Edition #7Sunday, May 3, 2026

Zcash Weekly — May 3, 2026

Zebra 4.4.0 patches consensus-critical vulnerabilities. ZCG earmarks $1M for bug bounties. Hardware wallet ecosystem explodes with three independent projects. ZEC crosses $398.

Jump to section

Zebra 4.4.0 — Critical Security Release Patches Five Vulnerabilities

The Zcash Foundation released Zebra v4.4.0 on May 2 with fixes for multiple security vulnerabilities, including consensus-critical issues. All node operators should upgrade immediately.

Five CVEs were patched: denial-of-service via gossip queue saturation and syncer poisoning (GHSA-28xj-328h-72vm), a V5 sighash callback consensus bypass (GHSA-gq4h-3grw-2rhv), allocation amplification in inbound deserializers (GHSA-438q-jx8f-cccv), a transparent input/output alignment bug, and RPC hardening including a cookie file permission fix (GHSA-jg86-rwhm-fhg4). The V5 sighash bypass was the most severe — a consensus-critical issue that could potentially cause chain splits if left unpatched.

Sources: ZF Forum · GitHub Release · ZF Tweet

GHSA-28xj-328h-72vm

ZCG Earmarks $1M for Security Bug Bounties

Zcash Community Grants announced a $1 million USD earmark to fund payouts for responsibly disclosed vulnerabilities affecting core Zcash repositories. The program covers Zebra, librustzcash, and related consensus-critical code. Payouts flow through a formalized pipeline: remediation team → ZCG → FPF → researcher.

This is the largest coordinated security funding initiative in Zcash history and follows an April disclosure cycle that saw three independent researchers find vulnerabilities, one of whom (Alex Sol) had rewards retroactively doubled from 300 to 600 ZEC. ZCG, ZODL, ZF, and Shielded Labs are in active discussions on triage, severity classification, and coordination to ensure the program runs smoothly.

Sources: ZCG Tweet · Forum Discussion

ZCG Tweet

Three Independent Hardware Wallet Projects Now Active

The Zcash hardware wallet ecosystem went from near-zero to three simultaneous projects this week:

1. Hito ($50k ZCG grant under review, #280) — Dedicated Orchard cold signing module. Architecture published, 5,000+ units in production planning. Forum thread has the highest engagement score of any current grant application.

2. wh00hw's Open-Source SDK (FPF retroactive grant #28) — libzcash-orchard-c and zcash-hw-wallet-sdk targeting embedded platforms: FlipZcash (ARM Cortex-M4) and ESP32 (Xtensa LX7). Code-complete, MIT-licensed, 49 KAT vectors and 17 integration tests. Posted via the FPF Coinholder Grants track.

3. Zafu/Zigner (FPF retroactive grant #29) — Chrome MV3 extension with sub-12-second client-side Halo2 Orchard proving, end-to-end FROST t-of-n multisig, and air-gap device pairing via PCZT (ZIP-324). The most technically ambitious browser wallet in the Zcash ecosystem.

Meanwhile, Ledger's Orchard device-app integration remains on track for mid-May signing completion, with full launch targeted for July. Four different teams, four different approaches — all converging on Orchard signing.

Sources: Hito Forum · wh00hw Forum · Zafu Forum

Hito Forum

Ecosystem

Zcash Used to Pay for Chipotle at a Bitcoin Conference

Vladcostea paid for two Chipotle meals with ZEC while attending a Bitcoin conference. His posts were amplified by Cypherpunk and became one of the week's most-discussed adoption moments. Real-world merchant usage, at a Bitcoin event, using a privacy coin. Tweet 1 · Tweet 2

Tweet 1

ZcashIND Holds First IRL Event — 184 Attendees

Zcash India hosted its first-ever in-person meetup with 184+ students using live wallets and conducting real ZEC transactions. A significant grassroots signal from one of the world's largest markets. Tweet

Zcash Sponsors Istanbul Blockchain Week

ZCG confirmed Zcash as a sponsor of IBW2026, adding to the Berlin Blockchain Week (June 14–21) presence. Two major European conferences now have confirmed Zcash presence this summer. Tweet

ZecMap Launches

Batuhan's merchant discovery map app went live, aiming to become the directory for ZEC-accepting businesses worldwide. Forum

Forum

Shielded Labs Hires Protocol Engineer

Giovanni joins Shielded Labs as a platform/core protocol engineer, expanding the engineering capacity working on Zcash protocol development. Tweet

ZF Hires New Platform Engineer

Andrés Rodríguez joined the Zcash Foundation as Platform Engineer this week. Two hires across two organizations signal growing development investment. Tweet

ZecHub × NYM Privacy Hangout Scheduled May 6

Topics include "What's up with Zcash," the Palantir Manifesto, and age verification. ZecHub

ZecHub

Women in DeFi Summit 2026

Zcash was Gold Sponsor at the Lagos event. Ambassador CQ_Elzz gave a presentation on privacy, reporting strong audience engagement and new followers. Tweet

Governance & Grants

Approved

BTCPayServer Multi-Account & 0conf (#269) — ZCG voted to approve the Zcash plugin upgrade for multi-account support and mempool notifications. Forum · GitHub
DWeb Camp Grassroots Marketing (#283) — Zcash presence at DWeb Camp this summer. GitHub

Forum

Declined

VOTERAX (#279), Formal Verification of CompactSize (#278), ZEC Builders Hub UNIABUJA (#277), Revocable Private Delegation (#282), and several others from the ZCG April 27 meeting backlog were formally declined.

Under Review

Pesa ya Siri Tanzania (#290) — WhatsApp-native ZEC onboarding with voucher system. $3,210 startup + milestones. Forum
Zcash Arabia (#289) — Arabic-language community engagement, May–September 2026. Forum
Quantir (#288) — Privacy-safe risk intelligence and infrastructure monitoring for Zcash. $48k, 3-month engagement. Forum
Tor Project Crowdfunding (#287) — Using Zcash in an internet freedom crowdfunding campaign targeting 4.8M daily Tor users. Campaign launch May 19. Forum
KBCC Kenya (#286), Mexico University (#284), Zush (#281), Hito (#280), TIBA Africa (#276) — All under active ZCG review.

Forum

Retroactive Grants

Two retroactive applications were submitted via the FPF Coinholder Grants track: wh00hw's hardware wallet SDK (#28) and Zafu browser wallet (#29). These use a separate funding stream from ZCG. The Q2 2026 Retroactive Grants deadline is May 14 — 11 days away.

Protocol & Development

Zebra v4.4.0

Critical security release. See Top Stories.

librustzcash Batch Release

Published April 28: zcash_client_backend 0.22.0, zcash_client_sqlite 0.20.0, zcash_proofs 0.27.0, pczt 0.6.0, zcash_keys 0.13.0. A major SDK refresh that downstream wallets and services should audit.

orchard 0.13.1

Released April 27 with bug fixes following the 0.13.0 release that added the unstable-frost feature flag.

librustzcash Consensus Warning (PR #2332)

daira merged a top-level API warning on May 1 clarifying that "the only way to check Zcash consensus validity is to use a Zcash consensus node." Signals ongoing effort to prevent misuse of librustzcash as a standalone validator.

ZIP-316 Revision 2 Discussion

Now at 12 posts in forum thread #55515. The proposal adds zu (unified, no transparent receivers) and tu (transparent + metadata) address types, address expiration metadata, and MUST-understand typecodes. Community feedback is active with constructive discussion on UX implications. No formal ZF or ZODL position yet.

ZingoLabs HackFest (Rome, May 1–7)

ZingoLabs and other Zcash teams are convening in Rome alongside the Zcash Dev Summit, ZkProof8, and Eurocrypt. Watch for zaino/zingolib protocol decisions emerging this week.

Zcash Arborist Call

April 30 recording published by ZF. Bi-weekly protocol development meeting covering deployment logistics, consensus node issues, and research. Tweet

Zebra Coverage-Guided Fuzzing

Forum thread #54972 saw continued discussion on ZF's fuzzing infrastructure hardening effort.

Tweets of the Week

"A significant number of Zcash miners sell what they receive each day to cover costs and generate profit. At $380 per ZEC, that's under $550k. Peanuts. Most Zcash holders are Zodling, and many accumulating as the asset is massively under priced."
— @jswihart · link

"For the first time it is possible for billions of humans to be not only monitored, but also controlled by AIs as living slaves of their corporate and government masters."
— @cypherpunk · link

"Bitcoin has been captured."
— @jswihart · link

Forum Highlights

Pesa ya Siri Tanzania (#55558)

A new grant proposal targeting WhatsApp-native ZEC onboarding for everyday use in Tanzania. Voucher-based system with agent networks. A genuine grassroots adoption experiment in a market where mobile money dominates.

Quantir Privacy-Safe Risk Intelligence (#55568)

Ilya Berdar proposed infrastructure monitoring and anomaly detection for Zcash — explicitly not deanonymizing shielded users. Opt-in telemetry and public signals only. A thoughtful approach to the tension between transparency and privacy.

Ara Foundation Computer-to-Computer Communication (#55509)

An experimental "malleable computing environment" where computers coordinate through blockchain semantics. Early-stage, but the machine-to-machine payment coordination concept connects to emerging x402 and agent wallet patterns.

ZIP-316 Rev. 2 UX Concerns (#55515)

Community members flagged that raw unified addresses are "not really intuitive" and that address expiration needs to be abstracted silently for mainstream adoption. The thread is becoming the de facto feedback channel for the next generation of Zcash address standards.

Privacy Corner

The Shield-and-Spend Trap

Shielding your ZEC is essential for privacy — but what you do immediately after matters just as much.

Here's the trap: you receive ZEC at a transparent address, shield it into Orchard, and then spend it within minutes. An observer watching the transparent pool sees funds disappear. An observer watching the Orchard pool sees a new spend appear moments later at roughly the same amount. Even though the shielded pool hides the connection cryptographically, the timing and amount correlation make it statistically trivial to link the two.

This is called a shield-and-spend pattern, and CipherScan's Privacy Risk Analysis actively detects it. This week, CipherScan flagged over 3,100 linkable shield-deshield pairs on the Zcash network — most with medium to high risk scores.

How to protect yourself:

1. Wait before spending. Let your ZEC sit in the shielded pool for hours or days, not minutes.
2. Use Orchard, not Sapling. Orchard has a larger anonymity set and better amount hiding.
3. Avoid round numbers. Shielding exactly 10.0 ZEC and deshielding 10.0 ZEC is a fingerprint. Let change and fees create natural variation.
4. Check your blend. CipherScan's Blend Check tool shows how well your transaction amount blends with recent pool activity.

The shielded pool protects you — but only if you give it time to work.

Network Snapshot

ZEC Price

$397.95 · +12.6%

Market Cap

$6.64B · —

24h Volume

$706.7M · —

Block Height

3,329,708 · +7,389

Network Upgrade

NU6.1 (Zebra 4.4.0) · —

Chain Size

257.4 GB · -0.1 GB

Zcash Privacy Index

Privacy Score

31 · 31

Shielded Pool

5,155,496 ZEC · 5,175,242 ZEC

Orchard Pool

4,530,281 ZEC · —

Avg Shielded TX/Day

1,479 · 1,250

Daily Shielded %

29.6% (today) · 38.3% (7d ago)

Privacy Metrics

Privacy Score

31 · 31

Shielded Pool

5,155,496 ZEC · 5,175,242 ZEC

Orchard Pool

4,530,281 ZEC · —

Avg Shielded TX/Day

1,479 · 1,250

Daily Shielded %

29.6% (today) · 38.3% (7d ago)

Cross-Chain Activity (24h)

Total Volume

$1.48M

Total Swaps

455

All-Time Swaps

116,026

All-Time Volume

$1.46B

Top Inflow

Ethereum ($463K)

Top Outflow

Ethereum ($213K)

Network Health

Active Nodes

263 · -0.8%

Countries

34 · +3

Tor Nodes

15 · +12

Top Country

US (92 nodes) · —

Avg Ping

174ms · -40ms

The standout number this week is Tor nodes — jumping from 3 to 15 in seven days. Someone is deploying Zcash infrastructure through Tor at scale, a meaningful signal for censorship-resistant network topology. Meanwhile, average shielded transactions per day surged 18.4% week-over-week, even as the shielded pool itself saw a slight drawdown of ~20K ZEC — likely profit-taking amid the price rally. Cross-chain swap volume is running strong at 455 swaps/day across 15 chains, with all-time volume crossing $1.46B.

cipherscan.app/privacy

Tool Updates

CipherScan

Zcash Names integration is now live — search any address by its registered name directly in the explorer. This feature has been organically promoted by Spanish-language community accounts, bringing CipherScan to a new audience in Latin America. The Rich List feature launched last week continues to drive engagement. — cipherscan.app

CipherPay

No new feature releases this week. CipherPay's agent wallet and x402 integration from previous weeks continues to generate organic community discussion, with users independently explaining the payment flow to broader audiences on Twitter.

What's Ahead

May 6ZecHub × NYM Privacy Hangout
May 7ZingoLabs HackFest wraps up (Rome)
May 14Q2 2026 Retroactive Grants deadline
Mid-MayLedger Orchard device-app signing target
May 19Tor Project crowdfunding campaign launch
June 14–21Berlin Blockchain Week
July 2026Ledger Orchard full launch target
OngoingZIP-316 Rev. 2 community deliberation, Crosslink Season 1 testnet, ZCG security coordination