Key Highlights
- Zebra 4.4.0 addresses multiple bugs, including consensus-related issues that could impact network stability.
- The update fixes a vulnerability that could stall block discovery through gossip queue saturation.
- Updates resolve discrepancies in sigops counting and sighash behavior that could lead to chain splits.
The Zcash Foundation has released version 4.4.0 of Zebra, a Rust-based implementation of the Zcash protocol. The release addresses multiple security vulnerabilities, including various consensus-critical issues.
In a post on X, the team stated, “Zebra 4.4.0 contains fixes for multiple security vulnerabilities, including several consensus-critical issues. We strongly encourage all node operators to upgrade immediately.”
The main fixes
As per the official release, Zebra acts as an alternative to the reference zcashd client, offering a full node implementation written in Rust for improved safety and performance characteristics. The release also aims to patch vulnerabilities that could affect network stability and consensus integrity.
One of the critical fixes includes a permanent block discovery halt vulnerability (GHSA-28xj-328h-72vm). This issue opened the way for a remote attacker using a single TCP connection to saturate the gossip queue and degrade the syncer, hindering new block discovery without any bans or disconnections.
The fix rolls out stricter handling of empty responses to FindBlocks and FindHeaders messages.
Yet another notable fix relates to the consensus counting of block sigops (GHSA-jv4h-j224-23cc). Previously, Zebra did not count sigops in coinbase transactions, or aggregate P2SH redeem script sigops, toward the 20,000 sigop threshold. Consequently, there was a possibility that blocks considered valid by zcashd were rejected by Zebra.
The update also addresses a consensus difference in transparent sighash hash-type behavior (GHSA-gq4h-3grw-2rhv), which arises from stale buffer problems in the foreign function interface to the Bitcoin Script validation logic.
Additional fixes
Another bug fix corrects how the corresponding output is processed under SIGHASH_SINGLE for V5 transparent transactions, resolving another possible consensus difference. Moreover, there is an optimization that aims to mitigate allocation amplification in network inbound deserializers (GHSA-438q-jx8f-cccv).
In some cases, deserialization sized its buffers against transport-level upper bounds before applying the stricter limits the protocol requires, which allowed untrusted nodes to generate memory pressure.
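The allocation pattern described above, as an added Rust sketch that is not Zebra's code: the wire layout (a 4-byte little-endian count followed by 32-byte items) and every constant are assumptions chosen for illustration. It contrasts a count clamped only by a transport-level bound with a decoder that enforces the tighter per-message limit before allocating.

```rust
// Added illustration, not Zebra's code. Constants and layout are assumptions.
const TRANSPORT_MAX_BYTES: usize = 2 * 1024 * 1024; // hypothetical frame-size cap
const MAX_ITEMS: usize = 500; // hypothetical protocol limit for this message type
const ITEM_LEN: usize = 32; // constructed fixed-size item, e.g. a hash

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    TooManyItems(usize),
    LengthMismatch,
}

/// Bytes the weak pattern would reserve: the claimed count is clamped only to
/// the transport bound, so a 4-byte header can drive a very large reservation.
pub fn weak_reserved_bytes(claimed: usize) -> usize {
    claimed.min(TRANSPORT_MAX_BYTES) * ITEM_LEN
}

/// Hardened decode: apply the protocol limit and compare the claimed count
/// with the bytes actually received before allocating anything.
pub fn decode_items(payload: &[u8]) -> Result<Vec<[u8; ITEM_LEN]>, DecodeError> {
    if payload.len() < 4 {
        return Err(DecodeError::Truncated);
    }
    let (head, body) = payload.split_at(4);
    let claimed = u32::from_le_bytes([head[0], head[1], head[2], head[3]]) as usize;
    if claimed > MAX_ITEMS {
        return Err(DecodeError::TooManyItems(claimed));
    }
    if body.len() != claimed * ITEM_LEN {
        return Err(DecodeError::LengthMismatch);
    }
    let mut items = Vec::with_capacity(claimed); // bounded by MAX_ITEMS
    for chunk in body.chunks_exact(ITEM_LEN) {
        let mut item = [0u8; ITEM_LEN];
        item.copy_from_slice(chunk);
        items.push(item);
    }
    Ok(items)
}

fn main() {
    // Constructed input: the header claims u32::MAX items and the body is empty.
    let header = u32::MAX.to_le_bytes();
    println!("weak pattern reserves {} bytes", weak_reserved_bytes(u32::MAX as usize));
    println!("hardened decoder returns {:?}", decode_items(&header));
}
```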
Zcash developers recently patched four vulnerabilities after flagging a series of flaws that could crash nodes and risk network splits. The emergency fixes were released as zcashd v6.12.1 and Zebra v4.3.1, addressing four flaws recognized via a coordinated disclosure process and prompting quick upgrades across the ecosystem.
Upgrade recommended
The Zcash Foundation stated that there are currently no workarounds for the consensus-related vulnerabilities, urging all node operators to upgrade immediately to maintain chain consistency and security.
Zebra 4.4.0 can be downloaded from the GitHub page of the official project. Although the development team continues to support Zebra and the whole Zcash environment, the network faces difficulties in gaining popularity compared with other privacy-oriented and smart-contract-oriented blockchains, but it still manages to retain its users due to its focus on privacy features.
