In the past two weeks, we have released Zebra v4.4.1 and FROST v3.0.0. Zebra was shipped with a batch of fixes addressing memory allocation issues during block deserialization, several RPC vulnerabilities, and bugs in the script and sighash validation code.
CI & Infrastructure
We added a new benchmark suite to Zebra using the Criterion benchmarking library, covering Sprout, Sapling, and Orchard proof verification, and transaction serialization across all supported formats. We also added a CI workflow that runs benchmarks on demand and compares results across pull requests. We then followed up with refinements to align the benchmark group names with the labels used in our production metrics, reduce duplicated code across the suite, and raise the noise threshold to keep CI results stable.
We aligned Zebra’s Sentry observability setup so that the running version and environment are tracked consistently across GitHub Actions, GCP, and Sentry. We also fixed the cargo-vet supply chain audit state that had drifted after the previous release.
Zebra
The majority of engineering work this sprint went into security fixes, all of which were bundled into the Zebra v4.4.1 release. We enforced the protocol’s 160-entry cap on block header messages in the network layer’s header-reading code, and we fixed several places in Zebra’s block and transaction deserializers where untrusted length fields were being used to allocate memory before the data was validated: this affected coinbase data size, the Equihash solution size field, and Sapling spend vectors inside coinbase transactions. We also fixed a stale sighash bug in the script validator where the output buffer was not filled correctly on failure, which could have allowed invalid signatures to slip through, and we fixed a panic risk in the transparent script verifier, where an out-of-range input index or a mismatched output vector length would crash rather than return an error. Beyond security, we cleaned up the remaining Groth16 abstractions left over from Zebra’s earlier Sapling migration.
On the RPC side, we fixed four separate security issues: the RPC cookie file now gets strict file permissions, and symlinks at the cookie path are rejected; HTTP request body sizes are bounded before reading; slow gRPC consumers are now dropped rather than buffered; and getrawtransaction was corrected to use the block hash supplied by the caller. We also fixed a bug in getrawtransaction confirmation counts.
Other Repos
In the FROST repository, we published the v3.0.0 release. We also added an optional zcashd compose profile to the ZcashFoundation/z3 repository, making it easier to run zcashd alongside the other node configurations already provided.
External Contributions
Thank you to @schell for updating Zebra’s librustzcash dependencies and @daira for adding the nTx field to Zebra’s getblock RPC.
Thanks for reading!