The Zcash Foundation has released an emergency update for Zebra 4.5.1 to fix a critical consensus-level security vulnerability

The Zcash Foundation announced the release of the Zebra 4.5.1 version update to fix a consensus-level security vulnerability and strongly recommends that all node operators upgrade immediately.

The vulnerability, identified as GHSA-2prc-cj5x-4443, involves a sigop (signature operation count) statistical error in P2SH transactions, which could lead to potential consensus fork risks. This fix corrects the incomplete patch issue from the previous 4.5.0 version, which was just released yesterday.

The Zcash development team stated that the problem originated from discrepancies in sigop counting logic across different implementations, which could cause nodes to produce different results when validating transactions, thereby affecting on-chain consensus consistency. The fix was implemented by reverting and adjusting the Rust implementation logic to ensure alignment with the expected behavior of the protocol.

The Zcash Foundation emphasizes that there is currently no workaround for this issue, and upgrading to 4.5.1 is the only way to ensure that nodes remain on the correct chain and avoid potential fork risks.