Zcash Zebra Node Orchard Transaction Verification Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Zcash Zebra nodes, specifically in versions prior to 4.3.1. The issue arises within Orchard transactions, which contain a randomized validating key (rk) that can be an elliptic curve point. The Zcash specification permits this field to be the identity value. However, the 'orchard' crate, used for verifying Orchard proofs, would panic when encountering an rk with the identity value. This flaw allows an attacker to craft a transaction that causes a Zebra node to crash.
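The failure class described above, as an added Rust sketch that is not code from Zebra or the orchard crate: a verifier that calls unwrap() on a value derived from an untrusted rk, next to a checked version and a caller-side containment. The Point type, the XOR proof check and all function names are assumptions made for illustration. The page does not state how the actual fix treats an identity rk; this sketch reports it to the caller as an error instead of panicking.

```rust
use std::panic;

// Toy stand-in for a curve point (constructed for this example, not the
// orchard crate's type): the identity has no affine coordinates.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Point { Identity, Affine { x: u64, y: u64 } }

impl Point {
    fn coordinates(self) -> Option<(u64, u64)> {
        match self {
            Point::Identity => None,
            Point::Affine { x, y } => Some((x, y)),
        }
    }
}

#[derive(Debug, PartialEq)]
enum VerifyError { NoCoordinates, BadProof }

// Hypothetical proof check: the toy "proof" is valid when it equals x ^ y.
fn check(x: u64, y: u64, proof: u64) -> bool { proof == (x ^ y) }

// Panicking pattern: unwrap() on a value derived from untrusted input.
fn verify_panicking(rk: Point, proof: u64) -> bool {
    let (x, y) = rk.coordinates().unwrap(); // panics when rk is the identity
    check(x, y, proof)
}

// Checked pattern: the identity is reported to the caller as an error.
fn verify_checked(rk: Point, proof: u64) -> Result<(), VerifyError> {
    let (x, y) = rk.coordinates().ok_or(VerifyError::NoCoordinates)?;
    if check(x, y, proof) { Ok(()) } else { Err(VerifyError::BadProof) }
}

// Containment around code the caller cannot change: a panic becomes a
// rejection. Only effective when the binary is built with panic = "unwind".
fn verify_contained(rk: Point, proof: u64) -> bool {
    panic::catch_unwind(|| verify_panicking(rk, proof)).unwrap_or(false)
}

fn main() {
    let good = Point::Affine { x: 6, y: 3 }; // constructed sample values
    println!("{:?}", verify_checked(good, 5));
    println!("{:?}", verify_checked(Point::Identity, 0));
    println!("{}", verify_contained(Point::Identity, 0));
}
```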

Impact

Exploitation of this vulnerability leads to a crash of the affected Zebra node, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create an Orchard transaction with an identity rk value and submit it to a Zebra node running a version prior to 4.3.1. The node will crash upon processing the transaction.

Remediation

Users are advised to upgrade to Zebra version 4.3.1 or later. There are no known workarounds for this issue.

Added: May 8, 2026, 9:50 PM
Updated: May 8, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 7.8
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.