The vulnerabilities, discovered by Halborn in a 2022 audit of Dogecoin, were first disclosed to ECC and contributors to other affected networks on Feb. 14, and more details were relayed in a Feb. 17 call. ECC initiated our security process immediately and began coordinating with ZecSec.com, the independent Zcash-community-funded security team, and with the Zcash Foundation, which analyzed the impact on zebrad, its own implementation of a Zcash node. We also reached out to Horizen, Komodo, and other teams with whom we have disclosure agreements.
Within days, we had zcashd patches ready for third-party testing, but the public releases have been delayed to allow other projects time to complete their own remediations and to allow for coordinated communications, given the sensitive nature of the vulnerabilities.
Halborn found that the bugs could allow an attacker to use peer-to-peer network messages to fill the memory of a node and crash it. By crashing other people’s mining nodes, an attacker could potentially reduce, by around one half, the amount of hashpower they would need to mount a 51% attack on the Zcash network. A successful 51% attack could potentially be used to execute a double-spend attack, which could result in users who received transactions from the attackers losing their funds. We have no reason to believe that the Zcash network is currently vulnerable to a 51% attack — with or without the “one half discount” on the attack cost — but out of an abundance of caution, we’ve hardened the zcashd nodes so that they cannot be crashed using this bug.