Zcash Weekly — May 3, 2026

//Top Stories

Zebra 4.4.0 — Critical Security Release Patches Five Vulnerabilities

The Zcash Foundation released Zebra v4.4.0 on May 2 with fixes for multiple security vulnerabilities, including consensus-critical issues. All node operators should upgrade immediately.

Five CVEs were patched: denial-of-service via gossip queue saturation and syncer poisoning (GHSA-28xj-328h-72vm), a V5 sighash callback consensus bypass (GHSA-gq4h-3grw-2rhv), allocation amplification in inbound deserializers (GHSA-438q-jx8f-cccv), a transparent input/output alignment bug, and RPC hardening including a cookie file permission fix (GHSA-jg86-rwhm-fhg4). The V5 sighash bypass was the most severe — a consensus-critical issue that could potentially cause chain splits if left unpatched.

Sources: ZF Forum · GitHub Release · ZF Tweet

ZCG Earmarks $1M for Security Bug Bounties

Zcash Community Grants announced a $1 million USD earmark to fund payouts for responsibly disclosed vulnerabilities affecting core Zcash repositories. The program covers Zebra, librustzcash, and related consensus-critical code. Payouts flow through a formalized pipeline: remediation team → ZCG → FPF → researcher.

This is the largest coordinated security funding initiative in Zcash history and follows an April disclosure cycle that saw three independent researchers find vulnerabilities, one of whom (Alex Sol) had rewards retroactively doubled from 300 to 600 ZEC. ZCG, ZODL, ZF, and Shielded Labs are in active discussions on triage, severity classification, and coordination to ensure the program runs smoothly.

Sources: ZCG Tweet · Forum Discussion

Three Independent Hardware Wallet Projects Now Active

The Zcash hardware wallet ecosystem went from near-zero to three simultaneous projects this week:

1. Hito ($50k ZCG grant under review, #280) — Dedicated Orchard cold signing module. Architecture published, 5,000+ units in production planning. Forum thread has the highest engagement score of any current grant application.

2. wh00hw's Open-Source SDK (FPF retroactive grant #28) — libzcash-orchard-c and zcash-hw-wallet-sdk targeting embedded platforms: FlipZcash (ARM Cortex-M4) and ESP32 (Xtensa LX7). Code-complete, MIT-licensed, 49 KAT vectors and 17 integration tests. Posted via the FPF Coinholder Grants track.

3. Zafu/Zigner (FPF retroactive grant #29) — Chrome MV3 extension with sub-12-second client-side Halo2 Orchard proving, end-to-end FROST t-of-n multisig, and air-gap device pairing via PCZT (ZIP-324). The most technically ambitious browser wallet in the Zcash ecosystem.

Meanwhile, Ledger's Orchard device-app integration remains on track for mid-May signing completion, with full launch targeted for July. Four different teams, four different approaches — all converging on Orchard signing.

Sources: Hito Forum · wh00hw Forum · Zafu Forum

//Ecosystem

• Zcash Used to Pay for Chipotle at a Bitcoin Conference — Vladcostea paid for two Chipotle meals with ZEC while attending a Bitcoin conference. His posts were amplified by Cypherpunk and became one of the week's most-discussed adoption moments. Real-world merchant usage, at a Bitcoin event, using a privacy coin. Tweet 1 · Tweet 2

• ZcashIND Holds First IRL Event — 184 Attendees — Zcash India hosted its first-ever in-person meetup with 184+ students using live wallets and conducting real ZEC transactions. A significant grassroots signal from one of the world's largest markets. Tweet

• Zcash Sponsors Istanbul Blockchain Week — ZCG confirmed Zcash as a sponsor of IBW2026, adding to the Berlin Blockchain Week (June 14–21) presence. Two major European conferences now have confirmed Zcash presence this summer. Tweet

• ZecMap Launches — Batuhan's merchant discovery map app went live, aiming to become the directory for ZEC-accepting businesses worldwide. Forum

• Shielded Labs Hires Protocol Engineer — Giovanni joins Shielded Labs as a platform/core protocol engineer, expanding the engineering capacity working on Zcash protocol development. Tweet

• ZF Hires New Platform Engineer — Andrés Rodríguez joined the Zcash Foundation as Platform Engineer this week. Two hires across two organizations signal growing development investment. Tweet

• ZecHub × NYM Privacy Hangout Scheduled May 6 — Topics include "What's up with Zcash," the Palantir Manifesto, and age verification. ZecHub

• Women in DeFi Summit 2026 — Zcash was Gold Sponsor at the Lagos event. Ambassador CQ_Elzz gave a presentation on privacy, reporting strong audience engagement and new followers. Tweet

//Governance & Grants

Approved

• BTCPayServer Multi-Account & 0conf (#269) — ZCG voted to approve the Zcash plugin upgrade for multi-account support and mempool notifications. Forum · GitHub
• DWeb Camp Grassroots Marketing (#283) — Zcash presence at DWeb Camp this summer. GitHub

Declined

VOTERAX (#279), Formal Verification of CompactSize (#278), ZEC Builders Hub UNIABUJA (#277), Revocable Private Delegation (#282), and several others from the ZCG April 27 meeting backlog were formally declined.

Under Review

• Pesa ya Siri Tanzania (#290) — WhatsApp-native ZEC onboarding with voucher system. $3,210 startup + milestones. Forum
• Zcash Arabia (#289) — Arabic-language community engagement, May–September 2026. Forum
• Quantir (#288) — Privacy-safe risk intelligence and infrastructure monitoring for Zcash. $48k, 3-month engagement. Forum
• Tor Project Crowdfunding (#287) — Using Zcash in an internet freedom crowdfunding campaign targeting 4.8M daily Tor users. Campaign launch May 19. Forum
• KBCC Kenya (#286), Mexico University (#284), Zush (#281), Hito (#280), TIBA Africa (#276) — All under active ZCG review.

Retroactive Grants

Two retroactive applications were submitted via the FPF Coinholder Grants track: wh00hw's hardware wallet SDK (#28) and Zafu browser wallet (#29). These use a separate funding stream from ZCG. The Q2 2026 Retroactive Grants deadline is May 14 — 11 days away.

//Protocol & Development

• Zebra v4.4.0 — Critical security release. See Top Stories.

• librustzcash Batch Release — Published April 28: zcash_client_backend 0.22.0, zcash_client_sqlite 0.20.0, zcash_proofs 0.27.0, pczt 0.6.0, zcash_keys 0.13.0. A major SDK refresh that downstream wallets and services should audit.

• orchard 0.13.1 — Released April 27 with bug fixes following the 0.13.0 release that added the unstable-frost feature flag.

• librustzcash Consensus Warning (PR #2332) — daira merged a top-level API warning on May 1 clarifying that "the only way to check Zcash consensus validity is to use a Zcash consensus node." Signals ongoing effort to prevent misuse of librustzcash as a standalone validator.

• ZIP-316 Revision 2 Discussion — Now at 12 posts in forum thread #55515. The proposal adds zu (unified, no transparent receivers) and tu (transparent + metadata) address types, address expiration metadata, and MUST-understand typecodes. Community feedback is active with constructive discussion on UX implications. No formal ZF or ZODL position yet.

• ZingoLabs HackFest (Rome, May 1–7) — ZingoLabs and other Zcash teams are convening in Rome alongside the Zcash Dev Summit, ZkProof8, and Eurocrypt. Watch for zaino/zingolib protocol decisions emerging this week.

• Zcash Arborist Call — April 30 recording published by ZF. Bi-weekly protocol development meeting covering deployment logistics, consensus node issues, and research. Tweet

• Zebra Coverage-Guided Fuzzing — Forum thread #54972 saw continued discussion on ZF's fuzzing infrastructure hardening effort.

//Tweets of the Week

"A significant number of Zcash miners sell what they receive each day to cover costs and generate profit. At $380 per ZEC, that's under $550k. Peanuts. Most Zcash holders are Zodling, and many accumulating as the asset is massively under priced."

"For the first time it is possible for billions of humans to be not only monitored, but also controlled by AIs as living slaves of their corporate and government masters."

"Bitcoin has been captured."

//Forum Highlights

• Pesa ya Siri Tanzania (#55558) — A new grant proposal targeting WhatsApp-native ZEC onboarding for everyday use in Tanzania. Voucher-based system with agent networks. A genuine grassroots adoption experiment in a market where mobile money dominates.

• Quantir Privacy-Safe Risk Intelligence (#55568) — Ilya Berdar proposed infrastructure monitoring and anomaly detection for Zcash — explicitly not deanonymizing shielded users. Opt-in telemetry and public signals only. A thoughtful approach to the tension between transparency and privacy.

• Ara Foundation Computer-to-Computer Communication (#55509) — An experimental "malleable computing environment" where computers coordinate through blockchain semantics. Early-stage, but the machine-to-machine payment coordination concept connects to emerging x402 and agent wallet patterns.

• ZIP-316 Rev. 2 UX Concerns (#55515) — Community members flagged that raw unified addresses are "not really intuitive" and that address expiration needs to be abstracted silently for mainstream adoption. The thread is becoming the de facto feedback channel for the next generation of Zcash address standards.

//Privacy Corner: The Shield-and-Spend Trap

Shielding your ZEC is essential for privacy — but what you do immediately after matters just as much.

Here's the trap: you receive ZEC at a transparent address, shield it into Orchard, and then spend it within minutes. An observer watching the transparent pool sees funds disappear. An observer watching the Orchard pool sees a new spend appear moments later at roughly the same amount. Even though the shielded pool hides the connection cryptographically, the timing and amount correlation make it statistically trivial to link the two.

This is called a shield-and-spend pattern, and CipherScan's Privacy Risk Analysis actively detects it. This week, CipherScan flagged over 3,100 linkable shield-deshield pairs on the Zcash network — most with medium to high risk scores.

How to protect yourself:

1. Wait before spending. Let your ZEC sit in the shielded pool for hours or days, not minutes.
2. Use Orchard, not Sapling. Orchard has a larger anonymity set and better amount hiding.
3. Avoid round numbers. Shielding exactly 10.0 ZEC and deshielding 10.0 ZEC is a fingerprint. Let change and fees create natural variation.
4. Check your blend. CipherScan's Blend Check tool shows how well your transaction amount blends with recent pool activity.

The shielded pool protects you — but only if you give it time to work.

//Network Snapshot

//Zcash Privacy Index

Privacy Metrics

Cross-Chain Activity (24h)

Network Health

Live data: cipherscan.app/privacy-stats

//Tool Updates

//What's Ahead

• May 6 — ZecHub × NYM Privacy Hangout
• May 7 — ZingoLabs HackFest wraps up (Rome)
• May 14 — Q2 2026 Retroactive Grants deadline
• Mid-May — Ledger Orchard device-app signing target
• May 19 — Tor Project crowdfunding campaign launch
• June 14–21 — Berlin Blockchain Week
• July 2026 — Ledger Orchard full launch target
• Ongoing — ZIP-316 Rev. 2 community deliberation, Crosslink Season 1 testnet, ZCG security coordination