Zcash released emergency Zebra upgrades to fix a critical Orchard bug, protecting the network before exploitation and restoring operations.

Zcash Foundation Releases Zebra Emergency Upgrade to Fix Critical Orchard Bug

By /

Zcash released emergency Zebra upgrades to fix a critical Orchard bug, protecting the network before exploitation and restoring operations.

The Zcash Foundation moved fast to protect its network. The team released two new versions of its Zebra node software, versions 4.5.3 and 5.0.0, to fix a critical security bug in the Orchard Action circuit. The fix worked. The vulnerability was not exploited by any attacker until it was patched by the team. It is the second security-related protocol upgrade since the launch of the Zcash network in 2016.

Who was responsible for the discovery of the vulnerability?

Independent security researcher Taylor Hornby found the bug. While Hornby was performing an on-going protocol audit for Shielded Labs, he noticed a critical soundness issue in the Orchard zero-knowledge proof circuit.

Hornby acted responsibly. He reported it to the ZODL core engineers the same evening he discovered it.

What did engineers do about the bug?

The engineering team was very fast. ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe and Jack Grigg were able to confirm the problem within hours. They started to assess the problem and what they could do about it.

Reading more: SEC Closes Zcash Investigation Without Taking Action – Ledger Tribune

For the next few days, engineers, infrastructure operators, miners, and ecosystem members worked in secret. They have not shared the details of the flaw to minimise the possibility of it being exploited before they can release a fix.

What Did Zebra 4.5.3 Do?

The team started with an emergency soft fork. Private coordination with miners and exchanges started on Sunday, May 31st at night.

The first soft fork attempt faced coordination issues when deploying patches. A second patch was quickly created by engineers. This one targeted block height 3,363,426 and successfully activated at around 02:00 UTC on June 2.

Zebra 4.5.3 temporarily disabled all transactions and blocks that contained Orchard. This prevented any potential exploitation until the complete fix was ready.

What Did Zebra 5.0.0 Do?

The permanent solution came with Zebra 5.0.0. The NU6.2 hard fork successfully activated at block height 3,364,600 on Wednesday, June 3 at 00:05 EDT.

This upgrade restored Orchard transactions with the corrected circuit. The bug was gone. The network was fully operational again. Zebra node operators should upgrade to 5.0.0 as soon as possible.

The ZEC supply remained unchanged during the entire incident, as confirmed by Zcash’s turnstile mechanism. The mechanism monitors the total balance in all value pools, and will instantly identify any unauthorized value creation.

Was there a privacy or other transaction impact from the Bug?

There was no impact on user privacy at any stage. Sapling transactions and transparent transactions continued to run normally during the incident.

The emergency soft fork window only temporarily paused Orchard transactions. Orchard was then brought back online by the NU6.2 hard fork in Zebra 5.0.0.

The market reacted positively to the news. As per CoinGecko, the price of Zcash is currently trading at around $564.30, which is about 7.81 percent up in the last 24 hours.

What Does This Mean for the Zcash Network?

This incident shows how responsible disclosure and fast coordination can protect a network before damage occurs. The Zcash team, independent researchers, miners, and exchanges were all working diligently and effectively in the background, all under pressure.

The successful response also highlights the robustness of Zcash’s privacy architecture. The team maintained the privacy of users and other transaction types during an emergency protocol upgrade.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top