Zcash Turns 10. What if We Returned the Favor?

October 28 marks 10 years of Zcash. A full decade since the first block.

Zcash was born from Bitcoin’s codebase. Same UTXO model, same 21 million cap, same halving schedule. The difference was always about what Bitcoin left out: privacy as a protocol-level guarantee.

Ten years later, there’s a way to bring that guarantee back to Bitcoin holders directly.

Take a snapshot of Bitcoin’s UTXO set at a specific block height. Create a ZSA called zBTC with a hard cap of 21 million. Every BTC holder at the snapshot can claim their exact balance as zBTC on Zcash. Prove you own the private key, receive your tokens. No bridge. No custodian. One-way claim.

Same distribution. Same supply cap. But shielded.

So why would a Bitcoiner care?

About 25% of all Bitcoin sits in quantum-vulnerable addresses. Early P2PK outputs. Reused P2PKH addresses where the public key has already been exposed. That’s roughly 4 million BTC with public keys sitting in the open. When a quantum computer can run Shor’s algorithm at scale, those keys can be derived.

Bitcoin isn’t ignoring this. BIP-360 proposes a quantum-resistant address format and got its BIP number in 2025. But it’s still in draft. No activation timeline. No consensus on approach. A more aggressive proposal would freeze vulnerable addresses entirely, which nobody can agree on.

Zcash’s shielded pool doesn’t expose public keys on-chain. They’re encrypted inside notes. A quantum adversary scanning the blockchain can’t even identify which keys to target. That’s not full quantum resistance, but it’s a real asymmetry. And Quantum Recoverability (ZIP 2005) is laying the groundwork so that if the discrete log problem does get broken, a future protocol upgrade could recover funds.

zBTC would give Bitcoiners something that doesn’t exist today. Private Bitcoin transactions, right now. No chain analysis. No address clustering. And for the long term, a path toward quantum safety that Bitcoin itself hasn’t figured out yet.

Same monetary contract they already believe in. Same keys. No need to buy ZEC or trust anyone new. Just a claim on better infrastructure.

If over time people start treating zBTC as a more secure way to hold Bitcoin’s monetary properties, the value follows organically. Not because anyone was tricked into it. Because the properties speak for themselves.

Now, the elephant in the room. Bitcoin Private. In 2018, Zclassic merged with a BTC snapshot to create BTCP. A Coin Metrics investigation later found 2 million extra coins had been covertly minted at genesis and hidden in shielded addresses. Hundreds of thousands were moved to exchanges.

This would need to be the opposite. No extra minting. Open, verifiable snapshot. The claim mechanism would need to be fully auditable. Commit a UTXO Merkle root at a specific block height. Claimants prove key ownership with a secp256k1 signature. All transparent. All verifiable. Zcash’s history with this cautionary tale means the community knows exactly what to watch for.

ZSAs are finalizing for NU7. Quantum Recoverability is in the pipeline. Zcash turns 10 in October.

This isn’t a spec or a proposal. It’s a thought experiment. Could something like this work? Would Bitcoiners actually want it?

Zcash started as Bitcoin’s codebase with a privacy upgrade. Ten years later, it could return the favor.

What do you think?

7 Likes

This is good. Super controversial because it challenges the current assumptions of Bitcoin culture, but the kind of thing that I want to see.

There is a non-zero chance that the 21 million bitcoins will end up getting tokenized on other networks. And it’s better to prepare for that future than merely react to a disastrous outcome.

2 Likes

If Bitcoin’s value is the rules, not the chain, then it makes sense to explore where those rules might be better protected long term.

1 Like

Wow. I swear I thought it was 8. This decade went fast. 😅

4 Likes

There are 164 million Bitcoin UTXOs according to CryptoQuant. The number of active addresses is 754K. So the approach of eagerly transferring Bitcoin UTXOs to the Zcash chain (even with merging and only for active addresses) doesn’t work; that would be too many outputs spamming the Zcash chain.

Absent additional programmability features in Zcash, the ZSA issuer would therefore need to retain the private key(s) for unclaimed zBTC supply in order to lazily respond to requests to materialize a given Bitcoin address into Zcash. That means they could also forge zBTC, up to the 21m zBTC limit. So it’s not feasible with “no custodian” without programmability on Zcash (I guess a TZE is also possible). You could split the issuer and use FROST for issuance. You could also hold the private keys in TEEs (I don’t trust them, but use multiple TEEs combined with FROST and maybe you have something useful).

3 Likes

Thanks @daira. That’s the gap I didn’t see.

I was thinking of claims as a simple signature verification, but you’re right that without programmability, someone has to hold the issuance key. And FROST or TEEs just move the trust around, they don’t eliminate it. Nobody would adopt this over holding actual BTC if it comes down to “trust this multisig not to mint.”

So it really comes down to whether Zcash ever gets on-chain programmability. A contract that can verify a secp256k1 signature against a committed UTXO root and auto-mint would make this trustless for real. Without that, the idea doesn’t work as described.

Good to know where the wall is. Appreciate you taking the time.

1 Like
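The "commit a UTXO Merkle root" step from the opening post, and the check against "a committed UTXO root" in the reply above, sketched as an added example that is not part of any post in this thread and not Zcash or ZSA code. It covers only the public-audit, inclusion-proof and one-claim-per-output side; the secp256k1 ownership signature is a separate check and is not shown. The leaf layout, the tagged double SHA-256, all function names and the snapshot rows are assumptions made for illustration.

```python
import hashlib
CAP_SATS = 21_000_000 * 100_000_000  # the 21 million cap, in satoshis

def h(tag, data):  # tag 0x00 = leaf, 0x01 = inner node; double SHA-256 is an assumed choice
    return hashlib.sha256(hashlib.sha256(tag + data).digest()).digest()

def leaf(txid, vout, pkh, sats):
    return h(b"\x00", bytes.fromhex(txid) + vout.to_bytes(4, "little")
             + bytes.fromhex(pkh) + sats.to_bytes(8, "little"))

def build(leaves):  # all tree levels, leaves first; an unpaired node is promoted
    levels = [list(leaves)]
    while len(cur := levels[-1]) > 1:
        levels.append([h(b"\x01", cur[i] + cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):  # sibling path as (hash, sibling_is_left) pairs
    path = []
    for lvl in levels[:-1]:
        if index ^ 1 < len(lvl):
            path.append((lvl[index ^ 1], index & 1 == 1))
        index //= 2
    return path

def verify(root, leaf_hash, path):
    acc = leaf_hash
    for sib, sib_is_left in path:
        acc = h(b"\x01", sib + acc) if sib_is_left else h(b"\x01", acc + sib)
    return acc == root

def audit(rows, root):  # anyone can rerun this against the published snapshot
    rebuilt = build([leaf(*r) for r in rows])[-1][0]
    return rebuilt == root and sum(r[3] for r in rows) <= CAP_SATS

def claim(root, claimed, row, path):
    lh = leaf(*row)  # the amount is part of the leaf, so it cannot be inflated
    if lh in claimed:
        return "rejected: already claimed"
    if not verify(root, lh, path):
        return "rejected: not in snapshot"
    claimed.add(lh)
    return "minted"

# Constructed snapshot rows: (txid, vout, pubkey hash, amount in satoshis)
SNAPSHOT = [("11" * 32, 0, "aa" * 20, 5_000_000_000),
            ("22" * 32, 1, "bb" * 20, 125_000_000),
            ("33" * 32, 0, "cc" * 20, 70_000)]
LEVELS = build([leaf(*r) for r in SNAPSHOT])
ROOT = LEVELS[-1][0]
```

A row appended to the snapshot after the root is committed makes `audit` fail, and a claim with a changed amount fails `verify` because the amount is hashed into the leaf.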

Feel free to propose it as a TZE; that seems to be the most practical option.

Actually that doesn’t work because there can’t be a TZE representing unclaimed zBTC funds; TZEs are transparent-only and ZSAs are shielded-only. At least, I can’t see how to make it work without significant changes to the TZE mechanism.

1 Like