Electric Coin Company will announce any breaking security issues on this website’s Security Announcements page.
Each release contains a ./doc/security-warnings.md document describing security issues known to affect that release. You can find the most recent version of this document here. Zcash has been subjected to formal third-party security reviews. Audit reviews can be found in the Zcash Foundation and Electric Coin Company blogs.
The Zcash protocol has a system to issue security alerts. These will be sent to all nodes. In the event the Electric Coin Company website is down or hacked, please also check these Twitter/X handles: @ElectricCoinCo, @zooko.
Contact [email protected] (security.asc) to submit security vulnerabilities or for sensitive discussions with our security team. The security disclosures process can be found here.Â
Key fingerprint = AF85 0445 546C 18B7 86F9 2C62 88FB 8B86 D8B5 A68C
Below are keys we use to sign the software in our package repository.
Key fingerprint = 3FE6 3B67 F85E A808 DE9B 880E 6DEF 3BAF 2727 66C0
Key fingerprint = AF85 0445 546C 18B7 86F9 2C62 88FB 8B86 D8B5 A68C
Key fingerprint = 01A2 20DF 0EA9 A42C 4EAEÂ 6B1D ED41 7FBE 79C9 9E8C
Key fingerprint = 3D6A 08E9 1262 3E9A 00B2Â 1BDC 067F 4920 98CF 2762
Key fingerprint = 0395 DE0A 5027 BE0C 1F5A FB03 9568 4257 D8F8 B031
Key fingerprint = 2253 E2A1 EEB4 0E2A 3D22Â EB1D 0EC5 1FCD A94F B53E
In order to keep the Zcash userbase up-to-date with all recent and historical security issues, we document all security related events on this page. We also publicly share when a new event has been added to this page.
We have updated the version of libzmq that we use to one that has a fix for the issue CVE-2019-6250. If the ZeroMQ interface was enabled (which it is not by default), this issue allowed an attacker network access to that interface to execute arbitrary code as the user running Zcashd. This fix is included in version 2.0.3 of Zcashd.
We have fixed a counterfeiting vulnerability that affected Zcash prior to the Sapling network update. We have published a blog post with more detail. There is no evidence of exploitation. Users need take no action. We have raised CVE-2019-7167 for this issue.
A bug related to transaction priority handling may allow an attacker to crash Zcash nodes (DoS) via a specially crafted transaction. A fix is implemented in zcashd release 1.0.8-1.
We have deployed detectors to learn more about the issue and still have no evidence of malicious exploitation. We are working with our partners on the continued investigation and we will post another update tomorrow.
We have identified a vulnerability in the Zcash client. We have not seen any evidence of this vulnerability being exploited in the wild and the engineering team is currently investigating the issue. We will post more information when available.
Users that are still running older versions of Zcash (in particular, <= 1.0.3) are at high risk of a blockchain fork or stalling event that could open them up to double-spending attacks. All users and miners are encouraged to update their Zcash clients to the latest version and to reindex if they are experiencing problems. Most miners have updated to the most recent version of Zcash, and there is no evidence of a persistent chain fork affecting updated clients.
Zcash is cash
for a new era.