We're releasing Zebra 4.5.1 today. This release includes a fix for a consensus-critical security vulnerability, and we strongly encourage all node operators to upgrade immediately.
Note that 4.5.0 was released yesterday, so if you have just updated, unfortunately you will need to update again.
Security Advisories
GHSA-2prc-cj5x-4443: P2SH Sigop Undercount Not Properly Fixed (Critical)
The fix for GHSA-gf9r-m956-97qx was not correct; the sigop counting was fixed by switching to a pure C++ implementation which should match the zcashd implementation. However, the particular function used counted sigops in "legacy" mode, but for consensus, an accurate count is required. Thus the possibility of a consensus divergence still existed.
We fixed this by reverting to the Rust implementation previously used, but fixed the original discrepancy that it had (it stopped counting sigops when it encountered a disabled opcode, but it should keep counting).
Thanks to @sangsoo-osec for reporting this issue.
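The difference between "legacy" and accurate counting, and why a counter must keep going past a disabled opcode, shown as an added Rust example (not Zebra's or zcashd's code). It assumes the Bitcoin-derived script rules that zcashd inherits (opcode values, 20 sigops per multisig in legacy mode); `sigop_count` and `SAMPLE` are hypothetical names.

```rust
// Added illustration, not Zebra's or zcashd's code. Opcode values follow the
// Bitcoin-derived script encoding (assumption stated in the lead-in).
const OP_PUSHDATA1: u8 = 0x4c;
const OP_PUSHDATA4: u8 = 0x4e;
const OP_1: u8 = 0x51;
const OP_16: u8 = 0x60;
const OP_CAT: u8 = 0x7e; // a disabled opcode
const OP_CHECKSIG: u8 = 0xac;
const OP_CHECKSIGVERIFY: u8 = 0xad;
const OP_CHECKMULTISIG: u8 = 0xae;
const OP_CHECKMULTISIGVERIFY: u8 = 0xaf;
const MAX_PUBKEYS_PER_MULTISIG: u32 = 20;
// Constructed sample: OP_CAT, OP_2, OP_CHECKMULTISIG, OP_CHECKSIG.
pub const SAMPLE: [u8; 4] = [OP_CAT, 0x52, OP_CHECKMULTISIG, OP_CHECKSIG];

/// Count sigops. `accurate` takes the key count from a preceding OP_1..OP_16;
/// legacy mode always charges 20 per multisig.
pub fn sigop_count(script: &[u8], accurate: bool) -> u32 {
    let (mut n, mut i, mut last) = (0u32, 0usize, 0xffu8);
    while i < script.len() {
        let op = script[i];
        i += 1;
        // Skip push payloads so data bytes are never read as opcodes.
        let len = match op {
            0x01..=0x4b => op as usize,
            OP_PUSHDATA1..=OP_PUSHDATA4 => {
                let w = 1usize << (op - OP_PUSHDATA1); // 1, 2 or 4 length bytes
                if script.len() - i < w { break; } // truncated: stop parsing
                let l = script[i..i + w].iter().rev().fold(0usize, |a, &b| (a << 8) | b as usize);
                i += w;
                l
            }
            _ => 0,
        };
        if script.len() - i < len { break; } // truncated push: stop parsing
        i += len;
        match op {
            OP_CHECKSIG | OP_CHECKSIGVERIFY => n += 1,
            OP_CHECKMULTISIG | OP_CHECKMULTISIGVERIFY if accurate && (OP_1..=OP_16).contains(&last) =>
                n += u32::from(last - OP_1 + 1),
            OP_CHECKMULTISIG | OP_CHECKMULTISIGVERIFY => n += MAX_PUBKEYS_PER_MULTISIG,
            _ => {} // disabled opcodes such as OP_CAT land here: keep counting
        }
        last = op;
    }
    n
}

fn main() {
    println!("accurate={} legacy={}", sigop_count(&SAMPLE, true), sigop_count(&SAMPLE, false));
}
```

A counter that stopped at the leading `OP_CAT` would report 0 for the sample, while legacy mode reports 21 and accurate mode 3; any two nodes disagreeing on that number can disagree on block validity.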
Upgrading
We strongly recommend all Zebra node operators upgrade to 4.5.1 as soon as possible, due to the consensus vulnerability described above. There are no known workarounds; upgrading is the only way to ensure your node stays on the correct chain and is protected against the issues listed in this release. You can find the release on GitHub.
Acknowledgments
Thank you @sangsoo-osec for quickly identifying the issue.
Zebra is the Zcash Foundation's independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.
