To keep the Zcash userbase up to date on all recent and historical security issues, we document all security-related events on this page. We also publicly share when a new event has been added to this page.
A bug related to transaction priority handling may allow an attacker to crash Zcash nodes (DoS) via a specially crafted transaction. A fix is implemented in zcashd release 1.0.8-1.
We have deployed detectors to learn more about the issue and still have no evidence of malicious exploitation. We are working with our partners on the continued investigation and we will post another update tomorrow.
We have identified a vulnerability in the Zcash client. We have not seen any evidence of this vulnerability being exploited in the wild and the engineering team is currently investigating the issue. We will post more information when available.
Users who are still running older versions of Zcash (in particular, <= 1.0.3) are at high risk of a blockchain fork or stalling event that could open them up to double-spending attacks. All users and miners are encouraged to update their Zcash clients to the latest version and to reindex if they are experiencing problems. Most miners have updated to the most recent version of Zcash, and there is no evidence of a persistent chain fork affecting updated clients.
The zcashd 1.0.3 release fixed a cache invalidation bug which an attacker could leverage to trigger a network fork. Mitigations and detectors are in place. This vulnerability is transient and fully mitigated once a majority of mining capacity upgrades.
There was a brief DDoS attack yesterday. Our website was down for a bit while we engaged DDoS defenses.
Live test of our urgent notification banner on this website.
This log will track important security announcements. Please check back for updates.