New releases remediate reminiscence exhaustion vulnerability in Zcash

2 views 8:39 am 0 Comments May 27, 2023


Releases 5.3.3 and 5.4.2 harden zcashd code and remediate vulnerabilities inherited from Bitcoin Core that will have affected greater than 280 chains, based on blockchain safety agency Halborn.

We now have no proof that an exploit has occurred on the Zcash community, and these bugs don’t compromise consumer privateness or affect Zcash provide. As at all times, in case you discover any uncommon exercise in your node, please report it to [email protected]

All Zcash node operators on 5.3.1 or 5.3.2 ought to replace to 5.3.3 instantly, and all Zcash node operators on 5.4.0 or 5.4.1 ought to replace to 5.4.2 instantly. Prebuilt binaries and Debian packages will probably be out there within the subsequent few hours.

The vulnerabilities, found by Halborn in a 2022 audit of Dogecoin, had been first disclosed to ECC and contributors to different affected networks on Feb. 14, and extra particulars had been relayed in a Feb. 17 name. ECC initiated our safety course of instantly and commenced coordinating with ZecSec.com, the impartial Zcash-community-funded safety staff, and with Zcash Basis, who analyzed the affect on zebrad, its personal implementation of a Zcash node. We additionally reached out to Horizen, Komodo, and different groups with whom we’ve disclosure agreements.

Inside days, we had zcashd patches prepared for third-party testing, however the public releases have been delayed to permit different tasks time to finish their very own remediations and to permit for coordinated comms, given the delicate nature.

Halborn discovered that the bugs may permit an attacker to make the most of peer-to-peer community messages to fill the reminiscence of a node and crash it. By crashing different individuals’s mining nodes, an attacker may doubtlessly cut back, by round one half, the quantity of hashpower they would wish to mount a 51% assault on the Zcash community. A profitable 51% assault may doubtlessly be used to execute a double-spend assault, which may lead to customers who acquired transactions from the attackers shedding their funds. We now have no motive to imagine that the Zcash community is at the moment weak to a 51% assault — with or with out the “one half low cost” on the assault value — however out of an abundance of warning, we’ve hardened the zcashd nodes in order that they can’t be crashed utilizing this bug.

ECC has a document of quick, coordinated responses to incidents like this and is well-known for delivering protected and safe know-how for Zcash customers and different privacy-minded tasks. For our newest information and product updates, please observe @electriccoinco on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *