We have recently released Zebra 4.5.3 and Zebra 5.0.0. These two releases work together to address a critical bug in the Orchard Action circuit: 4.5.3 implemented an emergency soft fork that temporarily disabled Orchard actions while the fix was being prepared, and 5.0.0 activated NU6.2, which re-enables Orchard using the corrected circuit.
We strongly urge all node operators to upgrade to Zebra 5.0.0 as soon as possible, or to 4.5.3 if you are unable to upgrade to 5.0.0 before the NU6.2 activation height.
What happened
On Friday, May 29, Taylor Hornby, an independent security researcher conducting an ongoing protocol audit on behalf of Shielded Labs, discovered a critical soundness vulnerability in the Orchard zero-knowledge proof circuit. Taylor responsibly disclosed the issue to ZODL core engineers that evening.
Within hours, ZODL engineers Daira-Emma Hopwood, Kris Nuttycombe, and Jack Grigg confirmed the issue and began evaluating remediation options. Over the following days, engineers, infrastructure operators, miners, and other ecosystem participants worked together to prepare a coordinated upgrade, all while keeping details of the flaw private to minimize the risk of exploitation before a fix could be deployed.
Private coordination with miners and exchanges began on the evening of Sunday, May 31. A first soft-fork activation attempt encountered coordination challenges during patch deployment; ZODL engineers quickly produced a second patch targeting block height 3,363,426, which successfully activated at approximately 02:00 UTC on June 2. This soft fork temporarily rejected all Orchard-containing transactions and blocks.
On Wednesday, June 3, at 00:05 EDT, the NU6.2 hard-fork network upgrade activated successfully, re-enabling Orchard with the corrected circuit. This was the second security-driven protocol upgrade in Zcash history since its launch in 2016.
The vulnerability was caught before any known exploitation occurred. There is no evidence of unauthorized value creation. Zcash’s turnstile mechanism (which tracks the total ZEC balance across all value pools) confirmed that the total supply remained intact throughout. User privacy was not affected. Sapling and transparent transactions continued operating normally throughout the incident.
The Vulnerability
The issue was a soundness bug in the implementation of the Orchard zero-knowledge proof circuit in the halo2_gadgets crate.
In a protocol like Zcash, soundness means the system should only accept valid transactions and state transitions. A soundness vulnerability is one that could allow the system to accept something it should reject. In this case, successful exploitation could have allowed the Orchard pool to accept invalid state transitions, potentially permitting double-spending of funds within Orchard, though with no ability to inflate the total ZEC supply, which is protected by Zcash’s turnstile mechanism.
Affected versions
This vulnerability affects:
- All versions of halo2_gadgets prior to v0.5.0
- All versions of orchard prior to v0.14.0
- All versions of zcash_primitives prior to v0.28.0
- zcashd v5.0.0–v6.12.3
- zebrad versions below v4.5.1 (all earlier releases)
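One way to check a Rust project against the library versions listed above, as an added example that is not code from Zebra or from the original post: it scans Cargo.lock text for the three crates and reports any that is locked below its first fixed version. The sample lockfile is constructed and the helper names are illustrative.

```rust
// Constructed Cargo.lock excerpt (sample input, not from a real project).
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "halo2_gadgets"
version = "0.3.1"
[[package]]
name = "orchard"
version = "0.14.0"
"#;

// First fixed version of each crate, from the "Affected versions" list.
const FIXED: [(&str, [u64; 3]); 3] =
    [("halo2_gadgets", [0, 5, 0]), ("orchard", [0, 14, 0]), ("zcash_primitives", [0, 28, 0])];

/// Extract the value from a `key = "value"` line of Cargo.lock.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Parse MAJOR.MINOR.PATCH; a pre-release or build suffix makes it unparseable.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let parsed = [parts.next()??, parts.next()??, parts.next()??];
    if parts.next().is_some() { None } else { Some(parsed) }
}

/// Return (name, version) for each listed crate locked below its fixed version.
fn affected_packages(lock: &str) -> Vec<(String, String)> {
    let (mut hits, mut name) = (Vec::new(), None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(n) = field(line, "name") {
            name = Some(n);
        } else if let (Some(n), Some(v)) = (name, field(line, "version")) {
            let min = FIXED.iter().find(|(c, _)| *c == n).map(|&(_, m)| m);
            // Versions that do not parse are reported for manual review.
            if min.map_or(false, |m| parse_version(v).map_or(true, |got| got < m)) {
                hits.push((n.to_string(), v.to_string()));
            }
        }
    }
    hits
}

fn main() {
    for (n, v) in affected_packages(SAMPLE_LOCK) { println!("AFFECTED: {n} {v}"); }
}
```

A version string with a pre-release suffix is reported rather than compared, so it gets a manual look instead of a silent pass.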
Zebra 4.5.3: Emergency Soft Fork
Zebra 4.5.3 implements the soft fork that temporarily disables Orchard actions. After the activation height, nodes reject any transaction or block containing Orchard actions. To preserve network connectivity during the upgrade window, 4.5.3 does not increase the DoS score of peers that continue to relay Orchard-containing blocks or transactions.
A direct patch would have revealed too much about the nature of the flaw to anyone with access to the updated code. Disabling Orchard as a first step limited the disclosure of vulnerability details while the circuit fix was finalized.
Security
- GHSA-jfw5-j458-pfv6 (Critical): Temporarily disables Orchard actions via soft fork at height 3,363,426 on Mainnet to mitigate a critical soundness bug in the Orchard Action circuit. Orchard is re-enabled in the follow-on NU6.2 upgrade in Zebra 5.0.0.
Changed
- Set the soft-fork activation height for Orchard-disabling to block height 3,363,426 on Mainnet.
- Nodes running 4.5.3 do not penalize peers for relaying Orchard-containing data during the interim window.
Upgrading
Node operators who cannot immediately move to Zebra 5.0.0 should upgrade to 4.5.3 to stay on the correct chain. You can find the release on GitHub.
Zebra 5.0.0: NU6.2 Network Upgrade
Zebra 5.0.0 activates the NU6.2 network upgrade, which re-enables Orchard actions using the corrected circuit and permanently closes the vulnerability addressed by the 4.5.3 soft fork. A hard fork was required because remediating a zero-knowledge proof circuit bug requires updating the pinned verifying key, a change that cannot be made by a node software patch alone.
NU6.2 activates at:
- Mainnet: block height 3,364,600
- Testnet: block height 4,052,000
We recommend all node operators upgrade before the mainnet activation height. If the activation height has already passed and your node followed a fork, you will need to sync from scratch, or from a backed-up state taken before the activation height.
Added
- Activate the NU6.2 network upgrade (consensus branch ID 0x5437f330) at height 3,364,600 on Mainnet and 4,052,000 on Testnet. NU6.2 re-enables Orchard actions with the fixed Orchard Action circuit and routes Orchard proofs to a per-circuit verifying key (InsecurePreNu6_2 / FixedPostNu6_2).
- Advertise network protocol version 170150 for NU6.2 on Mainnet, Testnet, and Regtest.
Changed
- Set the default Testnet temporary Orchard-disabling soft-fork height to 4,048,500; the disable window runs until NU6.2 re-enables Orchard actions at height 4,052,000.
Security
- GHSA-jfw5-j458-pfv6: Add a consensus rule that rejects Orchard bundles whose proof has a non-canonical size, effective from the NU6.2 activation height. This permanently closes the vulnerability that the 4.5.3 soft fork mitigated.
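The height windows from the two changelogs, modelled as an added example (not Zebra's code): it covers only the soft-fork disable window and the verifying-key routing, not the proof-size rule. It assumes both heights are inclusive lower bounds and that blocks below the disable height use the pre-NU6.2 key; all type and function names other than the two verifying-key labels are hypothetical.

```rust
#[derive(Clone, Copy, Debug, PartialEq)]
enum Network { Mainnet, Testnet }

// Labels follow the verifying-key names quoted in the 5.0.0 changelog.
#[derive(Debug, PartialEq)]
enum OrchardVk { InsecurePreNu6_2, FixedPostNu6_2 }

#[derive(Debug, PartialEq)]
enum Verdict {
    // Transaction carries no Orchard actions; these rules do not apply.
    NoOrchard,
    // Verify the Orchard proof against the key for this height range.
    Verify(OrchardVk),
    // Rejected inside the disable window; per the 4.5.3 notes the relaying
    // peer's DoS score is not increased.
    RejectDisabled { penalize_peer: bool },
}

/// (soft-fork disable height, NU6.2 activation height), as stated in the post.
fn heights(net: Network) -> (u32, u32) {
    match net {
        Network::Mainnet => (3_363_426, 3_364_600),
        Network::Testnet => (4_048_500, 4_052_000),
    }
}

/// Decide how a transaction with `orchard_actions` actions is treated at `height`.
/// Assumption: a rule applies from its stated height onward (inclusive).
fn orchard_verdict(net: Network, height: u32, orchard_actions: usize) -> Verdict {
    let (disable_at, nu6_2_at) = heights(net);
    if orchard_actions == 0 {
        Verdict::NoOrchard
    } else if height >= nu6_2_at {
        Verdict::Verify(OrchardVk::FixedPostNu6_2)
    } else if height >= disable_at {
        Verdict::RejectDisabled { penalize_peer: false }
    } else {
        // Assumption: historical blocks are checked with the pre-NU6.2 key.
        Verdict::Verify(OrchardVk::InsecurePreNu6_2)
    }
}

fn main() {
    for h in [3_363_425, 3_363_426, 3_364_599, 3_364_600] {
        println!("{h}: {:?}", orchard_verdict(Network::Mainnet, h, 2));
    }
}
```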
Upgrading
We strongly recommend all Zebra node operators upgrade to 5.0.0 before block height 3,364,600 on Mainnet. Upgrading is the only way to ensure your node follows the correct chain after NU6.2 activates. You can find the release on GitHub.
Why the Orchard pool matters
The Orchard shielded pool is the centerpiece of Zcash’s privacy architecture, introduced with NU5 in 2022. Built on the Halo 2 proving system, it is the first Zcash pool to require no trusted setup, a long-standing goal for the ecosystem. Over the past year it has grown significantly, and today holds a substantial fraction of circulating ZEC.
Zcash’s turnstile mechanism, which tracks the total ZEC balance across all value pools (Sprout, Sapling, Orchard, transparent, and lockbox) and enforces invariants on how much value can flow between them, was an important part of what made this incident manageable. It provided a ground truth that ecosystem participants could use to confirm the supply cap remained intact, even while the Orchard circuit fix was being developed.
Coordinated response
This upgrade succeeded because the necessary pieces were already in place: ongoing security review by independent researchers, established responsible disclosure procedures, experienced protocol engineers, and a network of independent participants who acted quickly when required.
ZODL developed the remediation and led coordination, but the upgrade required voluntary cooperation from miners, node operators, infrastructure operators, exchanges, wallet providers, and other network participants, all acting independently around a shared goal of protecting users and preserving the integrity of the network.
Unlike contentious forks sometimes seen across the industry, this was a security response. The issue was discovered, responsibly disclosed, confirmed, remediated, and resolved in a few days. We’re proud of how the ecosystem came together.
Acknowledgments
The Zcash Foundation extends its sincere thanks to Taylor Hornby for discovering and responsibly disclosing this vulnerability, and to Shielded Labs for supporting the independent security research that made it possible.
We’re grateful to the ZODL engineers whose deep protocol expertise made a rapid remediation possible, especially Jack Grigg, Daira-Emma Hopwood, and Kris Nuttycombe.
Special recognition goes to Arya Solhi of the Zcash Foundation, who was instrumental in developing the Zebra patches that enabled the network upgrade.
We also thank the miners, node operators, exchanges, wallet providers, and infrastructure teams who reviewed and adopted the upgrade quickly, and all ecosystem partners who were notified and coordinated alongside us.
Thank You to Our Contributors
Zebra 4.5.3 and 5.0.0 were made possible by the work of @arya2 and @conradoplg, as well as the ZODL engineers. Thank you for your continued dedication to Zebra.
Zebra is the Zcash Foundation’s independent, Rust-based implementation of the Zcash protocol. Learn more at github.com/ZcashFoundation/zebra.

