We're releasing Zebra 4.5.1 immediately. This release includes a fix for a consensus-critical security vulnerability, and we strongly encourage all node operators to upgrade immediately.
Note that 4.5.0 was released yesterday, so if you have just updated, unfortunately you will need to update again.
Security Advisories
GHSA-2prc-cj5x-4443: P2SH Sigop Undercount Not Properly Fixed (Critical)
The fix for GHSA-gf9r-m956-97qx was not correct; the sigop counting was fixed by switching to a pure C++ implementation which should match the zcashd implementation. However, the actual function used counted sigops in "legacy" mode, but for consensus, an accurate count is required. Thus the possibility of a consensus divergence still existed.
We fixed this by reverting to the Rust implementation previously used, but fixed the original discrepancy that it had (it stopped counting sigops when it encountered a disabled opcode, but it should keep counting).
Thanks to @sangsoo-osec for reporting this issue.
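An added illustration, not Zebra's or zcashd's code: a sigop counter written to the Bitcoin-style script rules (assumed here to be the ones zcashd follows), showing how the "legacy" and accurate counts differ and that a disabled opcode such as OP_CAT does not end the count. The function name, constants and sample scripts are constructed for this example.

```rust
// Standard Bitcoin-style script opcode values (assumed to apply to Zcash scripts).
const OP_1: u8 = 0x51;
const OP_16: u8 = 0x60;
const OP_CAT: u8 = 0x7e; // one of the disabled opcodes
const OP_CHECKSIG: u8 = 0xac;
const OP_CHECKSIGVERIFY: u8 = 0xad;
const OP_CHECKMULTISIG: u8 = 0xae;
const OP_CHECKMULTISIGVERIFY: u8 = 0xaf;
const MAX_PUBKEYS_PER_MULTISIG: u32 = 20;

/// Legacy mode (`accurate == false`) charges every CHECKMULTISIG 20 sigops;
/// accurate mode uses a directly preceding OP_1..OP_16 as the key count.
pub fn sigop_count(script: &[u8], accurate: bool) -> u32 {
    let (mut n, mut i, mut last) = (0u32, 0usize, 0xffu8);
    while i < script.len() {
        let op = script[i];
        i += 1;
        // Skip push payloads so data bytes are never read as opcodes.
        let (len_bytes, direct) = match op {
            0x01..=0x4b => (0, op as usize), // direct push of `op` bytes
            0x4c => (1, 0),                  // OP_PUSHDATA1
            0x4d => (2, 0),                  // OP_PUSHDATA2
            0x4e => (4, 0),                  // OP_PUSHDATA4
            _ => (0, 0),
        };
        if script.len() - i < len_bytes { break; } // truncated length field
        let mut data_len = direct;
        for k in 0..len_bytes { data_len |= (script[i + k] as usize) << (8 * k); }
        i += len_bytes;
        if script.len() - i < data_len { break; } // truncated push ends parsing
        i += data_len;
        match op {
            OP_CHECKSIG | OP_CHECKSIGVERIFY => n += 1,
            OP_CHECKMULTISIG | OP_CHECKMULTISIGVERIFY => {
                let exact = accurate && (OP_1..=OP_16).contains(&last);
                n += if exact { (last - OP_1 + 1) as u32 } else { MAX_PUBKEYS_PER_MULTISIG };
            }
            _ => {} // disabled opcodes (e.g. OP_CAT) are skipped; counting goes on
        }
        last = op;
    }
    n
}

fn main() {
    let s = [OP_CAT, 0x52, OP_CHECKMULTISIG, OP_CHECKSIG]; // constructed sample script
    println!("legacy={} accurate={}", sigop_count(&s, false), sigop_count(&s, true));
}
```

Two validators that disagree on either behaviour can compute different sigop totals for the same block and so disagree on whether it exceeds the limit, which is the divergence the advisory describes.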
Upgrading
We strongly recommend all Zebra node operators upgrade to 4.5.1 as soon as possible, due to the consensus vulnerability described above. There are no known workarounds; upgrading is the only way to ensure your node stays on the correct chain and is protected against the issues listed in this release. You can find the release on GitHub.
Acknowledgments
Thank you @sangsoo-osec for quickly identifying the issue.
Zebra is the Zcash Foundation's independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.
