ZF Engineering Update – March 23 to April 5, 2026

Over the last two weeks we dealt with some security reports for Zebra, released Zebra v4.3.0, made several bug fixes across Zebra and FROST, and continued to work on infrastructure tooling. We are also preparing for an upcoming FROST v3.0.0 release.

Zebra Security

We resolved two security issues this period. The first was a consensus bug where V5 transactions could be automatically treated as verified using only their mined transaction IDs — the fix ensures the full verification path is always followed. The second involved computing V5 transaction hashes, which could cause panics triggerable remotely via the p2p network. We updated the transaction deserializer to check that V5 branch IDs are valid and that the encoded format can be read back correctly by librustzcash.

To support these fixes, the property-based test generators were updated to fix the range used for arbitrary input data lengths and to add NU5 branch ID generation to the V5 transaction generator. We also added links to the newly published security advisories in the changelogs.
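As an added illustration (not Zebra's code), the sketch below shows the branch ID half of the second fix: rejecting an unknown V5 branch ID with an error while deserializing untrusted peer bytes, so that later hashing never sees a value it cannot handle. The field layout follows the ZIP-225 V5 header; all type and function names, and the choice to accept only NU5, are assumptions.

```rust
// Added illustration, not Zebra's code. Layout follows the ZIP-225 V5 header;
// every type and function name here is hypothetical.
const V5_HEADER: u32 = 0x8000_0005; // fOverwintered bit | version 5
const V5_VERSION_GROUP_ID: u32 = 0x26A7_270A;
const NU5_BRANCH_ID: u32 = 0xC2D6_D0B4;
// Assumption: only NU5 is accepted; a real node lists every upgrade allowing V5.
const KNOWN_V5_BRANCH_IDS: &[u32] = &[NU5_BRANCH_ID];

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, NotV5, UnknownBranchId(u32) }

#[derive(Debug, PartialEq)]
pub struct V5Prefix { pub branch_id: u32, pub lock_time: u32, pub expiry_height: u32 }

fn read_u32_le(buf: &[u8], offset: usize) -> Result<u32, ParseError> {
    let b = buf.get(offset..offset + 4).ok_or(ParseError::Truncated)?;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Parse the fixed 20-byte V5 prefix from untrusted peer bytes.
/// Every failure is returned as `Err`, never a panic, and an unknown
/// branch ID is rejected here rather than later during hashing.
pub fn parse_v5_prefix(buf: &[u8]) -> Result<V5Prefix, ParseError> {
    if read_u32_le(buf, 0)? != V5_HEADER || read_u32_le(buf, 4)? != V5_VERSION_GROUP_ID {
        return Err(ParseError::NotV5);
    }
    let branch_id = read_u32_le(buf, 8)?;
    if !KNOWN_V5_BRANCH_IDS.contains(&branch_id) {
        return Err(ParseError::UnknownBranchId(branch_id));
    }
    Ok(V5Prefix {
        branch_id,
        lock_time: read_u32_le(buf, 12)?,
        expiry_height: read_u32_le(buf, 16)?,
    })
}

/// Constructed sample input: a V5 prefix carrying the given branch ID.
pub fn sample_prefix(branch_id: u32) -> Vec<u8> {
    [V5_HEADER, V5_VERSION_GROUP_ID, branch_id, 0, 2_000_000]
        .iter()
        .flat_map(|v| v.to_le_bytes())
        .collect()
}

fn main() {
    println!("{:?}", parse_v5_prefix(&sample_prefix(NU5_BRANCH_ID)));
    println!("{:?}", parse_v5_prefix(&sample_prefix(0xDEAD_BEEF)));
}
```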

Zebra

We fixed a performance issue where checkpoint data was being parsed repeatedly instead of being cached, which was causing a thread to run at 100% CPU.

We added a dedicated profiling build profile and updated the documentation to make profiling easier to run.

CI and Infrastructure

We moved Zebra’s lint configuration from .cargo/config.toml into Cargo.toml, using Rust’s workspace lint system. This fixes an issue where environment variables set by some CI tooling could silently override the lint rules, making it possible for lints to pass in one context but not another. The fix makes lint behavior consistent across all build environments.

FROST

We made a set of miscellaneous defensive fixes to the FROST library, adding checks to prevent certain internal functions from being called with invalid inputs. This reduces the chance of subtle bugs when the library is used in unexpected ways. We plan to release v3.0.0 of FROST next week.

z3

On the z3 repository, which provides Docker-based tooling to run Zebra together with other Zcash infrastructure components, we redesigned the Docker Compose setup. The regtest environment was reorganized into its own top-level directory, Zebra and Zaino submodules were updated, and Zaino was added to the regtest stack with both gRPC and JSON-RPC endpoints exposed. A follow-up PR fixed some remaining issues to get the regtest environment fully working.

External Contributors

Thank you to @judah-caruso for implementing ZIP-235, the Network Sustainability Mechanism, in Zebra. This was a significant piece of work originally part of a much larger PR.

Thanks for reading!
