Zcash patches critical flaws as crypto hacks hit $651M in one month

Today, May 2, 2026, the Zcash Foundation just released Zebra 4.4.0, urging all node operators to upgrade immediately after fixing multiple security flaws, including several that could have split the network’s consensus.

The patch comes as April closes out as the worst month for crypto exploits so far. Blockchain security firm CertiK confirmed roughly $651 million in total losses across the industry.

What kind of Zcash flaws does Zebra 4.4.0 fix?

The update resolves five separate vulnerabilities in Zebra, the Rust-based Zcash node implementation built by the Zcash Foundation. Three of the bugs are consensus-critical, meaning that attackers could have exploited them and made Zebra nodes accept transactions that legacy zcashd clients would reject, thus splitting the network.

The most severe issue (GHSA-28xj-328h-72vm) allowed a remote hacker to permanently stop a node from discovering new blocks with just one connection. The attack combined three weaknesses in how Zebra shared and downloaded information. 

According to the Zcash Foundation’s notice, the exploit “produced zero misbehavior score, zero bans, and zero disconnections,” thus making it invisible to standard monitoring tools.

A second bug (GHSA-jv4h-j224-23cc) also made Zebra lose count of how many signatures were inside a block of transactions (it would usually count less than the 20,000-sigop block limit).

Apparently, Zebra’s system ignored two specific types of scripts (the Coinbase input’s scriptSig, and P2SH signatures) during block validation. Because of this, an attacker could create a block exploiting both gaps, passing Zebra’s checks but failing on zcashd and creating a chain split.

The third major issue (GHSA-gq4h-3grw-2rhv) happened because of a previous sighash fix that left stale data in a temporary storage area (buffer) readable across Zebra’s C++ foreign function interface. 

As such, an attacker could exploit this by using a valid signature to fill the buffer with correct information, and then send in a second transaction with an invalid hash type that would pass verification based on the leftover data. 

To resolve this, the Foundation applied a temporary fix that scatters the buffer with random bytes if a check fails, thus preventing the system from reusing old information until a permanent fix is deployed.

The last two bugs caused disagreements between other parts of the system. One bug overloaded the network by making it use too much memory when reading messages (GHSA-438q-jx8f-cccv). The other was a minor coding discrepancy in how Zebra verified certain transactions (GHSA-cwfq-rfcr-8hmp).

The Foundation noted the latter was not practically exploitable, but still went ahead to patch it to match zcashd behavior. Security researcher Sangsoo-osec was credited with discovering three of the five issues.

Could the release have come at a better time?

According to DeFiLlama, April 2026 was the most-hacked month in crypto history (by number of incidents), suffering an estimated 28 to 30 separate attacks. CertiK’s X post on April 30 put total losses at approximately $651 million, the highest since March 2022, excluding the Bybit breach in February 2025.

Two incidents were responsible for most of the damage. On April 1, Drift Protocol lost about $285 million in a social-engineering operation linked to North Korea’s Lazarus Group. By April 18, KelpDAO had suffered its own $293 million message-spoofing exploit targeting a LayerZero cross-chain bridge, according to Cryptopolitan. 

Notably, none of April’s exploits targeted Zcash directly. But the sheer volume of attacks across chains reflects why its Foundation chose to label the Zebra update as “critical” and push for immediate adoption.

What Zcash node operators should do

The Foundation advises all operators to upgrade to Zebra 4.4.0 immediately, as the release doesn’t introduce any other significant changes beyond the security fixes. 

Node operators running older versions remain exposed to all five vulnerabilities, including the block-discovery halt that requires only a single malicious connection to execute.

ZEC traded at $377.46 at the time of writing, according to CoinMarketCap, with a market cap of $6.28 billion.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.