Electric Coin Company will announce any breaking security issues on this website’s Security Announcements page.
Zcash has two full node implementations, Zebra and zcashd. For Zebra-related security information, see the Zebra book. The zcashd implementation is maintained by Zcash Open Development Lab. Each zcashd release contains a doc/security-warnings.md document describing security issues known to affect that release. Both Zebra and zcashd have been subjected to formal third-party security reviews. Audit reviews can be found in the Zcash Foundation and ZODL blogs.
Use the following contacts on Signal to report security vulnerabilities: @pilizcash.01 for reports relating to Zebra and other Zcash Foundation-maintained software; @dairaemma.31 and @nuttycom.01 for reports relating to zcashd and other ZODL-maintained software. We no longer consider email to be a reliable or secure reporting mechanism. Also see Zcash Foundation’s coordinated security disclosure process.
Some of the keys below are no longer used.Key fingerprint = 3FE6 3B67 F85E A808 DE9B 880E 6DEF 3BAF 2727 66C0
Key fingerprint = AF85 0445 546C 18B7 86F9 2C62 88FB 8B86 D8B5 A68C
Key fingerprint = 01A2 20DF 0EA9 A42C 4EAE 6B1D ED41 7FBE 79C9 9E8C
Key fingerprint = 3D6A 08E9 1262 3E9A 00B2 1BDC 067F 4920 98CF 2762
Key fingerprint = 0395 DE0A 5027 BE0C 1F5A FB03 9568 4257 D8F8 B031
Key fingerprint = 2253 E2A1 EEB4 0E2A 3D22 EB1D 0EC5 1FCD A94F B53E
In order to keep the Zcash userbase up-to-date with all recent and historical security issues, we document all security related events on this page. We also publicly share when a new event has been added to this page.
This list of security-related events is no longer maintained. Please see the Zcash Foundation and ZODL blogs for newer announcements.The latest version of the ECC iOS SDK (Version 0.9.2) contains an important security update, and users are urged to update immediately. Unstoppable Wallet and Nighthawk Wallet have applied this fix and users of those apps should update to the latest versions immediately.
We have just released zcashd 2.1.1-1 to our Debian apt repository. It includes a soft-fork change to the consensus rules to address a security vulnerability that could be leveraged to cause consensus forks. We request miners and pools upgrade as soon as possible to ensure this soft-fork is activated. We also request all users to upgrade as soon as possible.
Please see the following for more information: https://electriccoin.co/blog/new-releases-2-1-1-and-hotfix-2-1-1-1/
Version 2.1.0-1 of Zcashd includes an important security fix in response to an issue that was published on November 8th 2019 on the bitcoin-dev mailing list and has the designation CVE-2017-18350.
Users should upgrade their nodes to this version immediately and discontinue use of older versions.
Version 2.0.7-3 of Zcashd includes an important security fix in response to an issue that was reported to us on Friday September 13th 2019 by Florian Tramèr, Dan Boneh, and Kenneth G. Paterson.
Users should upgrade their nodes to this version immediately and discontinue use of older versions.
Please note that the issue does not put funds at risk of theft or counterfeiting. More details of the issue will be released in coordination with the reporters of the issue at a future date.
Version 2.0.4 of Zcashd includes a fix for the bug described in the previous security announcement.
Users should install this update and then rescan the blockchain by invoking zcashd -rescan. Sprout address balances shown by the zcashd wallet should then be correct.
Thank you to Alexis Enston for bringing this to our attention.
Synopsis: A bug in the Zcashd wallet could result in Sprout z-addresses displaying an incorrect balance. Sapling z-addresses are not impacted by this issue. This would occur if someone sending funds to a Sprout z-address intentionally sent a different amount in the note commitment of a Sprout output than the value provided in the ciphertext (the encrypted message from the sender).
A code fix for the wallet has been written and the integration into an official Zcash release is targeted for our next release (version 2.0.4, expected March 25th).
Who is affected: Users that receive payments to their Sprout z-addresses using the Zcashd wallet are vulnerable. Users who do not receive payments to Sprout z-addresses are unaffected.
What can Sprout users do to protect themselves? Sprout users should suspend their trust in the receipt of funds to Sprout z-addresses until they upgrade to zcash v2.0.4, which is expected to be released on March 25th. If users need the fix earlier, they can manually build their own daemon with the code available now: https://github.com/zcash/zcash/pull/3897.
Once a fix has been applied, users are strongly advised to issue a rescan of the blockchain with “zcashd -rescan”.
Acknowledgements: Thank you to Alexis Enston for bringing this to our attention.