Security Announcement 2017-04-13

Synopsis: A bug related to transaction priority handling may allow an attacker to crash Zcash nodes (DoS) via a specially crafted transaction. A fix is implemented in zcashd release 1.0.8-1.

There is a separate release post documenting the included changes.

ZcashCo, and several exchanges, wallet vendors, and miners have already deployed a mitigation as well as detectors for this attack vector. No attacks have been detected.

Who is at Risk: Users are at risk who rely on zcashd releases starting with 1.0.4 up to and including 1.0.8.

We have collaborated with major exchanges, wallet providers, and miners and they have already mitigated this issue for their services.

Who is not at Risk: Users who have upgraded to zcashd 1.0.8-1, or rely on a service which has done so are not at risk.

How can at-risk users protect themselves?

  1. Upgrading to zcashd release 1.0.8-1 is the most certain protection.
  2. For users of third party services (such as exchanges, wallets, or mining pools), check if the service has announced upgrading to zcashd 1.0.8-1.

How can I tell if an attack is occurring? ZcashCo and several large exchanges, wallet providers, and miners have deployed sensors which detect attacks against this vector. In the event that an attack is detected, the ZcashCo will take the following actions:

  • The Zcash developers will issue an in-band alert, causing all zcashd nodes to announce the potential attack.

  • ZcashCo will always announce known ongoing attacks in these places:

  • ZcashCo will coordinate in private channels with major exchanges, wallet vendors, and mining outfits to alert them of the attack and to post their own announcements.

Note: The major exchanges, wallet vendors, and miners we are in communication with are already protected against such an attack.

Impact: If an attack transaction is successfully executed then only the users running vulnerable clients which have accepted the transaction in their mempool will be vulnerable. Accepting an attacker’s transaction with an old client may cause the Zcash client to crash.

Technical Background: Zcash, like Bitcoin, assigns a priority to transactions in order to decide whether they should be accepted into a node’s mempool. In practice the current transaction volume for Zcash is sufficiently low that this rarely has an effect, but the mechanism is still enabled. In Zcash 1.0.4, a change was made to this calculation to boost the priority of shielded transactions. However, an error in this code can –in circumstances that are normally rare, but can be forced by an attacker– result in an out-of-bounds memory access, which causes a segmentation fault.

Followup Announcements:

  • See the security notifications page for further updates on this issue, and any future security issue.
  • Continue to check this blog.

Acknowledgements

The Zcash Company would like to thank Juliano Rizzo from Coinspect and @movcrx from the Zclassic project for collaborating with us in analyzing and mitigating this issue.