Zebra Consensus Split Vulnerability Due to SIGHASH_SINGLE Handling

A critical vulnerability exists in Zebra, a Zcash node implementation, where it diverges from zcashd in handling SIGHASH_SINGLE for V5+ transparent spends. Specifically, when an input index in a transaction has no corresponding output, Zebra incorrectly computes a digest instead of failing, as zcashd does according to ZIP-244. This divergence allows Zebra to accept malformed transactions into its mempool and include them in block templates. The vulnerability, present in Zebra versions prior to 4.4.0, can lead to Zebra mining and accepting blocks that zcashd rejects, causing a consensus split in the Zcash network. This poses a significant risk to network stability and data integrity. The issue was identified through analysis of Zebra commit a905fa19e3a91c7b4ead331e2709e6dec5db12cb and zcashd commit 2c63e9aa08cb170b0feb374161bea94720c3e1f5.

Attack Chain

1. An attacker crafts a V5 transaction with multiple transparent inputs and fewer transparent outputs.
2. The attacker signs the first input normally.
3. The attacker signs subsequent inputs using SIGHASH_SINGLE (or SIGHASH_SINGLE|ANYONECANPAY).
4. For an input where there’s no corresponding output, Zebra calculates a digest using transparent_outputs_hash::<TxOut>(&[]).
5. Zebra accepts the transaction into its mempool because it sees a valid signature.
6. Zebra includes the malformed transaction in a block template via getblocktemplate.
7. An external miner mines a block containing the invalid transaction based on Zebra’s template.
8. Zebra accepts this block, while zcashd rejects it, leading to a consensus split.

Impact

This vulnerability creates a consensus split between Zebra and zcashd, potentially leading to network instability. Zebra can accept blocks that zcashd considers invalid, compromising the integrity of the Zcash blockchain. The primary impact is on Zebra node operators, who may unknowingly mine and propagate invalid blocks. This also affects external miners who rely on Zebra’s getblocktemplate for block construction, as they could unknowingly mine invalid blocks.

Recommendation

• Upgrade Zebra nodes to version 4.4.0 or later to incorporate the fix for this vulnerability.
• Monitor Zebra mempools for transactions with a higher number of inputs than outputs, signed using SIGHASH_SINGLE, and deploy the Sigma rule Detect Zebra SIGHASH_SINGLE Mismatch to identify potential exploitation attempts.
• Implement monitoring for block validation errors related to transparent transaction signatures in zcashd to detect consensus splits, referencing the observed difference between Zebra and zcashd behavior.