Major Security Release: Zebra 4.4.0 Now Available

In a move to bolster network integrity, the Zcash Foundation has deployed Zebra version 4.4.0. This release is categorized as critical, containing patches for several security vulnerabilities that could impact network consensus and node resilience. All node operators are urged to implement this update without delay.

In-Depth Look at Critical Fixes

The update addresses multiple core issues that posed risks to the network's fundamental operations:

  • Consensus Vulnerability Patch: Fixed an insufficient sigops counting issue within the block validator. This flaw previously created a discrepancy where Zebra could accept blocks that other major clients would reject, a potential vector for chain splits.
  • Denial-of-Service Mitigation: Resolved a vulnerability that could be exploited to cause a node to permanently halt discovery of new blocks, effectively crippling its functionality.
  • FFI Bridge Correction: Remedied inadequate error handling in a Foreign Function Interface bridge, which was a source of consensus divergence on transparent signature hash calculations.
  • Memory Safety Enhancement: Patched a memory allocation amplification risk during inbound network message deserialization, improving node stability under load.
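The "memory allocation amplification" class of bug named in the last item is worth seeing concretely. The Rust example below is added here for illustration and is not Zebra's code or its wire format: it uses a constructed toy message (a 4-byte little-endian count followed by 32-byte entries) and an assumed cap `MAX_ENTRIES`. The naive decoder sizes its allocation from the untrusted count, so a 4-byte message can request gigabytes; the hardened decoder bounds the count by a fixed maximum and by the bytes actually received, so allocation stays proportional to input.

```rust
use std::convert::TryInto;

/// Hard cap on entries a single message may declare.
/// Constructed value for this example, not a Zebra constant.
const MAX_ENTRIES: usize = 1_000;
/// Each entry is a 32-byte hash in this toy format (constructed).
const ENTRY_LEN: usize = 32;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    TooManyEntries(usize),
}

/// Naive decoder: trusts the declared count and sizes the allocation from it.
/// Returns the number of bytes `Vec::<[u8; 32]>::with_capacity(count)` would
/// request; the allocation itself is not performed so the example is safe to run.
pub fn naive_reserved_bytes(msg: &[u8]) -> Result<usize, ParseError> {
    if msg.len() < 4 {
        return Err(ParseError::Truncated);
    }
    let count = u32::from_le_bytes(msg[..4].try_into().unwrap()) as usize;
    Ok(count.saturating_mul(ENTRY_LEN))
}

/// Hardened decoder: rejects counts above MAX_ENTRIES and counts larger than
/// the payload actually present before allocating anything.
pub fn parse_hashes(msg: &[u8]) -> Result<Vec<[u8; 32]>, ParseError> {
    if msg.len() < 4 {
        return Err(ParseError::Truncated);
    }
    let count = u32::from_le_bytes(msg[..4].try_into().unwrap()) as usize;
    if count > MAX_ENTRIES {
        return Err(ParseError::TooManyEntries(count));
    }
    let body = &msg[4..];
    let needed = count * ENTRY_LEN; // cannot overflow: count <= MAX_ENTRIES
    if body.len() < needed {
        return Err(ParseError::Truncated);
    }
    // Allocation is now bounded by MAX_ENTRIES * ENTRY_LEN and by input length.
    let mut out = Vec::with_capacity(count);
    for chunk in body[..needed].chunks_exact(ENTRY_LEN) {
        out.push(chunk.try_into().unwrap());
    }
    Ok(out)
}

/// Build a constructed sample message declaring `declared` entries but
/// carrying `present` entries of filler bytes.
pub fn sample_message(declared: u32, present: usize) -> Vec<u8> {
    let mut m = declared.to_le_bytes().to_vec();
    m.extend(std::iter::repeat(0xAB_u8).take(present * ENTRY_LEN));
    m
}

fn main() {
    // A 4-byte message that claims u32::MAX entries.
    let hostile = sample_message(u32::MAX, 0);
    println!(
        "naive decoder would reserve {} bytes for a {}-byte message",
        naive_reserved_bytes(&hostile).unwrap(),
        hostile.len()
    );
    println!("hardened decoder: {:?}", parse_hashes(&hostile));

    let ok = sample_message(2, 2);
    println!("hardened decoder accepts {} entries", parse_hashes(&ok).unwrap().len());
}
```

The same two checks (a fixed upper bound plus "do not trust a length you have not yet received") are the usual defence for any length-prefixed network format; the fixed bound is what keeps peak memory independent of how many peers send such messages at once.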

Performance Tweaks and Maintenance

Alongside security patches, version 4.4.0 introduces functional improvements:

  • Implemented resource limits for the indexer gRPC server and RPC request body sizes to prevent resource exhaustion attacks.
  • Added an nTx field to getblock responses to directly report the number of transactions in a block.
  • Updated the librustzcash dependency stack to clear a documented security advisory, proactively maintaining the codebase's security posture.

The release of Zebra 4.4.0 represents a necessary step in fortifying the Zcash network. Prompt adoption by the node operator community is essential for collective security.