We now have not too long ago launched Zebra 4.5.3 and Zebra 5.0.0. These two releases work collectively to deal with a crucial bug within the Orchard Motion circuit: 4.5.3 applied an emergency gentle fork that quickly disabled Orchard actions whereas the repair was being ready, and 5.0.0 activated NU6.2, which re-enables Orchard utilizing the corrected circuit.
We strongly urge all node operators to improve to Zebra 5.0.0 as quickly as attainable, or to 4.5.3 if you’re unable to improve to five.0.0 earlier than the NU6.2 activation top.
What occurred
On Friday, Could 29, Taylor Hornby — an impartial safety researcher conducting an ongoing protocol audit on behalf of Shielded Labs — found a crucial soundness vulnerability within the Orchard zero-knowledge proof circuit. Taylor responsibly disclosed the difficulty to ZODL core engineers that night.
Inside hours, ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the difficulty and commenced evaluating remediation choices. Over the next days, engineers, infrastructure operators, miners, and different ecosystem contributors labored collectively to arrange a coordinated improve, all whereas retaining particulars of the flaw personal to reduce the danger of exploitation earlier than a repair may very well be deployed.
Personal coordination with miners and exchanges started on the night of Sunday, Could 31. A primary soft-fork activation try encountered coordination challenges throughout patch deployment; ZODL engineers shortly produced a second patch concentrating on block top 3,363,426, which efficiently activated at roughly 02:00 UTC on June 2. This gentle fork quickly rejected all Orchard-containing transactions and blocks.
On Wednesday, June 3, at 00:05 EDT, the NU6.2 hard-fork community improve activated efficiently, re-enabling Orchard with the corrected circuit. This was the second security-driven protocol improve in Zcash historical past since its launch in 2016.
The vulnerability was caught earlier than any recognized exploitation occurred. There isn’t a proof of unauthorized worth creation. Zcash’s turnstile mechanism (which tracks the overall ZEC stability throughout all worth swimming pools) confirmed that the overall provide remained intact all through. Consumer privateness was not affected. Sapling and clear transactions continued working usually all through the incident.
The Vulnerability
The problem was a soundness bug within the implementation of the Orchard zero-knowledge proof circuit within the halo2_gadgets crate.
In a protocol like Zcash, soundness means the system ought to solely settle for legitimate transactions and state transitions. A soundness vulnerability is one that might permit the system to simply accept one thing it ought to reject. On this case, profitable exploitation might have allowed the Orchard pool to simply accept invalid state transitions, doubtlessly allowing double-spending of funds inside Orchard, although with no means to inflate the overall ZEC provide, which is protected by Zcash’s turnstile mechanism.
Affected variations
This vulnerability impacts:
- All variations of
halo2_gadgetsprevious to v0.5.0 - All variations of
orchardprevious to v0.14.0 - All variations of
zcash_primitivesprevious to v0.28.0 zcashdv5.0.0–v6.12.3zebradvariations beneath v4.5.1 (all earlier releases)
Zebra 4.5.3: Emergency Gentle Fork
Zebra 4.5.3 implements the gentle fork that quickly disables Orchard actions. After the activation top, nodes reject any transaction or block containing Orchard actions. To protect community connectivity in the course of the improve window, 4.5.3 doesn’t improve the DoS rating of friends that proceed to relay Orchard-containing blocks or transactions.
A direct patch would have revealed an excessive amount of concerning the nature of the flaw to anybody with entry to the up to date code. Disabling Orchard as a primary step restricted the disclosure of vulnerability particulars whereas the circuit repair was finalized.
Safety
- GHSA-jfw5-j458-pfv6 (Vital): Quickly disables Orchard actions through gentle fork at top 3,363,426 on Mainnet to mitigate a crucial soundness bug within the Orchard Motion circuit. Orchard is re-enabled within the follow-on NU6.2 improve in Zebra 5.0.0.
Modified
- Set the soft-fork activation top for Orchard-disabling to dam top 3,363,426 on Mainnet.
- Nodes working 4.5.3 don’t penalize friends for relaying Orchard-containing knowledge in the course of the interim window.
Upgrading
Node operators who can not instantly transfer to Zebra 5.0.0 ought to improve to 4.5.3 to remain on the proper chain. You’ll find the discharge on GitHub.
Zebra 5.0.0: NU6.2 Community Improve
Zebra 5.0.0 prompts the NU6.2 community improve, which re-enables Orchard actions utilizing the corrected circuit and completely closes the vulnerability addressed by the 4.5.3 gentle fork. A tough fork was required as a result of remediating a zero-knowledge proof circuit bug requires updating the pinned verifying key, a change that can not be made by way of a node software program patch alone.
NU6.2 prompts at:
- Mainnet: block top 3,364,600
- Testnet: block top 4,052,000
We suggest all node operators improve earlier than the mainnet activation top. If the activation top has already handed and your node adopted a fork, you’ll need to sync from scratch, or from a backed-up state taken earlier than the activation top.
Added
- Activate the NU6.2 community improve (consensus department ID
0x5437f330) at top 3,364,600 on Mainnet and 4,052,000 on Testnet. NU6.2 re-enables Orchard actions with the fastened Orchard Motion circuit and routes Orchard proofs to a per-circuit verifying key (InsecurePreNu6_2 / FixedPostNu6_2). - Promote community protocol model 170150 for NU6.2 on Mainnet, Testnet, and Regtest.
Modified
- Set the default Testnet non permanent Orchard-disabling soft-fork top to 4,048,500; the disable window runs till NU6.2 re-enables Orchard actions at top 4,052,000.
Safety
- GHSA-jfw5-j458-pfv6: Add a consensus rule that rejects Orchard bundles whose proof has a non-canonical measurement, efficient from the NU6.2 activation top. This completely closes the vulnerability that the 4.5.3 gentle fork mitigated.
Upgrading
We strongly suggest all Zebra node operators improve to five.0.0 earlier than block top 3,364,600 on Mainnet. Upgrading is the one means to make sure your node follows the proper chain after NU6.2 prompts. You’ll find the discharge on GitHub.
Why the Orchard pool issues
The Orchard shielded pool is the centerpiece of Zcash’s privateness structure, launched with NU5 in 2022. Constructed on the Halo 2 proving system, it’s the first Zcash pool to require no trusted setup, a long-standing objective for the ecosystem. Over the previous yr it has grown considerably, and right this moment holds a considerable fraction of circulating ZEC.
Zcash’s turnstile mechanism, which tracks the overall ZEC stability throughout all worth swimming pools (Sprout, Sapling, Orchard, clear, and lockbox) and enforces invariants on how a lot worth can circulate between them, was an necessary a part of what made this incident manageable. It supplied a floor fact that ecosystem contributors might use to substantiate the provision cap remained intact, even whereas the Orchard circuit repair was being developed.
Coordinated response
This improve succeeded as a result of the required items had been already in place: ongoing safety overview by impartial researchers, established accountable disclosure procedures, skilled protocol engineers, and a community of impartial contributors who acted shortly when required.
ZODL developed the remediation and led coordination, however the improve required voluntary cooperation from miners, node operators, infrastructure operators, exchanges, pockets suppliers, and different community contributors, all performing independently round a shared objective of defending customers and preserving the integrity of the community.
Not like contentious forks typically seen throughout the trade, this was a safety response. The problem was found, responsibly disclosed, confirmed, remediated, and resolved in a couple of days. We’re happy with how the ecosystem got here collectively.
Acknowledgments
The Zcash Basis extends its honest due to Taylor Hornby for locating and responsibly disclosing this vulnerability, and to Shielded Labs for supporting the impartial safety analysis that made it attainable.
We’re grateful to the ZODL engineers whose deep protocol experience made a speedy remediation attainable, specifically Jack Grigg, Daira-Emma Hopwood, and Kris Nuttycombe.
Particular recognition goes to Arya Solhi of the Zcash Basis, who was instrumental in growing the Zebra patches that enabled the community improve.
We additionally thank the miners, node operators, exchanges, pockets suppliers, and infrastructure groups who reviewed and adopted the improve shortly, and all ecosystem companions who had been notified and coordinated alongside us.
Thank You to Our Contributors
Zebra 4.5.3 and 5.0.0 had been made attainable by the work of @arya2 and @conradoplg, in addition to the ZODL engineers. Thanks in your continued dedication to Zebra.
Zebra is the Zcash Basis’s impartial, Rust-based implementation of the Zcash protocol. Be taught extra at github.com/ZcashFoundation/zebra.