News linked to both this project and an event.
Odaily news: The Zcash Foundation has announced the release of Zebra 4.5.1, an update that fixes a consensus-critical security vulnerability, and strongly recommends that all node operators upgrade immediately. The vulnerability, identified as GHSA-2prc-cj5x-4443, involves a sigops (signature operation count) counting error in P2SH transactions, which could lead to consensus fork risks. This fix corrects an incomplete patch in version 4.5.0, which was released just yesterday. The Zcash development team stated that the issue stems from discrepancies in sigop counting logic between different implementations, which could cause nodes to produce different results when verifying transactions, thereby affecting consensus consistency on the chain. The fix resolves this by reverting and adjusting the Rust implementation logic to ensure alignment with the expected protocol behavior. The Zcash Foundation emphasized that there is currently no workaround for this issue, and that upgrading to 4.5.1 is the only way to ensure nodes remain on the correct chain and avoid potential fork risks.
The Zcash Foundation officially announced the release of Zebra 4.4.0, which addresses multiple critical consensus-level security vulnerabilities. All node operators are strongly advised to upgrade immediately. The vulnerabilities include a denial-of-service (DoS) flaw that could permanently halt the discovery of new blocks; a signature operation (sigop) counting error in block validation that may cause consensus divergence; abnormal handling of transparent transaction signature hashes; and a memory allocation amplification attack risk. The Zcash Foundation stated that some of these vulnerabilities could cause Zebra nodes to accept blocks rejected by zcashd, potentially triggering a chain fork. Without timely upgrades, nodes risk interruption of block discovery, consensus forks, and amplified resource consumption. No alternative mitigations are currently available.