The Zcash Foundation has issued a critical security alert, urging all node operators to immediately upgrade to Zebra version 4.5.0. The release fixes multiple vulnerabilities discovered during an external security review, including a serious parser bug that risked chain disagreements. The update also adds support for miners to receive rewards directly to shielded addresses, enhancing the network’s privacy features.
The Zcash Foundation has instructed Zebra node operators to install version 4.5.0 immediately. Developers stated the release fixes flaws that could disrupt operations or halt synchronization.
A critical bug in Zebra’s transparent script parser was the most serious issue addressed. This might lead to a disagreement among nodes regarding the validity of chain data, according to the foundation’s announcement.
Several denial-of-service vulnerabilities that could cause node instability were also resolved. The foundation credited security researcher Samsulselfut for discovering the critical parser flaw.
The fixes followed a broad security review conducted through the ZCG Vulnerability Disclosure Initiative. Over 80 reports from researchers helped identify issues in Zebra’s validation, networking, and wallet components.
The upgrade enables miners to receive block rewards with shielded addresses for the first time. This change reduces the public visibility of reward payments on the network.
The foundation reported having $36.7 million in liquid assets at the end of Q1 2026. This included approximately $21 million in ZEC and $12.6 million in cash and USDC.
