ZEBRA Consensus Vulnerability in Sighash Handling Leading to Network Split

A consensus vulnerability has been identified in ZEBRA, a Zcash node implementation in Rust, affecting versions prior to 4.4.0 and zebra-script versions prior to 6.0.0. The issue arises from inadequate error handling when the sighash type is invalid during computation. Instead of signaling an error, the process would continue, leaving the input sighash buffer unchanged. This could allow an invalid hash type to be accepted, creating a consensus divergence between ZEBRA and zcashd nodes. The vulnerability could be exploited by constructing a transparent output that takes advantage of the flawed sighash handling, leading to a rejection of the transaction by zcashd but acceptance by ZEBRA, thereby causing a split in the network consensus.

Impact

Exploitation of this vulnerability causes a consensus failure, creating a network partition where affected ZEBRA nodes accept invalid transactions that zcashd nodes reject, disrupting normal transaction processing and potentially allowing double-spending.

Reproduction

To reproduce this vulnerability, a transaction must be crafted that exploits the flawed sighash type handling in ZEBRA. This involves creating a transparent output spent by a script that uses a valid 'OP_CHECKSIGVERIFY' followed by an 'OP_CHECKSIG' with an undefined hash type. The first opcode will correctly initialize the C++ sighash buffer, while the second will cause ZEBRA to ignore the invalid hash type, allowing the transaction to be accepted by ZEBRA nodes but rejected by zcashd, thus creating a consensus split.

Remediation

Users should upgrade to ZEBRA version 4.4.0 or later. There are no known workarounds for this issue.