New releases remediate memory exhaustion vulnerability in Zcash

Releases 5.3.3 and 5.4.2 harden zcashd code and remediate vulnerabilities inherited from Bitcoin Core that may have affected more than 280 chains, according to blockchain security firm Halborn.

We have no evidence that an exploit has occurred on the Zcash network, and these bugs do not compromise user privacy or impact Zcash supply. As always, if you notice any unusual activity in your node, please report it to [email protected].

All Zcash node operators on 5.3.1 or 5.3.2 should update to 5.3.3 immediately, and all Zcash node operators on 5.4.0 or 5.4.1 should update to 5.4.2 immediately. Prebuilt binaries and Debian packages will be available in the next few hours.

The vulnerabilities, discovered by Halborn in a 2022 audit of Dogecoin, were first disclosed to ECC and contributors to other affected networks on Feb. 14, and more details were relayed in a Feb. 17 call. ECC initiated our security process immediately and began coordinating with ZecSec.com, the independent Zcash-community-funded security team, and with Zcash Foundation, which analyzed the impact on zebrad, its own implementation of a Zcash node. We also reached out to Horizen, Komodo, and other teams with whom we have disclosure agreements.

Within days, we had zcashd patches ready for third-party testing, but the public releases have been delayed to allow other projects time to complete their own remediations and to allow for coordinated communications, given the sensitive nature of the vulnerabilities.

Halborn found that the bugs could allow an attacker to utilize peer-to-peer network messages to fill the memory of a node and crash it. By crashing other people’s mining nodes, an attacker could potentially reduce, by around one half, the amount of hashpower they would need to mount a 51% attack on the Zcash network. A successful 51% attack could potentially be used to execute a double-spend attack, which could result in users who received transactions from the attackers losing their funds. We have no reason to believe that the Zcash network is currently vulnerable to a 51% attack — with or without the “one half discount” on the attack cost — but out of an abundance of caution, we’ve hardened the zcashd nodes so that they cannot be crashed using this bug.

ECC has a record of fast, coordinated responses to incidents like this and is well-known for delivering safe and secure technology for Zcash users and other privacy-minded projects. For our latest news and product updates, please follow @electriccoinco on Twitter.