ZIP: 256
Title: Deployment of Consensus Bug Fixes Between NU6.1 and NU6.2
Owners: Daira-Emma Hopwood <daira@jacaranda.org>
Status: Proposed
Category: Consensus / Network
Created: 2026-06-09
License: MIT
Discussions-To: <https://github.com/zcash/zips/issues/1294>

Terminology

The key words “MUST” and “MUST NOT” in this document are to be interpreted as described in BCP 14 1 when, and only when, they appear in all capitals.

The term “network upgrade” in this document is to be interpreted as described in ZIP 200. 2

The character § is used when referring to sections of the Zcash Protocol Specification. 3

The terms “Mainnet” and “Testnet” are to be interpreted as described in § 3.12 ‘Mainnet and Testnet’. 4

Abstract

This ZIP retrospectively documents the deployment and specification of several consensus and denial-of-service bug fixes that were applied to the Zcash node implementations, after the activation of NU6.1 5, up to but not including the Orchard Temporary Vulnerability Mitigation and the NU6.2 network upgrade. The latter are documented in ZIP 257. 6.

Motivation

Between the activation of NU6.1 and that of NU6.2, several consensus enforcement bugs and denial-of-service vulnerabilities were reported and mitigated in the zcashd and zebra full node implementations. This period corresponded to a sudden spike in vulnerability reports, precipitated by the widespread use of capable AI models for vulnerability discovery and mitigation.

These vulnerabilities were fixed and deployed in zcashd releases v6.12.0 to v6.12.4 inclusive, and in zebra releases v4.2.0 to v4.5.1 inclusive.

This ZIP records the nature of those fixes, the releases in which they were deployed, and corresponding specification changes and clarifications, so that the behaviour of the network across this period is fully documented.

Specification

Consensus rule changes

The changes in this ZIP include the constricting consensus rule changes described here. The corresponding consensus changes in the Zcash Protocol Specification are described in that section.

Orchard identity rk

An Orchard action with \(\mathtt{rk}\) encoding the zero point on the Pallas curve caused a panic during proof verification. Both zcashd and zebra now reject \(\mathtt{rk}\) encoding \(\mathcal{O}_{\mathbb{P}}\kern-0.05em\textsf{.}\) This is a constricting consensus rule change, since the specification previously permitted \(\mathtt{rk}\) to encode the zero point. It is enforced by zcashd from v6.12.1, by zebra from v4.3.1, and reflected in the orchard crate from version 0.13.0. 7

Changes to chain value balance accounting rules (ZIP 209)

As a consequence of the integer-overflow and value-range hardening described below for zcashd v6.12.1, the following change was made to ZIP 209.

In ZIP 209’s Specification section, replace

If any of the “Sprout chain value pool balance”, “Sapling chain value pool balance”, or “Orchard chain value pool balance” would become negative in the block chain created as a result of accepting a block, then all nodes MUST reject the block as invalid.

with

If any of the Sprout chain value pool balance, Sapling chain value pool balance, Orchard chain value pool balance, transparent chain value pool balance, or deferred development fund chain value pool balance would become negative in the block chain created as a result of accepting a block, then all nodes MUST reject the block as invalid.

If the sum of these chain value pool balances (i.e. the total supply, computed without possibility of overflow) would become greater than \(\mathsf{MAX\_MONEY}\) zatoshis in the block chain created as a result of accepting a block, then all nodes MUST reject the block as invalid.

The extension of the non-negativity rule to the deferred development pool balance had already been implemented for NU6 8 9.

The extension of the non-negativity rule to the transparent balance, and the rule on the total supply, were implemented in zcashd v6.12.1 10, in response to weaknesses in zcashd’s chain value pool balance accounting 7:

An intended effect of the latter hardening was to enforce the stricter consensus rules described above in zcashd. Zebra had already been using checked arithmetic consistently, representing each chain value pool balance as an amount required to be non-negative and at most \(\mathsf{MAX\_MONEY}\kern-0.05em\textsf{,}\) and constraining each intermediate value to its correct range.

Consensus changes in the Zcash Protocol Specification

This section includes only consensus changes; additional clarifications to the Zcash Protocol Specification are given in a later section.

rk-related changes

Add a consensus rule in § 4.6 ‘Action descriptions’:

In the same section, change the non-normative note

to

Add a non-normative note:

Also add a note to § 4.18.4 ‘Action Statement (Orchard)’ explaining that the case \(\mathsf{rk} = \mathcal{O}_{\mathbb{P}}\) will not occur due to the above consensus rule.

ZIP 209-related changes

Make changes in § 4.17 ‘Chain Value Pool Balances’ 12 corresponding to the changes to ZIP 209. These mirror the changes described above and are not spelled out here.

Additional consensus node implementation conformance fixes

Each of the following makes an implementation enforce a rule the protocol specification already defines, restoring agreement of zcashd and zebra to the specification and to each other.

No consensus rule change is introduced for these implementation flaws. Clarifications to the Zcash Protocol Specification relating to two of these flaws are given in that section below.

Denial-of-service and node-crash hardening

The following issues allowed remotely triggered crashes or unbounded resource use. They affect node liveness but do not change which blocks or transactions are valid.

Zcashd

Zebra

Clarifications to the Zcash Protocol Specification

These clarifications do not change consensus rules.

§ 7.1.2 ‘Transaction Consensus Rules’

In reference to this rule:

If \(\mathsf{effectiveVersion} = 4\) and there are no Spend descriptions or Output descriptions, then \(\mathtt{valueBalanceSapling}\) MUST be \(0\kern-0.05em\textsf{.}\)

add the note:

zcashd prior to v6.12.1 misimplemented the rule that requires \(\mathtt{valueBalanceSapling} = 0\) for a v4 transaction with no Spend descriptions and no Output descriptions. It incorrectly normalized the value to \(0\) when no Spend or Output descriptions were present, with the consequence that the failure case for this rule was never reached. For clarification, \(\mathtt{valueBalanceSapling}\) refers to the value as encoded in the transaction, which is not normalized in this way; it does not refer to \(\mathsf{v^{balanceSapling}}\kern-0.05em\textsf{.}\)

Various sections

The consensus rule “Elements of an Action description MUST be canonical encodings of the types given above.” in § 4.6 ‘Action descriptions’, properly belongs in § 7.5 ‘Action Description Encoding and Consensus’ 25.

Similarly, the corresponding rules in § 4.3 ‘JoinSplit Descriptions’, § 4.4 ‘Spend Descriptions’, and § 4.5 ‘Output Descriptions’, belong in § 7.2, § 7.3, and § 7.4 respectively.

Add a non-normative note in section § 7.5 documenting the invalid \(\mathsf{ephemeralKey}\) issue and the versions of zcashd it affected.

Wherever else Pallas curve points are decoded, add cross-references to § 5.4.9.6 ‘Pallas and Vesta’, and include implementation notes on validation in that section. Similarly, wherever points on other elliptic curves are decoded, add cross-references to the relevant sections.

Deployment

These fixes were enforced immediately on upgrade in each release below; none was gated on a block height or network-upgrade activation.

Release Date Fixes
zcashd v6.12.0 2026–03–27 Sprout transaction verification
zcashd v6.12.1 2026–04–17 Orchard zero \(\mathtt{rk}\) / \(\mathtt{ephemeralKey}\kern-0.05em\textsf{;}\) chain value-pool accounting; integer-overflow / value-range hardening
zcashd v6.12.2 2026–05–06 Sapling valueBalanceSapling normalization; strengthened \(\mathtt{ephemeralKey}\) check; block-body poisoning (initial)
zcashd v6.12.3 2026–05–07 CVE-2024–52911 use-after-free
zcashd v6.12.4 2026–06–01 block-body poisoning (structural); coinbase value-balance crash; out-of-range pool-value delta
zebra v4.2.0 2026–03–12 input-ordering validity fix
zebra v4.3.1 2026–04–17 Orchard zero \(\mathtt{rk}\) / \(\mathtt{ephemeralKey}\)
zebra v4.4.0 2026–05–01 coinbase Sapling spend; transparent input/output alignment; v5-verification
zebra v4.5.0 2026–05–28 preallocation / duplicate-delivery DoS
zebra v4.5.1 2026–05–29 P2SH input sigop count

Backward compatibility

Most of these fixes tighten validity checks or harden the node, rejecting inputs that were already invalid under the specification but were previously accepted (or mishandled) by one or both full node implementations. Honest blocks and transactions remain valid, so upgraded nodes do not diverge from each other. Where one implementation previously accepted a malformed encoding, the fix restores agreement with the other (for example the Sapling \(\mathtt{valueBalanceSapling}\) and Orchard \(\mathtt{ephemeralKey}\) cases, where the specification already required the relevant encodings to be rejected).

The exclusion of Orchard \(\mathsf{rk}\) = \(\mathcal{O}_{\mathbb{P}}\) is a soft fork: it removes transactions from the valid set rather than adding any, so it cannot cause an upgraded node to reject a block that conforming miners produce. \(\mathsf{rk}\) is the spend authorization validating key randomized by \(\alpha\kern-0.05em\textsf{.}\) When, as specified, \(\alpha\) is generated uniformly at random, \(\mathsf{rk}\) = \(\mathcal{O}_{\mathbb{P}}\) only with negligible probability — so in practice no honest transaction is affected.

The changes to chain value balance accounting would only affect consensus in the event of another violation of intended consensus security properties.

The denial-of-service hardening changes do not affect block or transaction validity.

References


  1. Information on BCP 14 — “RFC 2119: Key words for use in RFCs to Indicate Requirement Levels” and “RFC 8174: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words”  ↩︎

  2. ZIP 200: Network Upgrade Mechanism  ↩︎

  3. Zcash Protocol Specification, Version 2025.6.3 or later  ↩︎

  4. Zcash Protocol Specification, Version 2025.6.3 [NU6.1]. Section 3.12: Mainnet and Testnet  ↩︎

  5. ZIP 255: Deployment of the NU6.1 Network Upgrade  ↩︎

  6. ZIP 257: Deployment of the Orchard Temporary Vulnerability Mitigation and NU6.2 Network Upgrade  ↩︎

  7. Several Zcash Vulnerabilities Successfully Remediated (Zcash Open Development Lab, 2026–04–17; zcashd v6.12.1, zebra v4.3.1)  ↩︎

  8. Add lockbox funding streams and chain lockbox value pool tracking for NU6 (zcash/zcash#6912)  ↩︎

  9. Track the balance of the deferred chain value pool (ZcashFoundation/zebra#8729)  ↩︎

  10. zcashd v6.12.1 post-release merge (zcash/zcash#7141)  ↩︎

  11. ZIP 209: Prohibit Negative Shielded Chain Value Pool Balances  ↩︎

  12. Zcash Protocol Specification, Version 2025.6.3 [NU6.1]. Section 4.17: Chain Value Pool Balances  ↩︎

  13. zcashd v6.12.0 post-release merge (zcash/zcash#7133)  ↩︎

  14. Zcash Vulnerability Successfully Remediated (Zcash Open Development Lab, 2026–03–31; zcashd v6.12.0)  ↩︎

  15. Zcash Protocol Specification, Version 2025.6.3 [NU6.1]. Section 4.6: Action Descriptions  ↩︎

  16. Hotfix v6.12.2 (zcash/zcash#7157)  ↩︎

  17. Zcash Protocol Specification, Version 2025.6.3 [NU6.1]. Section 7.1.2: Transaction Consensus Rules  ↩︎

  18. Zcashd release v6.20.0, which published the v6.12.4 security fixes (zcash/zcash#7174)  ↩︎

  19. Urgent Zcash hotfixes v6.12.4 & v6.20.0 (zcashd, affected v5.0.0–v6.13.0)  ↩︎

  20. Zebra CHANGELOG — Zebra 4.5.1 (2026–05–29)  ↩︎

  21. Zebra CHANGELOG — Zebra 4.2.0 (2026–03–12)  ↩︎

  22. Zebra CHANGELOG — Zebra 4.4.0 (2026–05–01)  ↩︎

  23. Bitcoin Core disclosure of CVE-2024–52911  ↩︎

  24. Zebra CHANGELOG — Zebra 4.5.0 (2026–05–28)  ↩︎

  25. Zcash Protocol Specification, Version 2025.6.3 [NU6.1]. Section 7.5: Action Description Encoding and Consensus  ↩︎