your suggestion is just doing it implicitly.
1 Like

So the main reason to force migration sounds like inflation? If it’s done at the same time everyone shares the loss equally (kinda how it works now with currencies)…and ideally you find a way to better identify inflation if thats even possible. But other than that, If I put zec in a hardware wallet and leave it for 50 years, any upgrades won’t matter because it won’t be affected?