GHSA-JV4H-J224-23CC Zebra's Block Validator Undercounts Coinbase and P2SH Sigops

Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit MAXBLOCKSIGOPS, allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcas...

PT-2026-38619

Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit MAX BLOCK SIGOPS, allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while...

Undefined Behavior in zencashjs

Versions of zencashjs prior to 1.2.0 may cause loss of funds when used with cryptocurrency wallets. The package relies on a string comparison of the first two characters of a Horizen address to determine the destination address type of a transaction P2PKH or P2SH. Due to the base58 address prefix...

Insecure String Comparison

zencashjs uses an insecure string comparison. This is due to a clash of address prefixes for testnet P2PKH and mainnet P2SH addresses. The package interprets transactions sent to a zt P2SH address on mainnet as P2PKH transactions erroneously. Any funds sent to a mainnet P2SH multisignature addres...