Folks, apparently there was a chain fork within the last 24 hours. Thanks to Wang Chun of F2Pool for reporting it.

The Zcash core developers — notably @str4d — reproduced the problem and confirmed that it is an instance of the cache invalidation bug from zcashd (“MagicBean”) v1.0.2.

I suspect that this was triggered by a malicious act, because I don't think the cache invalidation bug would be likely to strike by accident, but that's just a guess on my part. Others (especially Zcash core team engineers) might know better than me about that. In any case, I don't think it is most important to determine whether it was triggered maliciously or accidentally, but it is most important to make yourself safe against it. As Sun Tzu said, “The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him.”

I'm not aware of anyone having been robbed or harmed during this event, but if you have any concerns please feel free to reach out to me privately or to the customer support team.

The most important thing you can do to protect yourself is to upgrade! Go upgrade to zcash “MagicBean” v1.0.5 (the current stable release as of this moment) right now, and then come back and read the rest of this thread.

I'll post more in a follow-up message on this thread about some lessons learned from this and improvements we're going to make, but for now, go upgrade to the latest stable release, check whether your systems are functioning correctly, and join the community chat for real-time communication about security issues.