Zcash Foundation Releases Urgent Patch for Critical Security Flaws Amid $651M Hack Surge
Severity: High (Score: 72.2)
Sources: Panewslab, Cryptonews, Chaincatcher, Cryptopolitan, Bitget
Summary
On May 2, 2026, the Zcash Foundation announced the release of Zebra version 4.4.0, addressing multiple critical security vulnerabilities in its Rust-based node implementation. This update comes in response to a record $651 million in losses from crypto hacks in April 2026, marking it as the worst month for crypto exploits. The vulnerabilities include a denial-of-service flaw that could prevent new block discovery and consensus-critical bugs that may allow Zebra nodes to accept blocks rejected by zcashd, potentially leading to network splits. The most severe issue could enable remote attackers to halt a node's ability to discover new blocks. The Foundation strongly urges all node operators to upgrade immediately to mitigate risks. Security researcher Sangsoo-osec identified three of the five vulnerabilities, emphasizing the urgency of the situation. Without timely updates, nodes face significant risks, including disruptions in block discovery and increased resource consumption.
Key Points
- Zcash Foundation released Zebra 4.4.0 to fix critical vulnerabilities.
- April 2026 saw $651 million in crypto hacks, the highest on record.
- Node operators are urged to upgrade immediately to prevent potential network splits.
Key Entities
- Lazarus Group (apt_group)
- DDoS (attack_type)
- Denial-of-Service (attack_type)
- Bybit (company)
- Drift Protocol (company)
- KelpDAO (company)
- LayerZero (platform)
- Rust (platform)
- Zcash (platform)
- zcashd (platform)
- Zebra (platform)
- North Korea (country)
- CWE-125 - Out-of-bounds Read (cwe)
- CWE-200 - Exposure of Sensitive Information (cwe)
- cryptopolitan.com (domain)
- GHSA-28xj-328h-72vm (vulnerability)
- GHSA-438q-jx8f-cccv (vulnerability)
- GHSA-cwfq-rfcr-8hmp (vulnerability)
- GHSA-gq4h-3grw-2rhv (vulnerability)
- GHSA-jv4h-j224-23cc (vulnerability)