Recent highlights from the engineering team include the Zebra 4.3.1 release, which patches four security vulnerabilities, we did a significant overhaul of how Zebra nodes are deployed on GCP, and some clean up of FROST PRs in preparation for the next release.
Zebra
CI and Deployment Infrastructure
Node deployments now roll out one zone at a time instead of all at once. Each combination of environment, branch, network, and zone gets its own deployment group, so a problem in one zone can’t take down the whole fleet. We also hardened the pre-flight and health checks to prevent race conditions when deployments run in parallel, and fixed several issues that had been blocking manual production deployments.
Every PR now runs security advisory scanning, license compliance, and supply-chain auditing to catch known vulnerabilities and licensing issues. We automated checkpoint updates and end-of-support height calculation, which used to require digging through CI logs: a draft PR now opens each week with the new values captured as a CI artifact for human review. Build times also dropped after we switched RocksDB to dynamic linking against the system package instead of compiling from source.
Security Fixes and Releases
The main highlight was the Zebra 4.3.1 release. This includes several security fixes: removing a bypass in mempool transaction verification that allowed some transactions to skip consensus checks; adding validation of Sapling rk points at parse time rather than deferring it; fixing a missing limit on the number of peer addresses that could be sent in a single P2P message; and correcting how transaction sighashes are computed for V4 vs V5 transactions to match zcashd’s behavior. The release also includes a fix for a denial-of-service vulnerability in the JSON-RPC server, where an authenticated attacker could trigger a panic in the entire Zebra process by dropping a TCP connection during body reading..
We added a Dockerized setup for running Zebra alongside S-NOMP, a Zcash mining pool, using Docker Compose — making it easier for miners to get a local setup running quickly. This image can be used for Mainnet or Testnet. We also updated the Docker and docker-compose configuration to expose the P2P port (8233 for mainnet, 18233 for testnet), which was missing. Exposing the P2P port is optional — nodes that only need to sync don’t require it — but publishing it allows other nodes on the network to connect inbound, which helps overall network health by increasing the number of reachable peers. Without it, a containerized Zebra node only makes outbound connections.
Finally, we added a public encryption key to SECURITY.md for the security contact address at security@zfnd.org.
FROST
We added ZeroizeOnDrop to the dkg::round2::Package type in the FROST library. This ensures that sensitive key material from the Distributed Key Generation is automatically zeroed in memory when it goes out of scope. We also updated the FROST documentation book to mdbook 0.5. This is in preparation for the FROST v3.0.0 release.
librustzcash and zcash_script
We added accessor methods to JsDescription and derived Clone on TransactionData in librustzcash as prep for de-duplicating the transaction type. We also released zcash_script 0.4.4 with a new HashType::raw_bits() accessor — this version was used as part of the Zebra 4.3.1 security fixes to correctly handle V4 transaction sighash computation.
External Contributors
Thanks to @BeeFlea for creating the FROST issue to Implement Zeroize for round2::Package in DKG module that we closed this week.
Thanks for reading!