Thursday, June 4, 2026

Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation

We have recently released Zebra 4.5.3 and Zebra 5.0.0. These two releases work together to address a critical bug in the Orchard Action circuit: 4.5.3 implemented an emergency soft fork that temporarily disabled Orchard actions while the fix was being prepared, and 5.0.0 activated NU6.2, which re-enables Orchard using the corrected circuit.

We strongly urge all node operators to upgrade to Zebra 5.0.0 as soon as possible, or to 4.5.3 if you are unable to upgrade to 5.0.0 before the NU6.2 activation height.


What happened

On Friday, May 29, Taylor Hornby, an independent security researcher conducting an ongoing protocol audit on behalf of Shielded Labs, discovered a critical soundness vulnerability in the Orchard zero-knowledge proof circuit. Taylor responsibly disclosed the issue to ZODL core engineers that evening.

Within hours, ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the issue and began evaluating remediation options. Over the following days, engineers, infrastructure operators, miners, and other ecosystem participants worked together to prepare a coordinated upgrade, all while keeping details of the flaw private to minimize the risk of exploitation before a fix could be deployed.

Private coordination with miners and exchanges began on the evening of Sunday, May 31. A first soft-fork activation attempt encountered coordination challenges during patch deployment; ZODL engineers quickly produced a second patch targeting block height 3,363,426, which successfully activated at approximately 02:00 UTC on June 2. This soft fork temporarily rejected all Orchard-containing transactions and blocks.

On Wednesday, June 3, at 00:05 EDT, the NU6.2 hard-fork network upgrade activated successfully, re-enabling Orchard with the corrected circuit. This was the second security-driven protocol upgrade in Zcash history since its launch in 2016.

The vulnerability was caught before any known exploitation occurred. There is no evidence of unauthorized value creation. Zcash’s turnstile mechanism (which tracks the total ZEC balance across all value pools) confirmed that the total supply remained intact throughout. User privacy was not affected. Sapling and transparent transactions continued operating normally throughout the incident.


The Vulnerability

The issue was a soundness bug in the implementation of the Orchard zero-knowledge proof circuit in the halo2_gadgets crate.

In a protocol like Zcash, soundness means the system should only accept valid transactions and state transitions. A soundness vulnerability is one that could allow the system to accept something it should reject. In this case, successful exploitation could have allowed the Orchard pool to accept invalid state transitions, potentially permitting double-spending of funds within Orchard, though with no ability to inflate the total ZEC supply, which is protected by Zcash’s turnstile mechanism.

Affected versions

This vulnerability affects:

  • All versions of halo2_gadgets prior to v0.5.0
  • All versions of orchard prior to v0.14.0
  • All versions of zcash_primitives prior to v0.28.0
  • zcashd v5.0.0–v6.12.3
  • zebrad versions below v4.5.1 (all earlier releases)
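
A lockfile check for the three Rust crates in the list above, as an added example that is not part of the original post or of the Zebra project: it scans Cargo.lock text and reports any of those crates pinned below its first fixed version. The sample lockfile and the helper names (`is_affected`, `field`, `audit_lockfile`) are constructed for illustration, and treating a pre-release of the fixed version as affected is an assumption; zcashd and zebrad binaries are not covered.

```rust
// Added example, not Zebra code. First fixed versions, from the list above.
const FIXED: [(&str, (u64, u64, u64)); 3] =
    [("halo2_gadgets", (0, 5, 0)), ("orchard", (0, 14, 0)), ("zcash_primitives", (0, 28, 0))];
// Constructed sample lockfile; these versions are illustrative only.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "halo2_gadgets"
version = "0.4.0"
[[package]]
name = "orchard"
version = "0.14.0"
[[package]]
name = "zcash_primitives"
version = "0.28.0-rc.1"
"#;

/// Older than `fixed`? Unparsable versions and pre-releases of `fixed` count as affected.
fn is_affected(version: &str, fixed: (u64, u64, u64)) -> bool {
    let no_build = version.split('+').next().unwrap_or(version);
    let (core, pre) = no_build.split_once('-').map_or((no_build, false), |(c, _)| (c, true));
    let nums: Result<Vec<u64>, _> = core.split('.').map(|p| p.parse::<u64>()).collect();
    match nums.as_deref() {
        Ok([a, b, c]) => (*a, *b, *c) < fixed || (pre && (*a, *b, *c) == fixed),
        _ => true, // fail closed on anything that is not MAJOR.MINOR.PATCH
    }
}

/// Extract the quoted value from a `key = "value"` line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    Some(line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim().trim_matches('"'))
}

/// Return (name, version) for each affected package in Cargo.lock text.
fn audit_lockfile(lock: &str) -> Vec<(String, String)> {
    let (mut findings, mut name) = (Vec::new(), "");
    for line in lock.lines().map(str::trim) {
        if let Some(v) = field(line, "name") {
            name = v; // Cargo.lock lists `name` before `version` in each package
        } else if let Some(v) = field(line, "version") {
            let fixed = FIXED.iter().find(|(c, _)| *c == name).map(|(_, f)| *f);
            if fixed.map_or(false, |f| is_affected(v, f)) {
                findings.push((name.to_string(), v.to_string()));
            }
        }
    }
    findings
}
fn main() {
    audit_lockfile(SAMPLE_LOCK).iter().for_each(|(n, v)| println!("AFFECTED: {n} {v}"));
}
```

Pass the contents of a project's real Cargo.lock to `audit_lockfile` in place of the sample; an empty result means none of the three crates is pinned below its fixed version.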

Zebra 4.5.3: Emergency Soft Fork

Zebra 4.5.3 implements the soft fork that temporarily disables Orchard actions. After the activation height, nodes reject any transaction or block containing Orchard actions. To preserve network connectivity during the upgrade window, 4.5.3 doesn’t increase the DoS score of peers that continue to relay Orchard-containing blocks or transactions.

A direct patch would have revealed too much about the nature of the flaw to anyone with access to the updated code. Disabling Orchard as a first step limited the disclosure of vulnerability details while the circuit fix was finalized.

Security

  • GHSA-jfw5-j458-pfv6 (Critical): Temporarily disables Orchard actions via soft fork at height 3,363,426 on Mainnet to mitigate a critical soundness bug in the Orchard Action circuit. Orchard is re-enabled in the follow-on NU6.2 upgrade in Zebra 5.0.0.

Changed

  • Set the soft-fork activation height for Orchard-disabling to block height 3,363,426 on Mainnet.
  • Nodes running 4.5.3 don’t penalize peers for relaying Orchard-containing data during the interim window.

Upgrading

Node operators who can’t immediately move to Zebra 5.0.0 should upgrade to 4.5.3 to stay on the correct chain. You can find the release on GitHub.


Zebra 5.0.0: NU6.2 Network Upgrade

Zebra 5.0.0 activates the NU6.2 network upgrade, which re-enables Orchard actions using the corrected circuit and permanently closes the vulnerability addressed by the 4.5.3 soft fork. A hard fork was required because remediating a zero-knowledge proof circuit bug requires updating the pinned verifying key, a change that can’t be made through a node software patch alone.

NU6.2 activates at:

  • Mainnet: block height 3,364,600
  • Testnet: block height 4,052,000

We recommend all node operators upgrade before the mainnet activation height. If the activation height has already passed and your node followed a fork, you’ll need to sync from scratch, or from a backed-up state taken before the activation height.

Added

  • Activate the NU6.2 network upgrade (consensus branch ID 0x5437f330) at height 3,364,600 on Mainnet and 4,052,000 on Testnet. NU6.2 re-enables Orchard actions with the fixed Orchard Action circuit and routes Orchard proofs to a per-circuit verifying key (InsecurePreNu6_2 / FixedPostNu6_2).
  • Advertise network protocol version 170150 for NU6.2 on Mainnet, Testnet, and Regtest.

Changed

  • Set the default Testnet temporary Orchard-disabling soft-fork height to 4,048,500; the disable window runs until NU6.2 re-enables Orchard actions at height 4,052,000.

Security

  • GHSA-jfw5-j458-pfv6: Add a consensus rule that rejects Orchard bundles whose proof has a non-canonical size, effective from the NU6.2 activation height. This permanently closes the vulnerability that the 4.5.3 soft fork mitigated.

Upgrading

We strongly recommend all Zebra node operators upgrade to 5.0.0 before block height 3,364,600 on Mainnet. Upgrading is the only way to ensure your node follows the correct chain after NU6.2 activates. You can find the release on GitHub.


Why the Orchard pool matters

The Orchard shielded pool is the centerpiece of Zcash’s privacy architecture, introduced with NU5 in 2022. Built on the Halo 2 proving system, it’s the first Zcash pool to require no trusted setup, a long-standing goal for the ecosystem. Over the past year it has grown significantly, and today holds a substantial fraction of circulating ZEC.

Zcash’s turnstile mechanism, which tracks the total ZEC balance across all value pools (Sprout, Sapling, Orchard, transparent, and lockbox) and enforces invariants on how much value can flow between them, was an important part of what made this incident manageable. It provided a ground truth that ecosystem participants could use to confirm the supply cap remained intact, even while the Orchard circuit fix was being developed.


Coordinated response

This upgrade succeeded because the necessary pieces were already in place: ongoing security review by independent researchers, established responsible disclosure procedures, experienced protocol engineers, and a network of independent participants who acted quickly when required.

ZODL developed the remediation and led coordination, but the upgrade required voluntary cooperation from miners, node operators, infrastructure operators, exchanges, wallet providers, and other network participants, all acting independently around a shared goal of protecting users and preserving the integrity of the network.

Unlike contentious forks sometimes seen across the industry, this was a security response. The issue was discovered, responsibly disclosed, confirmed, remediated, and resolved in a few days. We’re proud of how the ecosystem came together.


Acknowledgments

The Zcash Foundation extends its sincere thanks to Taylor Hornby for discovering and responsibly disclosing this vulnerability, and to Shielded Labs for supporting the independent security research that made it possible.

We’re grateful to the ZODL engineers whose deep protocol expertise made a rapid remediation possible, especially Jack Grigg, Daira-Emma Hopwood, and Kris Nuttycombe.

Special recognition goes to Arya Solhi of the Zcash Foundation, who was instrumental in developing the Zebra patches that enabled the network upgrade.

We also thank the miners, node operators, exchanges, wallet providers, and infrastructure teams who reviewed and adopted the upgrade quickly, and all ecosystem partners who were notified and coordinated alongside us.


Thank You to Our Contributors

Zebra 4.5.3 and 5.0.0 were made possible by the work of @arya2 and @conradoplg, as well as the ZODL engineers. Thank you for your continued dedication to Zebra.


Zebra is the Zcash Foundation’s independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.
