Over the past two weeks we shipped two Zebra releases, Zebra v4.5.0 and a follow-up patch v4.5.1, fixed a handful of CI and infrastructure issues, and shipped two releases addressing multiple security vulnerabilities reported through the advisory process. On the FROST side, we added support for a new transaction format in the signing tool.
Security
We shipped Zebra v4.5.0 and a same-day hotfix v4.5.1 — together addressing 13 security issues, nearly all reported through responsible disclosure. All Zebra node operators should upgrade to v4.5.1.
The issues cover a range of areas: several could allow a remote peer to crash the node through specific transaction or RPC inputs; others involved uncapped memory allocations that a peer could exploit; and there were networking bugs around peer inventory poisoning and mempool queue limits. v4.5.1 followed the same day with the P2SH script signature count fix. Full details on all advisories are in the release post.
These issues were reported by @ipwning, @x15-eth, @sangsoo-osec, @robustfengbin, @Haxatron, @ouicate, @samsulselfut, @dingledropper, and @AnticsDecoded.
Zebra — CI & Infrastructure
We fixed a networking issue where our GCP-hosted nodes weren’t advertising their correct external IP to peers, making them invisible to the rest of the network. We also updated CI dependencies and cleared two build blockers caused by a deprecated crate and a stale dependency audit config,and temporarily disabled the link-checking job which was generating constant false failures from rate-limited external sites.
Zebra — Other Changes
Alongside the security fixes, v4.5.0 added support for ZIP-213 (Shielded Coinbase), which allows mining rewards to go directly to a shielded address. We also precompute the coinbase transaction for the next block so that when the chain tip changes, miners receive a new template immediately — this matters most when mining to a shielded address. v4.5.0 also shows a startup warning on Linux when a TCP kernel setting that can slow syncing is enabled, and includes a small config rename: testnet_parameters is now [network.params], though the old format still works.
A significant amount of time this period went into investigating a sync stall issue. This was a major engineering effort — code-level root cause analysis, coordination with other teams, local reproduction, patch development. Several fix attempts were opened and refined during this period. Early internal testing of a targeted fix showed zero sync errors across multiple fleet nodes over 11+ hours — we expect to have more to share on this soon.
FROST Tools
We added PCZT (Partially Created Zcash Transaction) support to the zcash-sign tool. PCZT is a format for transactions that are being assembled and signed in stages, and this change lets zcash-sign work with that format directly.
Other Repos
We released reddsa 0.5.2, which includes a fix that prevents signing key material from appearing in debug output—a straightforward but important security improvement.
In zcash_script, we fixed sig_op_count() to match zcashd’s behavior, correcting a divergence in how signature operations are counted.
In z3, we added a CI job to run cargo tests for the rpc-router component and updated push triggers to run from the main branch.
We migrated the z.cash DNS zone to a new configuration and replaced an existing page rule as part of ongoing infrastructure maintenance.
External Contributors
Thank you to everyone outside the Foundation who contributed this period!
@dingledropper contributed two security fixes to Zebra: capping upfront memory allocation in the shared deserializer so a malicious peer cannot force large memory reservations by sending a lying length prefix, and setting protocol-level maximums for block locator and headers preallocation to complement that fix at the per-type level.
@zmanian fixed two bugs: a potential panic in the address book that could be triggered when a misbehaving peer hit the ban threshold under certain connection configurations, and a silent error drop in value balance calculations where a failed transaction calculation was being swallowed instead of propagated.
@ValarDragon cleaned up variable names in the difficulty calculation function to make it clearer that the code is splitting a floating-point value into mantissa and exponent parts.
@dmidem fixed several CI issues in the ZSA (Zcash Shielded Assets) branch, including pinning action versions, restricting workflow token permissions, and separating network-sensitive tests to reduce flakiness.