Zebra · Zebra · CVE-2026-34377
**Name of the Vulnerable Software and Affected Versions**
Zebra versions prior to 4.3.0
zebra-consensus versions prior to 5.0.1
**Description**
A flaw exists in Zebra's transaction verification cache that could allow a malicious miner to induce a consensus split. By matching a valid transaction's `txid` while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. This issue stems from a logic error in the `find_verified_unmined_tx` function within `transaction.rs`, where the lookup mechanism used the `txid` as a unique key, excluding the Authorization Data Root for V5 transactions. This caused Zebra to skip the essential `check_v5_auth()` call, incorrectly assuming the transaction was already verified. The vulnerability affects Zebra nodes utilizing the transaction verification cache optimization for V5 transactions.
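A simplified model of the cache-key flaw described above, as an added example that is not Zebra's code: `Tx`, `VerifiedCache`, `check_auth` and all byte values are hypothetical, and `auth_valid` stands in for real signature and proof verification. It contrasts a lookup keyed on `txid` alone with one that also compares the authorization digest before skipping the check.

```rust
use std::collections::HashMap;

// Toy V5 transaction: txid covers the effecting data only,
// auth_digest covers signatures and proofs.
#[derive(Clone)]
struct Tx {
    txid: [u8; 32],
    auth_digest: [u8; 32],
    auth_valid: bool, // assumption: stands in for real signature/proof checks
}

// Hypothetical stand-in for the full authorization check.
fn check_auth(tx: &Tx) -> bool {
    tx.auth_valid
}

// Cache of transactions that already passed full verification.
struct VerifiedCache {
    verified: HashMap<[u8; 32], [u8; 32]>, // txid -> verified auth_digest
}

impl VerifiedCache {
    fn insert(&mut self, tx: &Tx) {
        if check_auth(tx) {
            self.verified.insert(tx.txid, tx.auth_digest);
        }
    }
    // Flawed lookup: a txid hit alone skips the authorization check.
    fn accept_txid_only(&self, tx: &Tx) -> bool {
        self.verified.contains_key(&tx.txid) || check_auth(tx)
    }
    // Hardened lookup: skip the check only if txid AND auth digest both match.
    fn accept_with_auth_digest(&self, tx: &Tx) -> bool {
        self.verified.get(&tx.txid) == Some(&tx.auth_digest) || check_auth(tx)
    }
}

// Constructed sample: `forged` reuses the honest txid with different, invalid auth data.
fn demo() -> (bool, bool, bool) {
    let honest = Tx { txid: [1; 32], auth_digest: [2; 32], auth_valid: true };
    let forged = Tx { auth_digest: [3; 32], auth_valid: false, ..honest.clone() };
    let mut cache = VerifiedCache { verified: HashMap::new() };
    cache.insert(&honest);
    (cache.accept_txid_only(&forged),        // wrongly accepted via cache hit
     cache.accept_with_auth_digest(&forged), // rejected: digest mismatch, check fails
     cache.accept_with_auth_digest(&honest)) // still served from cache
}

fn main() { println!("{:?}", demo()); }
```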
**Recommendations**
Upgrade to Zebra version 4.3.0 or later.
Upgrade to zebra-consensus version 5.0.1 or later.