February 18, 2021
This release fixes a downstream security issue which impacts Cosmos SDK users who are:
FilePV
implementation for their consensus keysUsers who fulfill all the above criteria were susceptible to leaking private key material in the logs. All other users are unaffected.
The root cause was a discrepancy between the Tendermint Core (untyped) logger and the Cosmos SDK (typed) logger: Tendermint Core's logger automatically stringifies Go interfaces whenever possible; however, the Cosmos SDK's logger uses reflection to log the fields within a Go interface.
The introduction of the typed logger meant that previously un-logged fields within
interfaces are now sometimes logged, including the private key material inside the
FilePV
struct.
Tendermint Core v0.34.7 fixes this issue; however, we strongly recommend that all validators
use remote signer implementations instead of FilePV
in production.
Thank you to @joe-bowman for his assistance with this vulnerability and a particular shout-out to @marbar3778 for diagnosing it quickly.
Friendly reminder: We have a bug bounty program.
February 18, 2021
Tendermint Core v0.34.5 and v0.34.6 have been recalled due to release tooling problems.
February 11, 2021
This release includes a fix for a memory leak in the evidence reactor (see #6068, below). All Tendermint clients are recommended to upgrade. Thank you to our friends at Crypto.com for the initial report of this memory leak!
Special thanks to other external contributors on this release: @yayajacky, @odidev, @laniehei, and @c29r3!
Friendly reminder: We have a bug bounty program.
/commit
and /validators
(@cmwaters)January 19, 2021
This release includes a fix for a high-severity security vulnerability, a DoS-vector that impacted Tendermint Core v0.34.0-v0.34.2. For more details, see Security Advisory Mulberry or https://nvd.nist.gov/vuln/detail/CVE-2021-21271.
Tendermint Core v0.34.3 also updates GoGo Protobuf to 1.3.2 in order to pick up the fix for https://nvd.nist.gov/vuln/detail/CVE-2021-3121.
Friendly reminder: We have a bug bounty program.
January 12, 2021
This release fixes a substantial bug in evidence handling where evidence could sometimes be broadcast before the block containing that evidence was fully committed, resulting in some nodes panicking when trying to verify said evidence.
Friendly reminder, we have a bug bounty program.
EnsureDir
now propagates IO errors and checks the file type (@erikgrinaker)LastHeightConsensusParamsChanged
when bootstrapping Tendermint state (@cmwaters)January 6, 2021
Special thanks to external contributors on this release:
@p4u from vocdoni.io reported that the mempool might behave incorrectly under a
high load. The consequences can range from pauses between blocks to the peers
disconnecting from this node. As a temporary remedy (until the mempool package
is refactored), the max-batch-bytes
was disabled. Transactions will be sent
one by one without batching.
Friendly reminder, we have a bug bounty program.
CLI/RPC/Config
Go API
Reader.ReadMsg()
(@erikgrinaker)keep-invalid-txs-in-cache
config option. When set to true, mempool will keep invalid transactions in the cache (@p4u)max-batch-bytes
(@melekes)MConnection
(@erikgrinaker)November 19, 2020
Holy smokes, this is a big one! For a more reader-friendly overview of the changes in 0.34.0 (and of the changes you need to accommodate as a user), check out UPGRADING.md.
Special thanks to external contributors on this release: @james-ray, @fedekunze, @favadi, @alessio, @joe-bowman, @cuonglm, @SadPencil and @dongsam.
And as always, friendly reminder, that we have a bug bounty program.
CLI/RPC/Config
prof_laddr
to pprof_laddr
and move it to rpc
section (@melekes)DuplicateVoteEvidence
(@marbar3778)tendermint lite
command has been renamed to tendermint light
(@marbar3778)round
in private_validator_state.json is no longer JSON string; instead it is a number (@marbar3778)/validators
are now sorted by voting power (@melekes)page
pagination param is 0 in /validators
, tx_search
(@melekes)gasWanted
and gasUsed
in ResponseCheckTx
and ResponseDeliverTx
have been made snake_case (gas_wanted
and gas_used
) (@marbar3778)/unsafe_start_cpu_profiler
, /unsafe_stop_cpu_profiler
and /unsafe_write_heap_profile
. Please use pprof functionality instead (@melekes)context.Context
as 1st param (@melekes)Apps
ListSnapshots
, LoadSnapshotChunk
, OfferSnapshot
, and ApplySnapshotChunk
for state sync snapshots. ABCIVersion
bumped to 0.17.0. (@erikgrinaker)Proof
within ResponseQuery
has been renamed to ProofOps
(@marbar3778)CheckTxType
Protobuf enum names are now uppercase, to follow Protobuf style guide (@erikgrinaker)P2P Protocol
MaxBatchBytes
new config setting defines the max size of one batch.p2p/pex
reactor to Protobuf encoding (@marbar3778)Blockchain Protocol
Pubkey
from DuplicateVoteEvidence
(@marbar3778)DataHash
, EvidenceHash
, and LastResultsHash
(@erikgrinaker)GasWanted
and GasUsed
into LastResultsHash
(@melekes)On-disk serialization
BlockStoreStateJSON
is now BlockStoreState
and is encoded as binary in the databaseLight client, private validator
privval
module to Protobuf encoding (@marbar3778)Go API
Round
, LockedRound
& CommitRound
are now int32
(@marbar3778)round
is now int32
(@marbar3778)SimpleHashFromMap()
and SimpleProofsFromMap()
(@erikgrinaker)[]byte
instead of [<size>]byte
. The byte method no longer returns the marshaled value but just the []byte
form of the data. (@marbar3778)Simple
prefixes from SimpleProof
, SimpleValueOp
& SimpleProofNode
. (@marbar3778)
merkle.Proof
has been renamed to ProofOps
.Proof
& ProofOp
has been moved to proto/crypto/merkle
SimpleHashFromByteSlices
has been renamed to HashFromByteSlices
SimpleHashFromByteSlicesIterative
has been renamed to HashFromByteSlicesIterative
SimpleProofsFromByteSlices
has been renamed to ProofsFromByteSlices
PrivKeyEd25519
is now PrivKey
PubKeyEd25519
is now PubKey
PrivKeySecp256k1
is now PrivKey
PubKeySecp256k1
is now PubKey
PrivKeySr25519
is now PrivKey
PubKeySr25519
is now PubKey
GenPrivKeySecp256k1
to GenPrivKeyFromSecret
to be consistent with other keys (@marbar3778)VerifyBytes
is now VerifySignature
on the crypto.PubKey
interface (@marbar3778)Bech32
pkg from Tendermint. This pkg now lives in the cosmos-sdk (@marbar3778)lite2
pkg to light
. Remove lite
implementation. (@marbar3778)NewClient
, NewHTTPClient
, VerifyHeader
and VerifyLightBlockAtHeight
now accept context.Context
as 1st param (@melekes)HashFromByteSlices
and ProofsFromByteSlices
now return a hash for empty inputs, following RFC6962 (@erikgrinaker)/proto
directory. (@marbar3778)
Validators
, TxSearch
page
/per_page
params become pointers (@melekes)
UnconfirmedTxs
limit
param is a pointerWriteRPCResponseArrayHTTP
(use WriteRPCResponseHTTP
instead) (@melekes)TxResult
is a Protobuf type defined in abci
types directory (@marbar3778)State.InitialHeight
field to record initial block height, must be 1
(not 0
) to start from 1 (@erikgrinaker)LoadStateFromDBOrGenesisFile()
and LoadStateFromDBOrGenesisDoc()
no longer saves the state in the database if not found, the genesis state is simply returned (@erikgrinaker)SignedMsgType
has moved to a Protobuf enum types (@marbar3778)ConsensusParams
, BlockParams
, EvidenceParams
, ValidatorParams
& HashedParams
are now Protobuf types (@marbar3778)SignBytes
is now func VoteSignBytes
& ProposalSignBytes
(@marbar3778)VerifyCommitTrusting
func + remove extra validation (@melekes)ABCIResult
(@melekes)PartsHeader
to PartSetHeader
to have consistency (@marbar3778)Total
in Parts
& PartSetHeader
has been changed from a int
to a uint32
(@marbar3778)ValidatorIndex
& Round
are now int32
(@marbar3778)POLRound
& Round
are now int32
(@marbar3778)Round
is now int32
(@marbar3778)AppVersion
to consensus parameters (@james-ray)
EndBlock
responseMockEvidence
in favor of testing with actual evidence types (DuplicateVoteEvidence
& LightClientAttackEvidence
) (@cmwaters)InitChain.InitialHeight
field giving the initial block height (@erikgrinaker)ResponseInitChain.app_hash
which is recorded in genesis block (@erikgrinaker)--consensus.double_sign_check_height
flag and DoubleSignCheckHeight
config variable. See ADR-51 (@dongsam)badgerdb
database backend (@erikgrinaker)initial_height
field to specify the initial chain height (defaults to 1
) (@erikgrinaker)SaveAs
func on NodeKey (@melekes)chainID
to requests from client. (@marbar3778)BlockByHash
query (@fedekunze)/tx_search
query (@melekes)/check_tx
endpoint to check transactions without executing them or adding them to the mempool (@melekes)[statesync]
config section.data/cs.wal/wal
) automatically in case of corruption (@alessio)
data/cs.wal/wal.CORRUPTED
.privValidator.GetPubKey
once per block (@melekes)signChallenge()
instead of panicNewSignerDialerEndpoint
can now be given SignerServiceEndpointOption
(@erikgrinaker)libs/json
, not Amino (@erikgrinaker)/dial_peers
has added private
and unconditional
as parameters. (@marbar3778)InitStateVersion
for the initial state version (@erikgrinaker)abci.EventAttribute
replaces KV.Pair
ValidateBasic
to validator and validator set (@cmwaters)Header.ValidateBasic()
for block protocol version (@marbar3778)Commit
and CommitSig
max sizes instead of vote max size to calculate the maximum block size. (@cmwaters)LastCommitRound
to be negative (@cuonglm)InitChain
(@erikgrinaker)time_iota_ms
default setting causing block timestamp drift (@erikgrinaker)application/json
as the Content-Type
header in RPC responses. (@alexanderbez)August 11, 2020
Go reported a security vulnerability that affected the encoding/binary
package. The most recent binary for tendermint is using 1.14.6, for this
reason the Tendermint engineering team has opted to conduct a release to aid users in using the correct version of Go. Read more about the security issue here.
August 4, 2020
RemoteSignerError
from remote signers are no longer retried (@melekes)July 2, 2020
This security release fixes:
Tendermint 0.33.0 and above allow block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it without changing the chainID. (It is a misconfiguration to reuse chainIDs.) Correct block proposers will accidentally include signatures for the wrong block if they see these signatures, and then commits won't validate, making all proposed blocks invalid. A malicious validator (even with a minimal amount of stake) can use this vulnerability to completely halt the network.
Tendermint 0.33.6 checks all the signatures are for the block with +2/3 majority before creating a commit.
Tendermint 0.33.1 and above are no longer fully verifying commit signatures during block execution - they stop after +2/3. This means proposers can propose blocks that contain valid +2/3 signatures and then the rest of the signatures can be whatever they want. They can claim that all the other validators signed just by including a CommitSig with arbitrary signature data. While this doesn't seem to impact safety of Tendermint per se, it means that Commits may contain a lot of invalid data.
This was already true of blocks, since they could include invalid txs filled with garbage, but in that case the application knew that they are invalid and could punish the proposer. But since applications didn't--and don't-- verify commit signatures directly (they trust Tendermint to do that), they won't be able to detect it.
This can impact incentivization logic in the application that depends on the LastCommitInfo sent in BeginBlock, which includes which validators signed. For instance, Gaia incentivizes proposers with a bonus for including more than +2/3 of the signatures. But a proposer can now claim that bonus just by including arbitrary data for the final -1/3 of validators without actually waiting for their signatures. There may be other tricks that can be played because of this.
Tendermint 0.33.6 verifies all the signatures during block execution.
Please note that the light client does not check nil votes and exits as soon as 2/3+ of the signatures are checked.
All clients are recommended to upgrade.
Special thanks to @njmurarka at Bluzelle Networks for reporting this.
Friendly reminder, we have a bug bounty program.
Please note that the fix for the False Witness issue renames the VerifyCommitTrusting
function to VerifyCommitLightTrusting
. If you were relying on the light client, you may
need to update your code.
May 28, 2020
Special thanks to external contributors on this release: @tau3,
Friendly reminder, we have a bug bounty program.
Go API
OldFilePV
(@melekes)Mempool#InitWAL
to return an error (@melekes)ConfigureRPC
returns an error (@melekes)lib
folder (@melekes)
Move lib/ folder to jsonrpc/.
Rename:
rpc package -> jsonrpc package
rpcclient package -> client package
rpcserver package -> server package
JSONRPCClient to Client
JSONRPCRequestBatch to RequestBatch
JSONRPCCaller to Caller
StartHTTPServer to Serve
StartHTTPAndTLSServer to ServeTLS
NewURIClient to NewURI
NewJSONRPCClient to New
NewJSONRPCClientWithHTTPClient to NewWithHTTPClient
NewWSClient to NewWS
Unexpose ResponseWriterWrapper
Remove unused http_params.goHeader#ValidateBasic
(@alexanderbez)/validators
, /consensus_params
and /status
(@melekes)fast_sync
option (@erikgrinaker)ErrSignedHeaderNotFound
and ErrValidatorSetNotFound
on corresponding RPC errors (@erikgrinaker)VerifyCommitTrusting
(@melekes)GetPubKey/SignVote/SignProposal
a few times before returning an error (@melekes)ResponseCommit.retain_height
, all blocks and associated data below this height will be removed.April 21, 2020
Special thanks to external contributors on this release: @whylee259, @greg-szabo
Friendly reminder, we have a bug bounty program.
Go API
maxClockDrift
an option Verify/VerifyAdjacent/VerifyNonAdjacent
now accept maxClockDrift time.Duration
(@melekes).http
and local
packages (@erikgrinaker).ResponseCommit.retain_height
field, which will automatically remove blocks below this height. This bumps the ABCI version to 0.16.2 (@erikgrinaker).tendermint completion
command to generate Bash/Zsh completion scripts (@alessio)./status
response fields for the earliest block available on the node (@erikgrinaker).codespace
to ResultBroadcastTx
(@whylee259).Base
to blockchain reactor P2P messages StatusRequest
and StatusResponse
(@erikgrinaker).RetainBlocks
option to control block retention (@erikgrinaker).error
as a return value onGetPubKey()
(@marbar3778).count
and total
to /validators
response (@melekes).make proto-gen-docker
(@erikgrinaker).Subscribe
is called, but HTTP client is not running. Subscribe
, Unsubscribe(All)
methods return an error now (@melekes).April 6, 2020
This security release fixes:
Tendermint 0.33.2 and earlier does not limit P2P connection requests number. For each p2p connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming
connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)
.
Notes:
Tendermint 0.33.2 and earlier does not reclaim activeID
of a peer after it's
removed in Mempool
reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. RemovePeer
is therefore called before AddPeer
, which
leads to always growing memory (activeIDs
map). The activeIDs
map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3 (and 0.32.10) claims activeID
for a peer in InitPeer
,
which is executed before MConnection
is started.
Notes:
InitPeer
function was added to all reactors to combat a similar issue -
#3338;All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
Friendly reminder, we have a bug bounty program.
March 11, 2020
Special thanks to external contributors on this release: @antho1404, @michaelfig, @gterzian, @tau3, @Shivani912
Friendly reminder, we have a bug bounty program.
CLI/RPC/Config
Go API
tendermint debug dump
sub-command archives filename's format (@melekes)non-deterministic signature
log noise (@tau3)NewHTTPClient
and NewHTTPClientFromTrustedStore
(@cmwaters)VerifyAdjacent
and VerifyNonAdjacent
funcs (@cmwaters)curve25519.X25519()
instead of ScalarMult
(@erikgrinaker)tendermint debug kill
sub-command (@melekes)/subscribe
(@melekes)/tx_search
upon client timeout (@gterzian)/tx_search
pagination with ordered results (@erikgrinaker)Feburary 13, 2020
Special thanks to external contributors on this release: @princesinha19
Friendly reminder, we have a bug bounty program.
order_by
to /tx_search
endpoint, allowing to change default ordering from asc to desc (@princesinha19)make proto-gen
cmd to generate proto stubs outside of GOPATH.GRPCMaxOpenConnections
when creating the gRPC server, not MaxOpenConnections
BlockMeta
is not nil in /block
& /block_by_hash
Special thanks to external contributors on this release: @mrekucci, @PSalant726, @princesinha19, @greg-szabo, @dongsam, @cuonglm, @jgimeno, @yenkhoon
Friendly reminder, we have a bug bounty program..
January 14, 2020
This release contains breaking changes to the Block#Header
, specifically
NumTxs
and TotalTxs
were removed (#2521). Here's how this change affects
different modules:
State
on diskHeader
brokeAlso, blocks are significantly smaller 🔥 because we got rid of the redundant
information in Block#LastCommit
. Commit
now mainly consists of a signature
and a validator address plus a timestamp. Note we may remove the validator
address & timestamp fields in the future (see ADR-25).
lite2
package has been added to solve lite
issues and introduce weak
subjectivity interface. Refer to the spec for complete details.
lite
package is now deprecated and will be removed in v0.34 release.
CLI/RPC/Config
[rpc] #3471 Paginate /validators
response (default: 30 vals per page)
[rpc] #3188 Remove BlockMeta
in ResultBlock
in favor of BlockId
for /block
[rpc] /block_results
response format updated (see RPC docs for details)
{
"jsonrpc": "2.0",
"id": "",
"result": {
"height": "2109",
"txs_results": null,
"begin_block_events": null,
"end_block_events": null,
"validator_updates": null,
"consensus_param_updates": null
}
}
[rpc] #4141 Remove #event
suffix from the ID in event responses.
{"jsonrpc": "2.0", "id": 0, "result": ...}
[rpc] #4141 Switch to integer IDs instead of json-client-XYZ
id=0 method=/subscribe
id=0 result=...
id=1 method=/abci_query
id=1 result=...
[config] #4046 Rename tag(s) to CompositeKey & places where tag is still present it was renamed to event or events. Find how a compositeKey is constructed here
[genesis] #2565 Add consensus_params.evidence.max_age_duration
. Rename
consensus_params.evidence.max_age
to max_age_num_blocks
.
[cli] #1771 tendermint lite
now uses new light client package (lite2
)
and has 3 more flags: --trusting-period
, --trusted-height
and
--trusted-hash
Apps
Go API
Validators
now requires two more args: page
and perPage
Task
(@PSalant726)GotVoteFromUnwantedRoundError
to ErrGotVoteFromUnwantedRound
(@PSalant726)errors.go
from libs/common
KV
out of common to its own pkgcmn.KVPair(s)
to kv.Pair(s)
sService
& BaseService
from libs/common
to libs/service
common/nil.go
to types/utils.go
& make the functions privatelibs/common
into pkg rand
libs/common
into pkg bytes
libs/common
into pkg timer
libs/common
into pkg tempfile
libs/common
into pkg os
libs/common
into pkg net
libs/common
to math
pkglibs/common
to strings
pkglibs/common
to async
pkglibs/common
to bits
pkglibs/common
to cmap
pkgRand
from all rand
pkg functionsMockBadEvidence
& MockGoodEvidence
in favor of MockEvidence
Blockchain Protocol
P2P Protocol
SecretConnection
non-malleable[proto] #3986 Prefix protobuf types to avoid name conflicts.
tendermint.abci.types
with the new API endpoint /tendermint.abci.types.ABCIApplication/
tendermint.rpc.grpc
with the new API endpoint /tendermint.rpc.grpc.BroadcastAPI/
tendermint.crypto.merkle
tendermint.libs.common
tendermint.types.proto3
unconditional_peer_ids
and persistent_peers_max_dial_period
config variables (see ADR-050) (@dongsam)tendermint debug kill
and
tendermint debug dump
commands for Tendermint node debugging functionality. See --help
in both
commands for further documentation and usage.--db_backend and --db_dir
flags (@princesinha19)--genesis_hash
flag to check genesis hash upon startup/block_by_hash
endpoint, which allows to fetch a block by its hash (@princesinha19)consensus_validator_power
: track your validators powerconsensus_validator_last_signed_height
: track at which height the validator last signedconsensus_validator_missed_blocks
: total amount of missed blocks for a validator
as gauges in prometheus for validator specific metricsblock_size
to BlockMeta
this is reflected in /blockchain
NumTxs
to BlockMeta
and EventDataNewBlockHeader
SecretConnection
handshake with merlin--consensus.create_empty_blocks_interval
flag (@jgimeno)--consensus.create_empty_blocks_interval
flag (@jgimeno)LastBlockHeight
and LastBlockAppHash
in Info
(@princesinha19)proposer
to /consensus_state
response (@princesinha19)SecretConnection
: use the transcript solely for authentication (i.e. MAC)outCapacity
to eventBus#Subscribe
when subscribing using a local clientAugust 5, 2020
May 19, 2020
April 29, 2020
April 6, 2020
This security release fixes:
Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming
connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)
.
Notes:
Tendermint 0.33.2 and earlier does not reclaim activeID
of a peer after it's
removed in Mempool
reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. RemovePeer
is therefore called before AddPeer
, which
leads to always growing memory (activeIDs
map). The activeIDs
map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
Service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3 (and 0.32.10) claims activeID
for a peer in InitPeer
,
which is executed before MConnection
is started.
Notes:
InitPeer
function was added to all reactors to combat a similar issue -
#3338;All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
Friendly reminder, we have a bug bounty program.
January, 9, 2020
Special thanks to external contributors on this release: @greg-szabo, @gregzaitsev, @yenkhoon
Friendly reminder, we have a bug bounty program.
[rpc/lib] #4248 RPC client basic authentication support (@greg-szabo)
[metrics] #4294 Add
consensus_validator_power
: track your validators powerconsensus_validator_last_signed_height
: track at which height the validator last signedconsensus_validator_missed_blocks
: total amount of missed blocks for a validator
as gauges in prometheus for validator specific metricsNovember 19, 2019
Special thanks to external contributors on this release: @erikgrinaker, @guagualvcha, @hsyis, @cosmostuba, @whunmr, @austinabell
Friendly reminder, we have a bug bounty program..
Go API
Query#(Matches|Conditions)
returns an error.tm-monitor
formatting of start time and avg tx throughput (@erikgrinaker)EXISTS
clause to the Websocket query interface.SignerDialerEndpointRetryWaitInterval
option (@cosmostuba)RegisterKeyType
to amino to allow external key types registration (@austinabell)tm-monitor
health when validator count is updated (@erikgrinaker)October 18, 2019
This security release fixes a vulnerability found in the consensus
package,
where an attacker could construct a BlockPartMessage
message in such a way
that it will lead to consensus failure. A few similar issues have been
identified and fixed here.
All clients are recommended to upgrade
Special thanks to elvishacker for finding and reporting this.
Friendly reminder, we have a bug bounty program.
WAL#Write
and WAL#WriteSync
to return an error if
they fail to write a messageOctober 8, 2019
The previous patch was insufficient because the attacker could still find a way
to submit a nil
pubkey by constructing a PubKeyMultisigThreshold
pubkey
with nil
subpubkeys for example.
This release provides multiple fixes, which include recovering from panics when
accepting new peers and only allowing ed25519
pubkeys.
All clients are recommended to upgrade
Special thanks to fudongbai for pointing this out.
Friendly reminder, we have a bug bounty program.
October 1, 2019
This release fixes a major security vulnerability found in the p2p
package.
All clients are recommended to upgrade. See
#4030 for details.
Special thanks to fudongbai for discovering and reporting this issue.
Friendly reminder, we have a bug bounty program.
September 19, 2019
Special thanks to external contributors on this release: @jon-certik, @gracenoah, @PSalant726, @gchaincl
Friendly reminder, we have a bug bounty program.
MempoolClient
interface to Client
interfaceomitempty
timeout_commit
to pass even if create_empty_blocks
is false
August 28, 2019
@climber73 wrote the Writing a Tendermint Core application in Java (gRPC) guide.
Special thanks to external contributors on this release: @gchaincl, @bluele, @climber73
Friendly reminder, we have a bug bounty program.
max_tx_bytes
configurable instead of max_msg_bytes
(@bluele)swagger
, introduce contract tests of implementation against documentationmax_msg_bytes
into mempool section (@bluele)July 31, 2019
Special thanks to external contributors on this release: @ruseinov, @bluele, @guagualvcha
Friendly reminder, we have a bug bounty program.
db
from libs in favor of https://github.com/tendermint/tm-db
version
in the config file, here NOTE: It's not ready for a production yet. For further information, see ADR-40 & ADR-43max_msg_bytes
configurable(@bluele)CustomReactors
option.
Warning: beware of accidental name clashes. Here is the list of existing
reactors: MEMPOOL, BLOCKCHAIN, CONSENSUS, EVIDENCE, PEX.max_body_bytes
and max_header_bytes
configurable(@bluele)/broadcast_evidence
endpoint to submit double signing and other types of evidenceserver/socket_server.go
to allow socket cleanup (@ruseinov)July 15, 2019
Special thanks to external contributors on this release: @ParthDesai, @climber73, @jim380, @ashleyvega
This release contains a minor enhancement to the ABCI and some breaking changes to our libs folder, namely:
CheckTxType
enum that can be set to Recheck
to indicate to the application that this transaction was already checked/validated and certain expensive operations (like checking signatures) can be skippedlibs
pkgsFriendly reminder, we have a bug bounty program.
Go API
Application
interface now take structs as arguments (RequestCheckTx and RequestDeliverTx, respectively), instead of just the raw tx bytes. This allows more information to be passed to these methods, for instance, indicating whether a tx has already been checked.db/debugDB
and common/colors.go
& errors/errors.go
files (@marbar3778)common/heap.go
file (@marbar3778)date.go
, io.go
. Remove GoPath()
, Prompt()
and IsDirEmpty()
functions from os.go
(@marbar3778)FailRand()
func and minor clean up to fail.go
(@marbar3778)NewNode
to support functional options, allowing the Node to be more easily customized.CustomReactors
option to NewNode
allowing caller to pass
custom reactors to run inside Tendermint node (@ParthDesai)CheckTxType
, which can take values of CheckTxType_New
and CheckTxType_Recheck
, indicating whether this is a new tx being checked for the first time or whether this tx is being rechecked after a block commit. This allows applications to skip certain expensive operations, like signature checking, if they've already been done once. see docsJune 25, 2019
Special thanks to external contributors on this release: @needkane, @SebastianElvis, @andynog, @Yawning, @wooparadog
This release contains breaking changes to our build and release processes, ABCI, and the RPC, namely:
master
Github branchFriendly reminder, we have a bug bounty program.
CLI/RPC/Config
leveldb
as generic
option for db_backend
. Must be goleveldb
or cleveldb
./block_results
response (eg. results.DeliverTx
-> results.deliver_tx
). See docs for details.127.0.0.1
by default instead of 0.0.0.0
Apps
ResponseCheckTx
, ResponseDeliverTx
, ResponseBeginBlock
,
and ResponseEndBlock
now include Events
instead of Tags
. Each Event
contains a type
and a list of attributes
(list of key-value pairs)
allowing for inclusion of multiple distinct events in each response.Go API
Blockchain Protocol
P2P Protocol
persistent_kvstore
to use base64 for pubkeys instead of hex (@needkane)HTTPClient#Call
returns wrapped errors, so a caller could use errors.Cause
to retrieve an error code. (@wooparadog)nil
is recorded as node's addressTendermint 0.31 release series has reached End-Of-Life and is no longer supported.
April 6, 2020
This security release fixes:
Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3, 0.32.10, and 0.31.12 limit the total number of P2P incoming
connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)
.
Notes:
Tendermint 0.33.2 and earlier does not reclaim activeID
of a peer after it's
removed in Mempool
reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. RemovePeer
is therefore called before AddPeer
, which
leads to always growing memory (activeIDs
map). The activeIDs
map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
Service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3, 0.32.10, and 0.31.12 claim activeID
for a peer in InitPeer
,
which is executed before MConnection
is started.
Notes:
InitPeer
function was added to all reactors to combat a similar issue -
#3338;All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
Friendly reminder, we have a bug bounty program.
October 18, 2019
This security release fixes a vulnerability found in the consensus
package,
where an attacker could construct a BlockPartMessage
message in such a way
that it will lead to consensus failure. A few similar issues have been
identified and fixed here.
All clients are recommended to upgrade
Special thanks to elvishacker for finding and reporting this.
Friendly reminder, we have a bug bounty program.
WAL#Write
and WAL#WriteSync
to return an error if
they fail to write a messageOctober 8, 2019
The previous patch was insufficient because the attacker could still find a way
to submit a nil
pubkey by constructing a PubKeyMultisigThreshold
pubkey
with nil
subpubkeys for example.
This release provides multiple fixes, which include recovering from panics when
accepting new peers and only allowing ed25519
pubkeys.
All clients are recommended to upgrade
Special thanks to fudongbai for pointing this out.
Friendly reminder, we have a bug bounty program.
October 1, 2019
This release fixes a major security vulnerability found in the p2p
package.
All clients are recommended to upgrade. See
#4030 for details.
Special thanks to fudongbai for discovering and reporting this issue.
Friendly reminder, we have a bug bounty program.
nil
is recorded as node's addressJuly 29, 2019
This releases fixes one bug in the PEX reactor and adds a recover
to the Go's
ABCI server, which allows it to properly cleanup.
server/socket_server.go
to allow socket cleanup (@ruseinov)June 3, 2019
This releases fixes a regression in the mempool introduced in v0.31.6. The regression caused the invalid committed txs to be proposed in blocks over and over again.
May 31st, 2019
This release contains many fixes and improvements, primarily for p2p functionality. It also fixes a security issue in the mempool package.
With this release, Tendermint now supports boltdb, although in experimental mode. Feel free to try and report to us any findings/issues. Note also that the build tags for compiling CLevelDB have changed.
Special thanks to external contributors on this release: @guagualvcha, @james-ray, @gregdhill, @climber73, @yutianwu, @carlosflrs, @defunctzombie, @leoluk, @needkane, @CrocdileChan
PanicSanity
, PanicCrisis
,
PanicConsensus
and PanicQ
Mempool
now an interface that lives in the mempool package.
See issue and PR for more details.Reactor#InitPeer
method is added to Reactor
interfaceCommit#VoteSignBytes
signature was changednode.Mempool()
method, which allows you to access mempool--keep-addr-book
option to unsafe_reset_all
cmd to not
clear the address book (@climber73)--config=<path-to-config>
option to testnet
cmd (@gregdhill)--hostname-suffix
, --hostname
and --random-monikers
options to testnet
cmd for greater peer address/identity generation flexibility.AddSignatureFromPubKey
errorcleveldb
tag instead of gcc
to compile Tendermint with CLevelDB or
use make build_c
/ make install_c
(full instructions can be found at
https://docs.tendermint.com/master/introduction/install.html#compile-with-cleveldb-support)boltdb
tag to compile Tendermint with bolt dbpersistent_peers
list is invalid (except
when IP lookup fails)/dial_seeds
& /dial_peers
return errors if addresses are
incorrect (except when IP lookup fails)ResponseDeliverTx.Code == 0
)RemovePeer
is always called before InitPeer
(upon a peer
reconnecting to our node)April 16th, 2019
This release fixes a regression from v0.31.4 where, in existing chains that
were upgraded, /validators
could return an empty validator set. This is true
for almost all heights, given the validator set remains the same.
Special thanks to external contributors on this release: @brapse, @guagualvcha, @dongsam, @phucc
CMap
: slight optimization in Keys()
and Values()
(@phucc)LoadValidators
: do not return an empty validator setfast_sync
mode when under high pressureApril 12th, 2019
This release fixes a regression from v0.31.3 which used the peer's SocketAddr
to add the peer to
the address book. This swallowed the peer's self-reported port which is important in case of reconnect.
It brings back NetAddress()
to NodeInfo
and uses it instead of SocketAddr
for adding peers.
Additionally, it improves response time on the /validators
or /status
RPC endpoints.
As a side-effect it makes these RPC endpoint more difficult to DoS and fixes a performance degradation in ExecCommitBlock
.
Also, it contains an ADR that proposes decoupling the
responsibility for peer behaviour from the p2p.Switch
(by @brapse).
Special thanks to external contributors on this release: @brapse, @guagualvcha, @mydring
NetAddress()
to NodeInfo
and use it instead of peer's SocketAddr()
when adding a peer to the PEXReactor
(potential fix for #3532)/validators
or /status
RPC
endpoints. Before response time was growing linearly with height if no
changes were made to the validator set.ExecCommitBlock
where we call
LoadValidators
for each Evidence
in the block.April 1st, 2019
This release includes two security sensitive fixes: it ensures generated private keys are valid, and it prevents certain DNS lookups that would cause the node to panic if the lookup failed.
secp256k1.GenPrivKeySecp256k1
function has changed to guarantee that it returns a valid key, which means it
will return a different private key than in previous versions for the same secret.March 30th, 2019
This release fixes a regression from v0.31.1 where Tendermint panics under mempool load for external ABCI apps.
Special thanks to external contributors on this release: @guagualvcha
CLI/RPC/Config
Apps
Go API
Group.Search
, Group.FindLast
, GroupReader.ReadLine
, GroupReader.PushLine
, MakeSimpleSearchFunc
(@guagualvcha)Blockchain Protocol
P2P Protocol
March 27th, 2019
This release contains a major improvement for the mempool that reduce the amount of sent data by about 30% (see some numbers below). It also fixes a memory leak in the mempool and adds TLS support to the RPC server by providing a certificate and key in the config.
Special thanks to external contributors on this release: @brapse, @guagualvcha, @HaoyangLiu, @needkane, @TraceBundy
CLI/RPC/Config
Apps
Go API
Blockchain Protocol
P2P Protocol
rpc.tls_cert_file
and rpc.tls_key_file
are provided in the config (@guagualvcha)GetSelectionWithBias
for addressbook (@guagualvcha)broadcastTxRoutine
(@HaoyangLiu)March 16th, 2019
Special thanks to external contributors on this release: @danil-lashin, @guagualvcha, @siburu, @silasdavis, @srmo, @Stumble, @svenstaro
This release is primarily about the new pubsub implementation, dubbed pubsub 2.0
, and related changes,
like configurable limits on the number of active RPC subscriptions at a time (max_subscription_clients
).
Pubsub 2.0 is an improved version of the older pubsub that is non-blocking and has a nicer API.
Note the improved pubsub API also resulted in some improvements to the HTTPClient interface and the API for WebSocket subscriptions.
This release also adds a configurable limit to the mempool size (max_txs_bytes
, default 1GB)
and a configurable timeout for the /broadcast_tx_commit
endpoint.
See the v0.31.0 Milestone for more details.
Friendly reminder, we have a bug bounty program.
CLI/RPC/Config
consensus.blocktime_iota
parameterrpc.max_subscription_clients
rpc.max_subscriptions_per_client
.rpc.timeout_broadcast_tx_commit
in the config.EventsClient
interface to reflect new pubsub/eventBus API ADR-33. This includes Subscribe
, Unsubscribe
, and UnsubscribeAll
methods.Apps
Go API
Close()
Batch
to prevent memory leak when using ClevelDB. (@Stumble)StartHTTPServer
/ StartHTTPAndTLSServer
now require a Config (use rpcserver.DefaultConfig
)Blockchain Protocol
P2P Protocol
rpc.max_subscription_clients
sets the maximum number of unique clients
with open subscriptionsrpc.max_subscriptions_per_client
sets the maximum number of unique
subscriptions from a given clientrpc.timeout_broadcast_tx_commit
sets the time to wait for a tx to be committed during /broadcast_tx_commit
time_iota_ms
to block's consensus parameters (not exposed to the application)/unsubscribe_all
endpoint to unsubscribe from all eventsmempool.max_txs_bytes
configuration value. Set to 1GB by default. The mempool's current txs_total_bytes
is exposed via total_bytes
field in
/num_unconfirmed_txs
and /unconfirmed_txs
RPC endpoints.BlockPool
(@guagualvcha)testnet
command's panic when creating non-validator configs (using --n
flag) (@srmo)/validators
and /abci_query
proxy endpoints
(@guagualvcha)March 10th, 2019
This release fixes a CLevelDB memory leak. It was happening because we were not closing the WriteBatch object after use. See levigo's godoc for the Close method. Special thanks goes to @Stumble who both reported an issue in cosmos-sdk and provided a fix here.
February 20th, 2019
This release fixes a consensus halt and a DataCorruptionError after restart
discovered in game_of_stakes_6
. It also fixes a security issue in the p2p
handshake by authenticating the NetAddress.ID of the peer we're dialing.
/net_info#peers#remote_ip
format. New format spec:
show_validator
when the private validator file does not exist.February 8th, 2019
This release fixes yet another issue with the proposer selection algorithm. We hope it's the last one, but we won't be surprised if it's not. We plan to one day expose the selection algorithm more directly to the application (#3285), and even to support randomness (#763). For more, see issues marked proposer-selection.
This release also includes a fix to prevent Tendermint from including the same piece of evidence in more than one block. This issue was reported by @chengwenxi in our bug bounty program.
Apps
ResponseEndBlock.ValidatorUpdates
contains only one entry per pubkey.Go API
Add
and Update
methods from ValidatorSet
in favor of new
UpdateWithChangeSet
. This allows updates to be applied as a set, instead of
one at a time.Block Protocol
P2P Protocol
ResponseEndBlock.ValidatorUpdates
.btcec.S256().N
directly instead of hard coding a copy.ResponseEndBlock.ValidatorUpdates
.February 7th, 2019
Special thanks to external contributors on this release: @ackratos, @rickyyangz
Note: This release contains security sensitive patches in the p2p
and
crypto
packages:
btcd
and use the btcd/btcec
library directly for
native secp256k1 signing. Note we still modify the signature encoding to
prevent malleability.go-ethereum/crypto/secp256k1
package.January 24, 2019
Special thanks to external contributors on this release: @infinytum, @gauthamzz
This release contains two important fixes: one for p2p layer where we sometimes
were not closing connections and one for consensus layer where consensus with
no empty blocks (create_empty_blocks = false
) could halt.
Friendly reminder, we have a bug bounty program.
triggered_timeout_commit
in the /dump_consensus_state
January 21, 2019
Special thanks to external contributors on this release: @bradyjoestar, @kunaldhariwal, @gauthamzz, @hrharder
This release is primarily about making some breaking changes to the Block protocol version before Cosmos launch, and to fixing more issues in the proposer selection algorithm discovered on Cosmos testnets.
The Block protocol changes include using a standard Merkle tree format (RFC 6962), fixing some inconsistencies between field orders in Vote and Proposal structs, and constraining the hash of the ConsensusParams to include only a few fields.
The proposer selection algorithm saw significant progress, including a formal proof by @cwgoes for the base-case in Idris and a much more detailed specification (still in progress) by @ancazamfir.
Fixes to the proposer selection algorithm include normalizing the proposer priorities to mitigate the effects of large changes to the validator set. That said, we just discovered another bug, which will be fixed in the next breaking release.
While we are trying to stabilize the Block protocol to preserve compatibility with old chains, there may be some final changes yet to come before Cosmos launch as we continue to audit and test the software.
Friendly reminder, we have a bug bounty program.
CLI/RPC/Config
Apps
MaxInt64 / 8
. Apps must ensure they do not return changes to the validator
set that cause this maximum to be exceeded.Go API
Blockchain Protocol
P2P Protocol
2*TotalVotingPower
to mitigate unfair proposer selection
heavily preferring earlier joined validators in the case of an early bonded large validator unbondingper_page
is greater than the max 100.chain_id
label for all metricsbtcd
fork for rare signRFC6979 bugJanuary 18th, 2019
Special thanks to external contributors on this release: @HaoyangLiu
Friendly reminder, we have a bug bounty program.
January 16th, 2019
Special thanks to external contributors on this release: @fmauricios, @gianfelipe93, @husio, @needkane, @srmo, @yutianwu
This release is primarily about upgrades to the privval
system -
separating the priv_validator.json
into distinct config and data files, and
refactoring the socket validator to support reconnections.
Note: Please backup your existing priv_validator.json
before using this
version.
See UPGRADING.md for more details.
CLI/RPC/Config
--proxy_app=dummy
option. Use kvstore
(persistent_kvstore
) instead.--proxy_app=nilapp
to --proxy_app=noop
.allow_duplicate_ip
is now set to falsepriv_validator.json
into immutable (config/priv_validator_key.json
) and mutable (data/priv_validator_state.json
) parts (@yutianwu)PubKeyMsg
into PubKeyRequest
and PubKeyResponse
to be consistent with other message typesApps
Go API
PrivValidator.GetAddress()
Blockchain Protocol
P2P Protocol
/net_info
Version
field in build scripts (@husio)PubKeyMultisigThreshold
unmarshaling into crypto.PubKey
interface/tx_search
when results are empty
(@gianfelipe93)December 21st, 2018
December 16th, 2018
bcrypt.GenerateFromPassword
December 16th, 2018
December 15th, 2018
Special thanks to external contributors on this release: @danil-lashin, @hleb-albau, @james-ray, @leo-xinwang
UnconfirmedTxs(limit)
and NumUnconfirmedTxs()
methods to HTTP/Local clients (@danil-lashin)testnet
command always sets addr_book_strict = false
notifyTxsAvailable
if there're txs left after committing a block, but recheck=falseDecember 5th, 2018
Special thanks to external contributors on this release: @danil-lashin, @srmo
Special thanks to @dlguddus for discovering a major issue in the proposer selection algorithm.
Friendly reminder, we have a bug bounty program.
This release is primarily about fixes to the proposer selection algorithm
in preparation for the Cosmos Game of
Stakes.
It also makes use of the ConsensusParams.Validator.PubKeyTypes
to restrict the
key types that can be used by validators, and removes the Heartbeat
consensus
message.
CLI/RPC/Config
accum
to proposer_priority
Go API
Blockchain Protocol
P2P Protocol
module=pex
/net_info
and the prometheus
metrics/broadcast_tx_commit
: Fix "interface conversion: interface {} in nil, not EventDataTx" panic (could happen if somebody sent a tx using /broadcast_tx_commit
while Tendermint was being stopped)-1.125*totalVotingPower
instead of 0, forcing them to wait before becoming the proposer. Also:
November 27th, 2018
Special thanks to external contributors on this release: @ackratos, @goolAdapter, @james-ray, @joe-bowman, @kostko, @nagarajmanjunath, @tomtau
Friendly reminder, we have a bug bounty program.
BeginBlock
/EndBlock
(@kostko)ResultBeginBlock
and ResultEndBlock
fields to EventDataNewBlock
and EventDataNewBlockHeader
to support subscriptions (@kostko)blocktime_iota
to the config.toml (@ackratos)
module=main
setting overriding all others
log_level="info"
to restore the previous behaviour.accum
field in /validators
by calling IncrementAccum
if necessaryNovember 17th, 2018
Special thanks to external contributors on this release: @danil-lashin, @kevlubkcm, @krhubert, @srmo
Friendly reminder, we have a bug bounty program.
StartHTTPServer
, StartHTTPAndTLSServer
, and StartGRPCServer
net.Listener
instead of an addressNewRound
and CompleteProposal
return new types EventDataNewRound
and
EventDataCompleteProposal
, respectively, instead of the generic EventDataRoundState
. (@kevlubkcm)log_format
config option, which can be set to 'plain' for colored
text or 'json' for JSON outputNovember 15th, 2018
Special thanks to external contributors on this release: @hleb-albau, @zhuzeyu
Friendly reminder, we have a bug bounty program.
/broadcast_tx_commit
November 11, 2018
Special thanks to external contributors on this release: @katakonst
Friendly reminder, we have a bug bounty program.
wal_dir
being emptypeer-id
label name to peer_id
in prometheus metricsNovember 2, 2018
Special thanks to external contributors on this release: @bradyjoestar, @connorwstein, @goolAdapter, @HaoyangLiu, @james-ray, @overbool, @phymbert, @Slamper, @Uzair1995, @yutianwu.
Special thanks to @Slamper for a series of bug reports in our bug bounty program which are fixed in this release.
This release is primarily about adding Version fields to various data structures, optimizing consensus messages for signing and verification in restricted environments (like HSMs and the Ethereum Virtual Machine), and aligning the consensus code with the specification. It also includes our first take at a generalized merkle proof system, and changes the length of hashes used for hashing data structures from 20 to 32 bytes.
See the UPGRADING.md for details on upgrading to the new version.
Please note that we are still making breaking changes to the protocols. While the new Version fields should help us to keep the software backwards compatible even while upgrading the protocols, we cannot guarantee that new releases will be compatible with old chains just yet. We expect there will be another breaking release or two before the Cosmos Hub launch, but we will otherwise be paying increasing attention to backwards compatibility. Thanks for bearing with us!
CLI/RPC/Config
mempool.wal
is disabled by defaultSocketPVMsg
s implementations into Request and Response, where the Response may contain a error message (returned by the remote signer)/abci_query
takes prove
argument instead of trusted
and switches the default
behaviour to prove=false
node_info.other.*_version
fields in /status
and
/net_info
_params
suffix from fields in consensus_params
.Apps
ResponseInfo
fields to make room for
AppVersion
Params
suffix from field namesParams
suffix to message typesValidator ValidatorParams
, to control what types of validator keys are allowed.Go API
ABCIQueryOptions.Trusted
-> ABCIQueryOptions.Prove
Index
and Total
fields from TxProof
.VoteTypeXxx
are now of type SignedMsgType byte
and named XxxType
, eg.
PrevoteType
, PrecommitType
.Params
suffixesBlockchain Protocol
Vote
/Proposal
/Heartbeat
:
Vote
as in the SignBytesvarint
encoding for ints that are usually unsigned (instead of zigzag encoding).P2P Protocol
CommitStepMessage
with NewValidBlockMessage
Proposal
message to align with specType
field to Proposal
and use same order of fields as in the
SignBytes for both Proposal
and Vote
ProtocolVersion
struct with protocol versions to top of
DefaultNodeInfo and require ProtocolVersion.Block
to match during peer handshakeCodespace
field to Response{CheckTx, DeliverTx, Query}
BlockVersion
and P2PVersion
to RequestInfo
golang.org/x/crypto
through our fork at
github.com/tendermint/cryptoBitArray.Or
methodBitArray.Sub
method (@james-ray)BitArray.PickRandom
to choose uniformly from true bitsSeptember 22, 2018
Special thanks to external contributors on this release: @scriptionist, @bradyjoestar, @WALL-E
This release is mostly about the ConsensusParams - removing fields and enforcing MaxGas.
It also addresses some issues found via security audit, removes various unused
functions from libs/common
, and implements
ADR-012.
Friendly reminder, we have a bug bounty program.
BREAKING CHANGES:
CLI/RPC/Config
Apps
ResponseCheckTx.GasWanted
and
ConsensusParams.BlockSize.MaxGas
and enforces:
GasWanted <= MaxGas
for every tx(sum of GasWanted in block) <= MaxGas
for block proposalGo API
FEATURES:
/consensus_params?height=X
endpoint to query the consensus
params at any height (@scriptonist)consensus.block_interval_metrics
is now gauge, not histogram (you will be able to see spikes, if any)autofile
or db/fsdb
permissions change from 0600.IMPROVEMENTS:
db_backend
is not initialized (@bradyjoestar)BUG FIXES:
September 6th, 2018
Special thanks to external contributors with PRs included in this release: ackratos, james-ray, bradyjoestar, peerlink, Ahmah2009, bluele, b00f.
This release includes breaking upgrades in the block header, including the long awaited changes for delaying validator set updates by one block to better support light clients. It also fixes enforcement on the maximum size of blocks, and includes a BFT timestamp in each block that can be safely used by applications. There are also some minor breaking changes to the rpc, config, and ABCI.
See the UPGRADING.md for details on upgrading to the new version.
From here on, breaking changes will be broken down to better reflect how users are affected by a change.
A few more breaking changes are in the works - each will come with a clear Architecture Decision Record (ADR) explaining the change. You can review ADRs here or in the open Pull Requests. You can also check in on the issues marked as breaking.
BREAKING CHANGES:
CLI/RPC/Config
Apps
Validator
(see
ADR-018):
Validator
(so it's just Address and Power)ValidatorUpdate
(with just PubKey and Power)Go API
*p2p.NodeKey
(@bradyjoestar)Blockchain Protocol
r || s
, both little endian encoded as 32 bytes.s
to be in canonical form.P2P Protocol
FEATURES:
ValidatorSetUpdates
for when the validator set changesIMPROVEMENTS:
write-good
and stop-words
.BUG FIXES:
db_path
with db_dir
from automatically generated configuration files.tx.height
(@ackratos)/dial_peers
does not try to dial existing peersAugust 22nd, 2018
BUG FIXES:
August 5th, 2018
This release includes breaking upgrades in our P2P encryption, some ABCI messages, and how we encode time and signatures.
A few more changes are still coming to the Header, ABCI, and validator set handling to better support light clients, BFT time, and upgrades. Most notably, validator set changes will be delayed by one block (see #1815).
We also removed make ensure_deps
in favour of make get_vendor_deps
.
BREAKING CHANGES:
type
field in Amino JSON. They're just bytes.make ensure_deps
in favor of make get_vendor_deps
FEATURES:
make check_dep
IMPROVEMENTS:
BUG FIXES:
July 26th, 2018
BUG FIXES
July 26th, 2018
BUG FIXES
July 24th, 2018
BUG FIXES
/blockchain
endpoint
/abci_query
July 23th, 2018
BREAKING CHANGES:
tendermint/crypto
into many subpackagesIMPROVEMENTS:
BUG FIXES:
create_empty_blocks=false
where a
transaction is published at an old height.persistent_peers
, not internal NAT IP/status
RPC endpoint resistant to consensus haltJuly 14th, 2018
BREAKING CHANGES:
app_options
field.FEATURES:
BUG FIXES:
July 10th, 2018
IMPROVEMENTS
July 10th, 2018
IMPROVEMENTS
ecosystem.json
and tendermint-bft.md
from deprecated aib-data
repository.instrumentation.max_open_connections
, which limits the number
of requests in flight to Prometheus server (if enabled). Default: 3.BUG FIXES
July 5th, 2018
IMPROVEMENTS
BUG FIXES
July 2nd, 2018
BREAKING CHANGES:
max_block_size_txs
and max_block_size_bytes
in favor of
consensus params from the genesis file.skip_upnp
to upnp
, and turn it off by default.max_packet_msg_size
back to max_packet_msg_payload_size
syncing
is now called catching_up
crypto
tmlibs/merkle
-> crypto/merkle
. Uses SHA256 instead of RIPEMD160libs
merkle
package (moved to crypto/merkle
)FEATURES
/metrics
using a Prometheus client;
disabled by default). See the new instrumentation
section in the config and
metrics
guide.external_address
to config to allow specifying the address for
peers to dialIMPROVEMENT
BUG FIXES:
rpc.max_open_connections
) and gRPC connections
(rpc.grpc_max_open_connections
). Check out "Running In Production" guide if
you want to increase them.create_empty_blocks=false
June 21th, 2018
BREAKING CHANGES
unsafe_reset_all
removes the addrbook.jsonIMPROVEMENT
BUG FIXES
fast_sync
when create_empty_blocks=false
cache_size=0
/subscribe
method)June 6th, 2018
This is the first in a series of breaking releases coming to Tendermint after soliciting developer feedback and conducting security audits.
This release does not break any blockchain data structures or protocols other than the ABCI messages between Tendermint and the application.
Applications that upgrade for ABCI v0.11.0 should be able to continue running Tendermint v0.20.0 on blockchains created with v0.19.X
BREAKING CHANGES
p2p/filter/pubkey/<id>
to p2p/filter/id/<id>
June 5th, 2018
BREAKING CHANGES
privval
packageFEATURES
BUG FIXES
per_page=0
June 4th, 2018
BREAKING:
auth_enc
config option, peer connections are always auth
encrypted. Technically a breaking change but seems no one was using it and
arguably a bug fix :)BUG FIXES
skip_timeout_commit=true
and
create_empty_blocks=false
May 31st, 2018
BREAKING:
FEATURES
IMPROVEMENTS:
May 29th, 2018
BUG FIXES
BUG FIX:
May 20th, 2018
BREAKING CHANGES
FEATURES
/tx_search
takes page
(starts at 1) and per_page
(max 100, default 30) args to paginate results/unconfirmed_txs
takes limit
(max 100, default 30) arg to limit the outputmempool.size
and mempool.cache_size
optionsIMPROVEMENTS
BUG FIXES
IMPROVEMENTS
docs/spec
(TODO cleanup the rest of the docs ...)BUG FIXES
FEATURES
/consensus_state
returns just the votes seen at the current heightIMPROVEMENTS
/dump_consensus_state
/dump_consensus_state
BUG FIXES
tendermint init
FEATURES:
/net_info
includes n_peers
IMPROVEMENTS:
BUG FIXES:
Note this release includes some small breaking changes in the RPC and one in the config that are really bug fixes. v0.19.1 will work with existing chains, and make Tendermint easier to use and debug. With <3
BREAKING (MINOR)
wal_light
setting. If you really needed this, let us knowFEATURES:
gen_node_key
commandBUG FIXES
Some of these are breaking in the RPC response, but they're really bugs!
/dump_consensus_state
/status
prove
in ABCIQueryBREAKING:
testnet
command; now it can fill in persistent_peers
for you in the config file and much more (see tendermint testnet --help
for details)show_node_id
now returns an error if there is no node key/status
endpoint (see https://godoc.org/github.com/tendermint/tendermint/rpc/core#Status)Upgrade from go-wire to go-amino. This is a sweeping change that breaks everything that is serialized to disk or over the network.
See github.com/tendermint/go-amino for details on the new format.
See scripts/wire2amino.go
for a tool to upgrade
genesis/priv_validator/node_key JSON files.
FEATURES
BREAKING:
FEATURES:
/status
/tx
and /tx_search
responses now include the transaction hash/net_info
IMPROVEMENTS:
persistent_peers
)/tx_search
results are sorted by heightBUG FIXES:
BUG FIXES:
app_state
in genesis as AppStateJSON
BREAKING:
IMPROVEMENTS:
dummy
(persistent_dummy
) to kvstore
(persistent_kvstore
) (name "dummy" is deprecated and will not work in the next breaking release)app_options
field is deprecated. please rename it to app_state
in your genesis file(s). app_options
will not work in the next breaking releaseauth_enc
is true, all dialed peers must have a node ID in their addressFEATURES:
auth_enc
flag to enable/disable encryption--p2p.private_peer_ids
flag and PrivatePeerIDs
config variable (see config for description)/health
endpoint, which returns empty result for nowBUG FIXES:
BREAKING CHANGES:
--p2p.seeds
is now --p2p.persistent_peers
(persistent peers to which TM will always connect to)--p2p.seeds
only used for getting addresses (if addrbook is empty; not persistent)FEATURES:
/dial_peers&persistent=_
unsafe endpoint$THMHOME/config/node_key.json
ID@IP:PORT
--p2p.seed_mode
)IMPROVEMENT:
pex
and conn
BUG FIX:
BREAKING CHANGES:
FEATURES:
/block_results?height=X
returns the DeliverTx results for a given height.IMPROVEMENTS:
BUG FIXES:
tcp://
tendermint init
to ignore files that are there and generate files that aren't.BREAKING CHANGES:
FEATURES:
tendermint lite
command (and lite/proxy
pkg) for running a light-client RPC proxy.
NOTE it is currently insecure and its APIs are not yet covered by semverIMPROVEMENTS:
BUG FIXES:
BREAKING CHANGES:
int64
everywhere/subscribe
and /unsubscribe
take query
arg instead of event
/status
returns the LatestBlockTime in human readable form instead of in nanosecondsFEATURES:
/unsubscribe_all
WebSocket RPC endpoint/tx_search
endpoint for filtering transactions by more complex queriesIMPROVEMENTS:
tmlibs/pubsub
BUG FIXES:
BUG FIXES:
BREAKING CHANGES:
prove
FEATURES:
Verifiers
pkg contains the tendermint light-client library (name subject to change)!/genesis
includes the app_options
./abci_query
takes an additional height
parameter to support historical queries.trusted
(set false to get a proof) and height
to query a historical height.IMPROVEMENTS:
/genesis
result includes app_options
RPCError
satisfies the error
interface.BUG FIXES:
IMPROVEMENTS:
BUG FIXES:
/dump_consensus_state
to have normal json output (NOTE: technically breaking, but worth a bug fix label)BREAKING:
genesis file: validator amount
is now power
abci: Info, BeginBlock, InitChain all take structs
rpc: various changes to match JSONRPC spec (http://www.jsonrpc.org/specification), including breaking ones:
rpctypes.RPCResponse
uses new RPCError
type instead of string
.cmd: if there is no genesis, exit immediately instead of waiting around for one to show.
types: Signer.Sign
returns an error.
state: every validator set change is persisted to disk, which required some changes to the State
structure.
p2p: new p2p.Peer
interface used for all reactor methods (instead of *p2p.Peer
struct).
FEATURES:
/validators?height=X
allows querying of validators at previous heights.height
param empty for /block
, /validators
, and /commit
will return the value for the latest height.IMPROVEMENTS:
.rst
, and cleaned up for presentation on tendermint.readthedocs.io
BUG FIXES:
IMPROVEMENTS:
BUG FIXES:
FEATURES:
--consensus.create_empty_blocks
; when set to false, blocks are only created when there are txs or when the AppHash changes.consensus.create_empty_blocks_interval
; an empty block is created after this many seconds.create_empty_blocks = true
and create_empty_blocks_interval = 0
, so blocks are being created all the time (as in all previous versions of tendermint). The number of empty blocks can be reduced by increasing create_empty_blocks_interval
or by setting create_empty_blocks = false
.TxsAvailable()
method added to Mempool that returns a channel which fires when txs are available.syncing
field to response returned by /status
. Is true
while in fast-sync mode.IMPROVEMENTS:
BUG FIXES:
FEATURES:
IMPROVEMENTS:
FEATURES:
--trace
to get stack traces for logged errorsIMPROVEMENTS:
megacheck
tooltcp://
. http://
is also accepted as an alias for tcp://
BUG FIXES:
Includes major updates to configuration, logging, and json serialization. Also includes the Grand Repo-Merge of 2017.
BREAKING CHANGES:
Config and Flags:
config
map is replaced with a Config
struct,
containing substructs: BaseConfig
, P2PConfig
, MempoolConfig
, ConsensusConfig
, RPCConfig
--seeds
is now --p2p.seeds
--node_laddr
is now --p2p.laddr
--pex
is now --p2p.pex
--skip_upnp
is now --p2p.skip_upnp
--rpc_laddr
is now --rpc.laddr
--grpc_laddr
is now --rpc.grpc_laddr
config.toml
, for instance:
[p2p]
laddr="tcp://1.2.3.4:46656"
[consensus]
timeout_propose=1000
DefaultConfig() / TestConfig()
functions to handle defaults, and remove config/tendermint
and config/tendermint_test
Logger
log15
logger with a simple interface, and provide a new implementation using go-kit
.
See our new logging library and blog post for more detailswarn
and notice
are removed (you may need to change them in your config.toml
!)JSON serialization:
[TypeByte, Xxx]
with {"type": "some-type", "data": Xxx}
in RPC and all .json
files by using go-wire/data
. For instance, a public key is now:
"pub_key": {
"type": "ed25519",
"data": "83DDF8775937A4A12A2704269E2729FCFCD491B933C4B0A7FFE37FE41D7760D0"
}
[TypeByte, {"jsonrpc": "2.0", ... }]
is now just {"jsonrpc": "2.0", ... }
[]byte
to data.Bytes
in all serialized types (for hex encoding)ValidatorSet
fieldsEventDataInner
for serializing eventsOther:
appBlockHeight == 0
Accum
field when computing the validator hash. This makes the ValidatorSetHash unique for a given validator set, rather than changing with every block (as the Accum changes)/dial_seeds
, and all calls prefixed with unsafe
. Use the --rpc.unsafe
flag to enable.FEATURES:
state:info,*:error
, which means the state
package logs at info
level, and everything else logs at error
leveladdress
and pub_key
fields in priv_validator.json
and overwrite them with the values derrived from the priv_key
IMPROVEMENTS:
tendermint/go-p2p -> tendermint/tendermint/p2p
and tendermint/go-rpc -> tendermint/tendermint/rpc/lib
go-common -> tmlibs/common
go-data -> go-wire/data
go-
libs, except go-crypto
and go-wire
, are merged under tmlibs
/blockchain_info
call to return a maximum of 20 blocks.Wrap()
and .Unwrap()
instead of eg. PubKeyS
for go-crypto
typesjson.MarshalIndent
)cmd/tendermint/commands
and do not read config from file for testsBUG FIXES:
ResetPrivValidator
where we were using the global config and log (causing external consumers, eg. basecoin, to fail).FEATURES:
/tx?hash=X
endpoint to query for transactions and their DeliverTx result by hash. Optionally returns a proof of the tx's inclusion in the blocktendermint testnet
command initializes files for a testnetIMPROVEMENTS:
/broadcast_tx_XXX
also returns the Hash (can be used to query for the tx)/broadcast_tx_commit
also returns the height the block was committed in--seeds
, under seeds
in the config, or in /dial_seeds
are now persistent, and will be reconnected to if the connection breaksBUG FIXES:
BREAKING CHANGES:
Query(RequestQuery) ResponseQuery
, enabling precise proofs at particular heights:message RequestQuery{
bytes data = 1;
string path = 2;
uint64 height = 3;
bool prove = 4;
}
message ResponseQuery{
CodeType code = 1;
int64 index = 2;
bytes key = 3;
bytes value = 4;
bytes proof = 5;
uint64 height = 6;
string log = 7;
}
BlockMeta
data type unifies its Hash and PartSetHash under a BlockID
:type BlockMeta struct {
BlockID BlockID `json:"block_id"` // the block hash and partsethash
Header *Header `json:"header"` // The block's Header
}
ValidatorSet.Proposer
is exposed as a field and persisted with the State
. Use GetProposer()
to initialize or update after validator-set changes.
tendermint gen_validator
command output is now pure JSON
FEATURES:
/commit?height=X
returns header and commit for block at height X
IMPROVEMENTS:
Node
is now a BaseService
CONTRIBUTING.md
, Github ISSUE_TEMPLATE
, CHANGELOG.md
BUG FIXES:
/dial_seeds
with invalid addressesaccumComparable
ValidatorSet.Proposer
across restarts by persisting it in the State
BREAKING CHANGES:
BlockID
to represent blocks:type BlockID struct {
Hash []byte `json:"hash"`
PartsHeader PartSetHeader `json:"parts"`
}
Vote
data type now includes validator address and index:type Vote struct {
ValidatorAddress []byte `json:"validator_address"`
ValidatorIndex int `json:"validator_index"`
Height int `json:"height"`
Round int `json:"round"`
Type byte `json:"type"`
BlockID BlockID `json:"block_id"` // zero if vote is nil.
Signature crypto.Signature `json:"signature"`
}
FEATURES:
Maj23Msg
, for peers to alert others they've seen a Maj23,
in order to track and handle conflicting votes intelligently to prevent Byzantine faults from causing halts:type VoteSetMaj23Message struct {
Height int
Round int
Type byte
BlockID types.BlockID
}
IMPROVEMENTS:
BUG FIXES:
Maj23Msg
.FEATURES:
--pex
flag for more resilient gossip network (feature still in development, beware dragons)IMPROVEMENTS:
/dial_seeds
to enable manual network configurationIMPROVEMENTS:
BUG FIXES:
BUG FIXES:
FEATURES:
tmsp_query
tmsp_info
IMPROVEMENTS:
BUG FIXES:
priv_validator.json
for recoveryBREAKING CHANGES:
FEATURES:
cswal_light
; logs only the validator's own votes/broadcast_tx_commit
, returns when tx is included in a block, else an error/unsafe_flush_mempool
, empties the mempoolIMPROVEMENTS:
BUG FIXES:
Strict versioning only began with the release of v0.7.0, in late summer 2016. The project itself began in early summer 2014 and was workable decentralized cryptocurrency software by the end of that year. Through the course of 2015, in collaboration with Eris Industries (now Monax Industries), many additional features were integrated, including an implementation from scratch of the Ethereum Virtual Machine. That implementation now forms the heart of Burrow. In the later half of 2015, the consensus algorithm was upgraded with a more asynchronous design and a more deterministic and robust implementation.
By late 2015, frustration with the difficulty of forking a large monolithic stack to create alternative cryptocurrency designs led to the invention of the Application Blockchain Interface (ABCI), then called the Tendermint Socket Protocol (TMSP). The Ethereum Virtual Machine and various other transaction features were removed, and Tendermint was whittled down to a core consensus engine driving an application running in another process. The ABCI interface and implementation were iterated on and improved over the course of 2016, until versioned history kicked in with v0.7.0.