Friendly reminder, we have a bug bounty program.
Feb 4, 2023
This is a very minor release for anyone who ends up struggling to update to
v0.34.25 due to the github.com/btcsuite/btcd/btcec/v2
dependency update in
Tendermint Core: Tendermint Core v0.34.25 implicitly depends on tm-load-test
v1.0.0, which implicitly depends on Tendermint Core v0.34.14, which implicitly
depends on a pre-modularized version of github.com/btcsuite/btcd/btcec
.
This type of error sometimes shows up when attempting to import Tendermint Core as a Go dependency, with error messages like:
no required module provides package github.com/btcsuite/btcd/btcec; to add it:
go get github.com/btcsuite/btcd/btcec
This could also be a sign that your project, or one of your dependencies, depends on an older version of btcd and need to upgrade.
- informalsystems/tendermint#11 Bump tm-load-test to v1.3.0 to remove implicit dependency on Tendermint Core, which can sometimes cause problems for folks importing the Informal Systems fork as a library
Feb 3, 2023
This is primarily a security patch from the Informal Systems team's public fork
of Tendermint Core, but additionally includes some minor improvements that were
not yet released on the v0.34.x
branch.
Special thanks to @jhernandezb and the Notional team for picking up on this issue!
[consensus]
informalsystems/tendermint#4 Fixed a busy loop that happened when sending of a block part failed by sleeping in case of error (@jhernandezb and @sergio-mena)
[crypto]
#9250 Update to use btcec v2 and the latest btcutil. (@wcsiu)[metrics]
#9733 Add metrics for timing the consensus steps and for the progress of block gossip. (@williambanfield)
Nov 21, 2022
Apart from one minor bug fix, this release aims to optimize the output of the RPC (both HTTP and WebSocket endpoints). See our upgrading guidelines for more details.
[rpc]
#9724 Remove useless whitespace in RPC output (@adizere, @thanethomson)
[rpc]
#9692 RemoveCache-Control
header response from/check_tx
endpoint (@JayT106)
Nov 9, 2022
This release introduces some new Prometheus metrics to help in determining what kinds of messages are consuming the most P2P bandwidth. This builds towards our broader goal of optimizing Tendermint bandwidth consumption, and will give us meaningful insights once we can establish these metrics for a number of chains.
We now also return Cache-Control
headers for select RPC endpoints to help
facilitate caching.
Special thanks to external contributors on this release: @JayT106
-
[p2p]
#9641 Add new Envelope type and associated methods for sending and receiving Envelopes instead of raw bytes. This also adds new metrics,tendermint_p2p_message_send_bytes_total
andtendermint_p2p_message_receive_bytes_total
, that expose how many bytes of each message type have been sent. -
[rpc]
#9666 Enable caching of RPC responses (@JayT106)The following RPC endpoints will return
Cache-Control
headers with a maximum age of 1 day:/abci_info
/block
, ifheight
is supplied/block_by_hash
/block_results
, ifheight
is supplied/blockchain
/check_tx
/commit
, ifheight
is supplied/consensus_params
, ifheight
is supplied/genesis
/genesis_chunked
/tx
/validators
, ifheight
is supplied
This release includes several bug fixes, one of which we discovered while building up a baseline for v0.34 against which to compare our upcoming v0.37 release during our QA process.
Special thanks to external contributors on this release: @RiccardoM
- [rpc] #9423 Support HTTPS URLs from the WebSocket client (@RiccardoM, @cmwaters)
- [config] #9483
Calling
tendermint init
would incorrectly leave out the new[storage]
section delimiter in the generated configuration file - this has now been fixed - [p2p] #9500 Prevent peers who have errored being added to the peer set (@jmalicevic)
- [indexer] #9473 Fix bug that caused the psql indexer to index empty blocks whenever one of the transactions returned a non zero code. The relevant deduplication logic has been moved within the kv indexer only (@cmwaters)
- [blocksync] #9518 A block sync stall was observed during our QA process whereby the node was unable to make progress. Retrying block requests after a timeout fixes this.
Release highlights include:
- A new
[storage]
configuration section and flagdiscard_abci_responses
, which, if enabled, discards all ABCI responses except the latest one in order to reduce disk space usage in the state store. When enabled, theblock_results
RPC endpoint can no longer function and will return an error. - A new CLI command,
reindex-event
, to re-index block and tx events to the event sinks. You can run this command when the event store backend dropped/disconnected or you want to replace the backend. Whendiscard_abci_responses
is enabled, you will not be able to use this command.
Special thanks to external contributors on this release: @rootwarp & @animart
- [cli] #9083 Backport command to reindex missed events (@cmwaters)
- [cli] #9107 Add the
p2p.external-address
argument to set the node P2P external address (@amimart)
- [config] #9054
discard_abci_responses
flag added to discard all ABCI responses except the last in order to save on storage space in the state store (@samricotta)
- [mempool] #9033 Rework lock discipline to mitigate callback deadlocks in the priority mempool
- [cli] #9103 fix unsafe-reset-all for working with home path (@rootwarp)
Special thanks to external contributors on this release: @joeabbey @yihuang
This release introduces a prioritized mempool. Further notes can be found in UPGRADING.md.
NOTE: There's a known issue when combining the prioritized mempool with the ABCI socket client, that the team are curently working to resolve. Read more about the issue here.
- [blocksync] #8496 validate block against state before persisting it to disk (@cmwaters)
- [indexer] #8625 Fix overriding tx index of duplicated txs. (@yihuang)
- [mempool] #8962 Backport priority mempool fixes from v0.35.x to v0.34.x (@creachadair).
- [cli] [#8674] Add command to force compact goleveldb databases (@cmwaters)
- [mempool] [#8695] Port back the priority mempool. (@alexanderbez, @jmalicevic, @cmwaters)
- [logging] #8845 Add "Lazy" Stringers to defer Sprintf and Hash until logs print. (@joeabbey)
- [cli] #8270 fix reset commands (@alexanderbez).
- CLI/RPC/Config
- [cli] #8258 Fix a bug in the cli that caused
unsafe-reset-all
to panic
- [cli] #8258 Fix a bug in the cli that caused
-
CLI/RPC/Config
- [cli] #8081 make the reset command safe to use (@marbar3778).
- [consensus] #8079 start the timeout ticker before relay (backport #7844) (@creachadair).
- [consensus] #7992 #7994 change lock handling in handleMsg and reactor to alleviate issues gossiping during long ABCI calls (@williambanfield).
Special thanks to external contributors on this release: @yihuang
- [consensus] #7617 calculate prevote message delay metric (backport #7551) (@williambanfield).
- [consensus] #7631 check proposal non-nil in prevote message delay metric (backport #7625) (@williambanfield).
- [statesync] #7885 statesync: assert app version matches (backport #7856) (@cmwaters).
- [statesync] #7881 fix app hash in state rollback (backport #7837) (@cmwaters).
- [cli] #7837 fix app hash in state rollback. (@yihuang).
Special thanks to external contributors on this release: @thanethomson
- #7368 cmd: add integration test for rollback functionality (@cmwaters).
- #7309 pubsub: Report a non-nil error when shutting down (fixes #7306).
- #7057 Import Postgres driver support for the psql indexer (@creachadair).
- #7106 Revert mutex change to ABCI Clients (@tychoish).
- [config] #7230 rpc: Add experimental config params to allow for subscription buffer size control (@thanethomson).
This release backports the rollback
feature to allow recovery in the event of an incorrect app hash.
- #6982 The tendermint binary now has built-in suppport for running the end-to-end test application (with state sync support) (@cmwaters).
- [cli] #7033 Add a
rollback
command to rollback to the previous tendermint state. This may be useful in the event of non-determinstic app hash or when reverting an upgrade. @cmwaters
- #7103 Remove IAVL dependency (backport of #6550) (@cmwaters)
- #7057 Import Postgres driver support for the psql indexer (@creachadair).
- [ABCI] #7110 Revert "change client to use multi-reader mutexes (#6873)" (@tychoish).
This release backports improvements to state synchronization and ABCI performance under concurrent load, and the PostgreSQL event indexer.
- [statesync] #6881 improvements to stateprovider logic (@cmwaters)
- [ABCI] #6873 change client to use multi-reader mutexes (@tychoish)
- [indexing] #6906 enable the PostgreSQL indexer sink (@creachadair)
Special thanks to external contributors on this release: @JayT106.
- [rpc] #6717 introduce
/genesis_chunked
rpc endpoint for handling large genesis files by chunking them (@tychoish)
- [rpc] #6825 Remove egregious INFO log from
ABCI#Query
RPC. (@alexanderbez)
- [light] #6685 fix bug with incorrectly handling contexts that would occasionally freeze state sync. (@cmwaters)
- [privval] #6748 Fix vote timestamp to prevent chain halt (@JayT106)
June 18, 2021
This release improves the robustness of statesync; tweaking channel priorities and timeouts and adding two new parameters to the state sync config.
- Apps
- [Version] #6494
TMCoreSemVer
is not required to be set as a ldflag any longer.
- [Version] #6494
- [statesync] #6566 Allow state sync fetchers and request timeout to be configurable. (@alexanderbez)
- [statesync] #6378 Retry requests for snapshots and add a minimum discovery time (5s) for new snapshots. (@tychoish)
- [statesync] #6582 Increase chunk priority and add multiple retry chunk requests (@cmwaters)
- [evidence] #6375 Fix bug with inconsistent LightClientAttackEvidence hashing (@cmwaters)
April 14, 2021
This release fixes a bug where peers would sometimes try to send messages on incorrect channels. Special thanks to our friends at Oasis Labs for surfacing this issue!
- [p2p/node] #6339 Fix bug with using custom channels (@cmwaters)
- [light] #6346 Correctly handle too high errors to improve client robustness (@cmwaters)
April 8, 2021
This release fixes a moderate severity security issue, Security Advisory Alderfly, which impacts all networks that rely on Tendermint light clients. Further details will be released once networks have upgraded.
This release also includes a small Go API-breaking change, to reduce panics in the RPC layer.
Special thanks to our external contributors on this release: @gchaincl
- Go API
- [rpc/jsonrpc/server] #6204 Modify
WriteRPCResponseHTTP(Error)
to return an error (@melekes)
- [rpc/jsonrpc/server] #6204 Modify
- [rpc] #6226 Index block events and expose a new RPC method,
/block_search
, to allow querying for blocks byBeginBlock
andEndBlock
events (@alexanderbez)
- [rpc/jsonrpc/server] #6191 Correctly unmarshal
RPCRequest
when data isnull
(@melekes) - [p2p] #6289 Fix "unknown channels" bug on CustomReactors (@gchaincl)
- [light/evidence] Adds logic to handle forward lunatic attacks (@cmwaters)
February 25, 2021
This release, in conjunction with a fix in the Cosmos SDK, introduces changes that should mean the logs are much, much quieter. 🎉
- [libs/log] #6174 Include timestamp (
ts
field;time.RFC3339Nano
format) in JSON logger output (@melekes)
- [abci] #6124 Fixes a panic condition during callback execution in
ReCheckTx
during high tx load. (@alexanderbez)
February 18, 2021
This release fixes a downstream security issue which impacts Cosmos SDK users who are:
- Using Cosmos SDK v0.40.0 or later, AND
- Running validator nodes, AND
- Using the file-based
FilePV
implementation for their consensus keys
Users who fulfill all the above criteria were susceptible to leaking private key material in the logs. All other users are unaffected.
The root cause was a discrepancy between the Tendermint Core (untyped) logger and the Cosmos SDK (typed) logger: Tendermint Core's logger automatically stringifies Go interfaces whenever possible; however, the Cosmos SDK's logger uses reflection to log the fields within a Go interface.
The introduction of the typed logger meant that previously un-logged fields within
interfaces are now sometimes logged, including the private key material inside the
FilePV
struct.
Tendermint Core v0.34.7 fixes this issue; however, we strongly recommend that all validators
use remote signer implementations instead of FilePV
in production.
Thank you to @joe-bowman for his assistance with this vulnerability and a particular shout-out to @marbar3778 for diagnosing it quickly.
- [consensus] #6128 Remove privValidator from log call (@tessr)
February 18, 2021
Tendermint Core v0.34.5 and v0.34.6 have been recalled due to build tooling problems.
February 11, 2021
This release includes a fix for a memory leak in the evidence reactor (see #6068, below). All Tendermint clients are recommended to upgrade. Thank you to our friends at Crypto.com for the initial report of this memory leak!
Special thanks to other external contributors on this release: @yayajacky, @odidev, @laniehei, and @c29r3!
- [light] #6022 Fix a bug when the number of validators equals 100 (@melekes)
- [light] #6026 Fix a bug when height isn't provided for the rpc calls:
/commit
and/validators
(@cmwaters) - [evidence] #6068 Terminate broadcastEvidenceRoutine when peer is stopped (@melekes)
January 19, 2021
This release includes a fix for a high-severity security vulnerability, a DoS-vector that impacted Tendermint Core v0.34.0-v0.34.2. For more details, see Security Advisory Mulberry or https://nvd.nist.gov/vuln/detail/CVE-2021-21271.
Tendermint Core v0.34.3 also updates GoGo Protobuf to 1.3.2 in order to pick up the fix for https://nvd.nist.gov/vuln/detail/CVE-2021-3121.
- [evidence] [security fix] Use correct source of evidence time (@cmwaters)
- [proto] #5886 Bump gogoproto to 1.3.2 (@marbar3778)
January 12, 2021
This release fixes a substantial bug in evidence handling where evidence could sometimes be broadcast before the block containing that evidence was fully committed, resulting in some nodes panicking when trying to verify said evidence.
- Go API
- [libs/os] #5871
EnsureDir
now propagates IO errors and checks the file type (@erikgrinaker)
- [libs/os] #5871
- [evidence] #5890 Add a buffer to evidence from consensus to avoid broadcasting and proposing evidence before the height of such an evidence has finished (@cmwaters)
- [statesync] #5889 Set
LastHeightConsensusParamsChanged
when bootstrapping Tendermint state (@cmwaters)
January 6, 2021
Special thanks to external contributors on this release:
@p4u from vocdoni.io reported that the mempool might behave incorrectly under a
high load. The consequences can range from pauses between blocks to the peers
disconnecting from this node. As a temporary remedy (until the mempool package
is refactored), the max-batch-bytes
was disabled. Transactions will be sent
one by one without batching.
-
CLI/RPC/Config
- [cli] #5786 deprecate snake_case commands for hyphen-case (@cmwaters)
-
Go API
- [libs/protoio] #5868 Return number of bytes read in
Reader.ReadMsg()
(@erikgrinaker)
- [libs/protoio] #5868 Return number of bytes read in
- [mempool] #5813 Add
keep-invalid-txs-in-cache
config option. When set to true, mempool will keep invalid transactions in the cache (@p4u)
- [crypto] #5707 Fix infinite recursion in string formatting of Secp256k1 keys (@erikgrinaker)
- [mempool] #5800 Disable
max-batch-bytes
(@melekes) - [p2p] #5868 Fix inbound traffic statistics and rate limiting in
MConnection
(@erikgrinaker)
November 19, 2020
Holy smokes, this is a big one! For a more reader-friendly overview of the changes in 0.34.0 (and of the changes you need to accommodate as a user), check out UPGRADING.md.
Special thanks to external contributors on this release: @james-ray, @fedekunze, @favadi, @alessio, @joe-bowman, @cuonglm, @SadPencil and @dongsam.
-
CLI/RPC/Config
- [config] #5315 Rename
prof_laddr
topprof_laddr
and move it torpc
section (@melekes) - [evidence] #4959 Add JSON tags to
DuplicateVoteEvidence
(@marbar3778) - [light] #4946
tendermint lite
command has been renamed totendermint light
(@marbar3778) - [privval] #4582
round
in private_validator_state.json is no longer JSON string; instead it is a number (@marbar3778) - [rpc] #4792
/validators
are now sorted by voting power (@melekes) - [rpc] #4947 Return an error when
page
pagination param is 0 in/validators
,tx_search
(@melekes) - [rpc] #5137 JSON tags of
gasWanted
andgasUsed
inResponseCheckTx
andResponseDeliverTx
have been made snake_case (gas_wanted
andgas_used
) (@marbar3778) - [rpc] #5315 Remove
/unsafe_start_cpu_profiler
,/unsafe_stop_cpu_profiler
and/unsafe_write_heap_profile
. Please use pprof functionality instead (@melekes) - [rpc/client, rpc/jsonrpc/client] #5347 All client methods now accept
context.Context
as 1st param (@melekes)
- [config] #5315 Rename
-
Apps
- [abci] #4704 Add ABCI methods
ListSnapshots
,LoadSnapshotChunk
,OfferSnapshot
, andApplySnapshotChunk
for state sync snapshots.ABCIVersion
bumped to 0.17.0. (@erikgrinaker) - [abci] #4989
Proof
withinResponseQuery
has been renamed toProofOps
(@marbar3778) - [abci] #5096
CheckTxType
Protobuf enum names are now uppercase, to follow Protobuf style guide (@erikgrinaker) - [abci] #5324 ABCI evidence type is now an enum with two types of possible evidence (@cmwaters)
- [abci] #4704 Add ABCI methods
-
P2P Protocol
- [blockchain] #4637 Migrate blockchain reactor(s) to Protobuf encoding (@marbar3778)
- [evidence] #4949 Migrate evidence reactor to Protobuf encoding (@marbar3778)
- [mempool] #4940 Migrate mempool from to Protobuf encoding (@marbar3778)
- [mempool] #5321 Batch transactions when broadcasting them to peers (@melekes)
MaxBatchBytes
new config setting defines the max size of one batch.
- [p2p/pex] #4973 Migrate
p2p/pex
reactor to Protobuf encoding (@marbar3778) - [statesync] #4943 Migrate state sync reactor to Protobuf encoding (@marbar3778)
-
Blockchain Protocol
- [evidence] #4725 Remove
Pubkey
fromDuplicateVoteEvidence
(@marbar3778) - [evidence] #5499 Cap evidence to a maximum number of bytes (supercedes #4780) (@cmwaters)
- [merkle] #5193 Header hashes are no longer empty for empty inputs, notably
DataHash
,EvidenceHash
, andLastResultsHash
(@erikgrinaker) - [state] #4845 Include
GasWanted
andGasUsed
intoLastResultsHash
(@melekes) - [types] #4792 Sort validators by voting power to enable faster commit verification (@melekes)
- [evidence] #4725 Remove
-
On-disk serialization
-
Light client, private validator
-
Go API
- [consensus] #4582 RoundState:
Round
,LockedRound
&CommitRound
are nowint32
(@marbar3778) - [consensus] #4582 HeightVoteSet:
round
is nowint32
(@marbar3778) - [crypto] #4721 Remove
SimpleHashFromMap()
andSimpleProofsFromMap()
(@erikgrinaker) - [crypto] #4940 All keys have become
[]byte
instead of[<size>]byte
. The byte method no longer returns the marshaled value but just the[]byte
form of the data. (@marbar3778) - [crypto] #4988 Removal of key type multisig (@marbar3778)
- The key has been moved to the Cosmos-SDK
- [crypto] #4989 Remove
Simple
prefixes fromSimpleProof
,SimpleValueOp
&SimpleProofNode
. (@marbar3778)merkle.Proof
has been renamed toProofOps
.- Protobuf messages
Proof
&ProofOp
has been moved toproto/crypto/merkle
SimpleHashFromByteSlices
has been renamed toHashFromByteSlices
SimpleHashFromByteSlicesIterative
has been renamed toHashFromByteSlicesIterative
SimpleProofsFromByteSlices
has been renamed toProofsFromByteSlices
- [crypto] #4941 Remove suffixes from all keys. (@marbar3778)
- ed25519: type
PrivKeyEd25519
is nowPrivKey
- ed25519: type
PubKeyEd25519
is nowPubKey
- secp256k1: type
PrivKeySecp256k1
is nowPrivKey
- secp256k1: type
PubKeySecp256k1
is nowPubKey
- sr25519: type
PrivKeySr25519
is nowPrivKey
- sr25519: type
PubKeySr25519
is nowPubKey
- ed25519: type
- [crypto] #5214 Change
GenPrivKeySecp256k1
toGenPrivKeyFromSecret
to be consistent with other keys (@marbar3778) - [crypto] #5236
VerifyBytes
is nowVerifySignature
on thecrypto.PubKey
interface (@marbar3778) - [evidence] #5361 Add LightClientAttackEvidence and change evidence interface (@cmwaters)
- [libs] #4831 Remove
Bech32
pkg from Tendermint. This pkg now lives in the cosmos-sdk (@marbar3778) - [light] #4946 Rename
lite2
pkg tolight
. Removelite
implementation. (@marbar3778) - [light] #5347
NewClient
,NewHTTPClient
,VerifyHeader
andVerifyLightBlockAtHeight
now acceptcontext.Context
as 1st param (@melekes) - [merkle] #5193
HashFromByteSlices
andProofsFromByteSlices
now return a hash for empty inputs, following RFC6962 (@erikgrinaker) - [proto] #5025 All proto files have been moved to
/proto
directory. (@marbar3778)- Using the recommended the file layout from buf, see here for more info
- [rpc/client] #4947
Validators
,TxSearch
page
/per_page
params become pointers (@melekes)UnconfirmedTxs
limit
param is a pointer
- [rpc/jsonrpc/server] #5141 Remove
WriteRPCResponseArrayHTTP
(useWriteRPCResponseHTTP
instead) (@melekes) - [state] #4679
TxResult
is a Protobuf type defined inabci
types directory (@marbar3778) - [state] #5191 Add
State.InitialHeight
field to record initial block height, must be1
(not0
) to start from 1 (@erikgrinaker) - [state] #5231
LoadStateFromDBOrGenesisFile()
andLoadStateFromDBOrGenesisDoc()
no longer saves the state in the database if not found, the genesis state is simply returned (@erikgrinaker) - [state] #5348 Define an Interface for the state store. (@marbar3778)
- [types] #4939
SignedMsgType
has moved to a Protobuf enum types (@marbar3778) - [types] #4962
ConsensusParams
,BlockParams
,EvidenceParams
,ValidatorParams
&HashedParams
are now Protobuf types (@marbar3778) - [types] #4852 Vote & Proposal
SignBytes
is now funcVoteSignBytes
&ProposalSignBytes
(@marbar3778) - [types] #4798 Simplify
VerifyCommitTrusting
func + remove extra validation (@melekes) - [types] #4845 Remove
ABCIResult
(@melekes) - [types] #5029 Rename all values from
PartsHeader
toPartSetHeader
to have consistency (@marbar3778) - [types] #4939
Total
inParts
&PartSetHeader
has been changed from aint
to auint32
(@marbar3778) - [types] #4939 Vote:
ValidatorIndex
&Round
are nowint32
(@marbar3778) - [types] #4939 Proposal:
POLRound
&Round
are nowint32
(@marbar3778) - [types] #4939 Block:
Round
is nowint32
(@marbar3778)
- [consensus] #4582 RoundState:
- [abci] #5031 Add
AppVersion
to consensus parameters (@james-ray)- This makes it possible to update your ABCI application version via
EndBlock
response
- This makes it possible to update your ABCI application version via
- [abci] #5174 Remove
MockEvidence
in favor of testing with actual evidence types (DuplicateVoteEvidence
&LightClientAttackEvidence
) (@cmwaters) - [abci] #5191 Add
InitChain.InitialHeight
field giving the initial block height (@erikgrinaker) - [abci] #5227 Add
ResponseInitChain.app_hash
which is recorded in genesis block (@erikgrinaker) - [config] #5147 Add
--consensus.double_sign_check_height
flag andDoubleSignCheckHeight
config variable. See ADR-51 (@dongsam) - [db] #5233 Add support for
badgerdb
database backend (@erikgrinaker) - [evidence] #4532 Handle evidence from light clients (@melekes)
- [evidence] #4821 Amnesia (light client attack) evidence can be detected, verified and committed (@cmwaters)
- [genesis] #5191 Add
initial_height
field to specify the initial chain height (defaults to1
) (@erikgrinaker) - [libs/math] #5665 Make fractions unsigned integers (uint64) (@cmwaters)
- [light] #5298 Morph validator set and signed header into light block (@cmwaters)
- [p2p] #4981 Expose
SaveAs
func on NodeKey (@melekes) - [privval] #5239 Add
chainID
to requests from client. (@marbar3778) - [rpc] #4532 Support
BlockByHash
query (@fedekunze) - [rpc] #4979 Support EXISTS operator in
/tx_search
query (@melekes) - [rpc] #5017 Add
/check_tx
endpoint to check transactions without executing them or adding them to the mempool (@melekes) - [rpc] #5108 Subscribe using the websocket for new evidence events (@cmwaters)
- [statesync] Add state sync support, where a new node can be rapidly bootstrapped by fetching state snapshots from peers instead of replaying blocks. See the
[statesync]
config section. - [evidence] #5361 Add LightClientAttackEvidence and refactor evidence lifecycle - for more information see ADR-059 (@cmwaters)
- [blockchain] #5278 Verify only +2/3 of the signatures in a block when fast syncing. (@marbar3778)
- [consensus] #4578 Attempt to repair the consensus WAL file (
data/cs.wal/wal
) automatically in case of corruption (@alessio)- The original WAL file will be backed up to
data/cs.wal/wal.CORRUPTED
.
- The original WAL file will be backed up to
- [consensus] #5143 Only call
privValidator.GetPubKey
once per block (@melekes) - [evidence] #4722 Consolidate evidence store and pool types to improve evidence DB (@cmwaters)
- [evidence] #4839 Reject duplicate evidence from being proposed (@cmwaters)
- [evidence] #5219 Change the source of evidence time to block time (@cmwaters)
- [libs] #5126 Add a sync package which wraps sync.(RW)Mutex & deadlock.(RW)Mutex and use a build flag (deadlock) in order to enable deadlock checking (@marbar3778)
- [light] #4935 Fetch and compare a new header with witnesses in parallel (@melekes)
- [light] #4929 Compare header with witnesses only when doing bisection (@melekes)
- [light] #4916 Validate basic for inbound validator sets and headers before further processing them (@cmwaters)
- [mempool] Add RemoveTxByKey() exported function for custom mempool cleaning (@p4u)
- [p2p/conn] #4795 Return err on
signChallenge()
instead of panic - [privval] #5437
NewSignerDialerEndpoint
can now be givenSignerServiceEndpointOption
(@erikgrinaker) - [rpc] #4968 JSON encoding is now handled by
libs/json
, not Amino (@erikgrinaker) - [rpc] #5293
/dial_peers
has addedprivate
andunconditional
as parameters. (@marbar3778) - [state] #4781 Export
InitStateVersion
for the initial state version (@erikgrinaker) - [txindex] #4466 Allow to index an event at runtime (@favadi)
abci.EventAttribute
replacesKV.Pair
- [types] #4905 Add
ValidateBasic
to validator and validator set (@cmwaters) - [types] #5340 Add check in
Header.ValidateBasic()
for block protocol version (@marbar3778) - [types] #5490 Use
Commit
andCommitSig
max sizes instead of vote max size to calculate the maximum block size. (@cmwaters)
- [abci/grpc] #5520 Return async responses in order, to avoid mempool panics. (@erikgrinaker)
- [blockchain/v2] #4971 Correctly set block store base in status responses (@erikgrinaker)
- [blockchain/v2] #5499 Fix "duplicate block enqueued by processor" panic (@melekes)
- [blockchain/v2] #5530 Fix out of order block processing panic (@melekes)
- [blockchain/v2] #5553 Make the removal of an already removed peer a noop (@melekes)
- [consensus] #4895 Cache the address of the validator to reduce querying a remote KMS (@joe-bowman)
- [consensus] #4970 Don't allow
LastCommitRound
to be negative (@cuonglm) - [consensus] #5329 Fix wrong proposer schedule for validators returned by
InitChain
(@erikgrinaker) - [docker] #5385 Fix incorrect
time_iota_ms
default setting causing block timestamp drift (@erikgrinaker) - [evidence] #5170 Change ABCI evidence time to the time the infraction happened not the time the evidence was committed on the block (@cmwaters)
- [evidence] #5610 Make it possible for ABCI evidence to be formed from Tendermint evidence (@cmwaters)
- [libs/rand] #5215 Fix out-of-memory error on unexpected argument of Str() (@SadPencil)
- [light] #5307 Persist correct proposer priority in light client validator sets (@cmwaters)
- [p2p] #5136 Fix error for peer with the same ID but different IPs (@valardragon)
- [privval] #5638 Increase read/write timeout to 5s and calculate ping interval based on it (@JoeKash)
- [proxy] #5078 Force Tendermint to exit when ABCI app crashes (@melekes)
- [rpc] #5660 Set
application/json
as theContent-Type
header in RPC responses. (@alexanderbez) - [store] #5382 Fix race conditions when loading/saving/pruning blocks (@erikgrinaker)
August 11, 2020
Go reported a security vulnerability that affected the encoding/binary
package. The most recent binary for tendermint is using 1.14.6, for this
reason the Tendermint engineering team has opted to conduct a release to aid users in using the correct version of Go. Read more about the security issue here.
August 4, 2020
- [go] Build release binary using Go 1.14.4, to avoid halt caused by Go 1.14.1 (golang/go#38223)
- [privval] #5140
RemoteSignerError
from remote signers are no longer retried (@melekes)
July 2, 2020
This security release fixes:
Tendermint 0.33.0 and above allow block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it without changing the chainID. (It is a misconfiguration to reuse chainIDs.) Correct block proposers will accidentally include signatures for the wrong block if they see these signatures, and then commits won't validate, making all proposed blocks invalid. A malicious validator (even with a minimal amount of stake) can use this vulnerability to completely halt the network.
Tendermint 0.33.6 checks all the signatures are for the block with +2/3 majority before creating a commit.
Tendermint 0.33.1 and above are no longer fully verifying commit signatures during block execution - they stop after +2/3. This means proposers can propose blocks that contain valid +2/3 signatures and then the rest of the signatures can be whatever they want. They can claim that all the other validators signed just by including a CommitSig with arbitrary signature data. While this doesn't seem to impact safety of Tendermint per se, it means that Commits may contain a lot of invalid data.
This was already true of blocks, since they could include invalid txs filled with garbage, but in that case the application knew that they are invalid and could punish the proposer. But since applications didn't--and don't-- verify commit signatures directly (they trust Tendermint to do that), they won't be able to detect it.
This can impact incentivization logic in the application that depends on the LastCommitInfo sent in BeginBlock, which includes which validators signed. For instance, Gaia incentivizes proposers with a bonus for including more than +2/3 of the signatures. But a proposer can now claim that bonus just by including arbitrary data for the final -1/3 of validators without actually waiting for their signatures. There may be other tricks that can be played because of this.
Tendermint 0.33.6 verifies all the signatures during block execution.
Please note that the light client does not check nil votes and exits as soon as 2/3+ of the signatures are checked.
All clients are recommended to upgrade.
Special thanks to @njmurarka at Bluzelle Networks for reporting this.
- [consensus] Do not allow signatures for a wrong block in commits (@ebuchman)
- [consensus] Verify all the signatures during block execution (@melekes)
Please note that the fix for the False Witness issue renames the VerifyCommitTrusting
function to VerifyCommitLightTrusting
. If you were relying on the light client, you may
need to update your code.
May 28, 2020
Special thanks to external contributors on this release: @tau3,
-
Go API
- [privval] #4744 Remove deprecated
OldFilePV
(@melekes) - [mempool] #4759 Modify
Mempool#InitWAL
to return an error (@melekes) - [node] #4832
ConfigureRPC
returns an error (@melekes) - [rpc] #4836 Overhaul
lib
folder (@melekes) Move lib/ folder to jsonrpc/. Rename: rpc package -> jsonrpc package rpcclient package -> client package rpcserver package -> server package JSONRPCClient to Client JSONRPCRequestBatch to RequestBatch JSONRPCCaller to Caller StartHTTPServer to Serve StartHTTPAndTLSServer to ServeTLS NewURIClient to NewURI NewJSONRPCClient to New NewJSONRPCClientWithHTTPClient to NewWithHTTPClient NewWSClient to NewWS Unexpose ResponseWriterWrapper Remove unused http_params.go
- [privval] #4744 Remove deprecated
- [pex] #4439 Use highwayhash for pex buckets (@tau3)
- [abci/server] #4719 Print panic & stack trace to STDERR if logger is not set (@melekes)
- [types] #4638 Implement
Header#ValidateBasic
(@alexanderbez) - [buildsystem] #4378 Replace build_c and install_c with TENDERMINT_BUILD_OPTIONS parsing. The following options are available:
- nostrip: don't strip debugging symbols nor DWARF tables.
- cleveldb: use cleveldb as db backend instead of goleveldb.
- race: pass -race to go build and enable data race detection.
- [mempool] #4759 Allow ReapX and CheckTx functions to run in parallel (@melekes)
- [rpc/core] #4844 Do not lock consensus state in
/validators
,/consensus_params
and/status
(@melekes)
- [blockchain/v2] #4761 Fix excessive CPU usage caused by spinning on closed channels (@erikgrinaker)
- [blockchain/v2] Respect
fast_sync
option (@erikgrinaker) - [light] #4741 Correctly return
ErrSignedHeaderNotFound
andErrValidatorSetNotFound
on corresponding RPC errors (@erikgrinaker) - [rpc] #4805 Attempt to handle panics during panic recovery (@erikgrinaker)
- [types] #4764 Return an error if voting power overflows in
VerifyCommitTrusting
(@melekes) - [privval] #4812 Retry
GetPubKey/SignVote/SignProposal
a few times before returning an error (@melekes) - [p2p] #4847 Return masked IP (not the actual IP) in addrbook#groupKey (@melekes)
- Nodes are no longer guaranteed to contain all blocks up to the latest height. The ABCI app can now control which blocks to retain through the ABCI field
ResponseCommit.retain_height
, all blocks and associated data below this height will be removed.
April 21, 2020
Special thanks to external contributors on this release: @whylee259, @greg-szabo
-
Go API
- [abci] #4588 Add
ResponseCommit.retain_height
field, which will automatically remove blocks below this height. This bumps the ABCI version to 0.16.2 (@erikgrinaker). - [cmd] #4665 New
tendermint completion
command to generate Bash/Zsh completion scripts (@alessio). - [rpc] #4588 Add
/status
response fields for the earliest block available on the node (@erikgrinaker). - [rpc] #4611 Add
codespace
toResultBroadcastTx
(@whylee259).
- [all] #4608 Give reactors descriptive names when they're initialized (@tessr).
- [blockchain] #4588 Add
Base
to blockchain reactor P2P messagesStatusRequest
andStatusResponse
(@erikgrinaker). - [Docker] #4569 Default configuration added to docker image (you can still mount your own config the same way) (@greg-szabo).
- [example/kvstore] #4588 Add
RetainBlocks
option to control block retention (@erikgrinaker). - [evidence] #4632 Inbound evidence checked if already existing (@cmwaters).
- [lite2] #4575 Use bisection for within-range verification (@cmwaters).
- [lite2] #4562 Cache headers when using bisection (@cmwaters).
- [p2p] #4548 Add ban list to address book (@cmwaters).
- [privval] #4534 Add
error
as a return value onGetPubKey()
(@marbar3778). - [p2p] #4621 Ban peers when messages are unsolicited or too frequent (@cmwaters).
- [rpc] #4703 Add
count
andtotal
to/validators
response (@melekes). - [tools] #4615 Allow developers to use Docker to generate proto stubs, via
make proto-gen-docker
(@erikgrinaker).
- [rpc] #4568 Fix panic when
Subscribe
is called, but HTTP client is not running.Subscribe
,Unsubscribe(All)
methods return an error now (@melekes).
April 6, 2020
This security release fixes:
Tendermint 0.33.2 and earlier does not limit P2P connection requests number. For each p2p connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming
connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)
.
Notes:
- Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);
- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (#1696).
Tendermint 0.33.2 and earlier does not reclaim activeID
of a peer after it's
removed in Mempool
reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. RemovePeer
is therefore called before AddPeer
, which
leads to always growing memory (activeIDs
map). The activeIDs
map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3 (and 0.32.10) claims activeID
for a peer in InitPeer
,
which is executed before MConnection
is started.
Notes:
InitPeer
function was added to all reactors to combat a similar issue - #3338;- Denial of service 2 is independent of Denial of service 1 and can be executed without it.
All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
- [mempool] Reserve IDs in InitPeer instead of AddPeer (@tessr)
- [p2p] Limit the number of incoming connections (@melekes)
March 11, 2020
Special thanks to external contributors on this release: @antho1404, @michaelfig, @gterzian, @tau3, @Shivani912
-
CLI/RPC/Config
- [cli] #4505
tendermint lite
sub-command new syntax (@melekes):lite cosmoshub-3 -p 52.57.29.196:26657 -w public-seed-node.cosmoshub.certus.one:26657 --height 962118 --hash 28B97BE9F6DE51AC69F70E0B7BFD7E5C9CD1A595B7DC31AFF27C50D4948
- [cli] #4505
-
Go API
- [blockchain/v2] #4361 Add reactor (@brapse)
- [cmd] #4515 Change
tendermint debug dump
sub-command archives filename's format (@melekes) - [consensus] #3583 Reduce
non-deterministic signature
log noise (@tau3) - [examples/kvstore] #4507 ABCI query now returns the proper height (@erikgrinaker)
- [lite2] #4462 Add
NewHTTPClient
andNewHTTPClientFromTrustedStore
(@cmwaters) - [lite2] #4329 modified bisection to loop (@cmwaters)
- [lite2] #4385 Disconnect from bad nodes (@melekes)
- [lite2] #4398 Add
VerifyAdjacent
andVerifyNonAdjacent
funcs (@cmwaters) - [lite2] #4426 Don't save intermediate headers (@cmwaters)
- [lite2] #4464 Cross-check first header (@cmwaters)
- [lite2] #4470 Fix inconsistent header-validatorset pairing (@melekes)
- [lite2] #4488 Allow local clock drift -10 sec. (@melekes)
- [p2p] #4449 Use
curve25519.X25519()
instead ofScalarMult
(@erikgrinaker) - [types] #4417 VerifyCommitX() functions should return as soon as +2/3 threshold is reached (@alessio).
- [libs/kv] #4542 remove unused type KI64Pair (@tessr)
- [cmd] #4303 Show useful error when Tendermint is not initialized (@melekes)
- [cmd] #4515 Fix
tendermint debug kill
sub-command (@melekes) - [rpc] #3935 Create buffered subscriptions on
/subscribe
(@melekes) - [rpc] #4375 Stop searching for txs in
/tx_search
upon client timeout (@gterzian) - [rpc] #4406 Fix issue with multiple subscriptions on the websocket (@antho1404)
- [rpc] #4432 Fix
/tx_search
pagination with ordered results (@erikgrinaker) - [rpc] #4492 Keep the original subscription "id" field when new RPCs come in (@michaelfig)
Feburary 13, 2020
Special thanks to external contributors on this release: @princesinha19
- [rpc] #3333 Add
order_by
to/tx_search
endpoint, allowing to change default ordering from asc to desc (@princesinha19)
- [proto] #4369 Add buf for usage with linting and checking if there are breaking changes with the master branch.
- [proto] #4369 Add
make proto-gen
cmd to generate proto stubs outside of GOPATH.
- [node] #4311 Use
GRPCMaxOpenConnections
when creating the gRPC server, notMaxOpenConnections
- [rpc] #4319 Check
BlockMeta
is not nil in/block
&/block_by_hash
Special thanks to external contributors on this release: @mrekucci, @PSalant726, @princesinha19, @greg-szabo, @dongsam, @cuonglm, @jgimeno, @yenkhoon
January 14, 2020
This release contains breaking changes to the Block#Header
, specifically
NumTxs
and TotalTxs
were removed (#2521). Here's how this change affects
different modules:
- apps: it breaks the ABCI header field numbering
- state: it breaks the format of
State
on disk - RPC: all RPC requests which expose the header broke
- Go API: the
Header
broke - P2P: since blocks go over the wire, technically the P2P protocol broke
Also, blocks are significantly smaller 🔥 because we got rid of the redundant
information in Block#LastCommit
. Commit
now mainly consists of a signature
and a validator address plus a timestamp. Note we may remove the validator
address & timestamp fields in the future (see ADR-25).
lite2
package has been added to solve lite
issues and introduce weak
subjectivity interface. Refer to the spec for complete details.
lite
package is now deprecated and will be removed in v0.34 release.
-
CLI/RPC/Config
-
[rpc] #3471 Paginate
/validators
response (default: 30 vals per page) -
[rpc] #3188 Remove
BlockMeta
inResultBlock
in favor ofBlockId
for/block
-
[rpc]
/block_results
response format updated (see RPC docs for details){ "jsonrpc": "2.0", "id": "", "result": { "height": "2109", "txs_results": null, "begin_block_events": null, "end_block_events": null, "validator_updates": null, "consensus_param_updates": null } }
-
[rpc] #4141 Remove
#event
suffix from the ID in event responses.{"jsonrpc": "2.0", "id": 0, "result": ...}
-
[rpc] #4141 Switch to integer IDs instead of
json-client-XYZ
id=0 method=/subscribe id=0 result=... id=1 method=/abci_query id=1 result=...
- ID is unique for each request;
- Request.ID is now optional. Notification is a Request without an ID. Previously ID="" or ID=0 were considered as notifications.
-
[config] #4046 Rename tag(s) to CompositeKey & places where tag is still present it was renamed to event or events. Find how a compositeKey is constructed here
- You will have to generate a new config for your Tendermint node(s)
-
[genesis] #2565 Add
consensus_params.evidence.max_age_duration
. Renameconsensus_params.evidence.max_age
tomax_age_num_blocks
. -
[cli] #1771
tendermint lite
now uses new light client package (lite2
) and has 3 more flags:--trusting-period
,--trusted-height
and--trusted-hash
-
-
Apps
- [tm-bench] Removed tm-bench in favor of tm-load-test
-
Go API
- [rpc] #3953 Modify NewHTTP, NewXXXClient functions to return an error on invalid remote instead of panicking (@mrekucci)
- [rpc/client] #3471
Validators
now requires two more args:page
andperPage
- [libs/common] #3262 Make error the last parameter of
Task
(@PSalant726) - [cs/types] #3262 Rename
GotVoteFromUnwantedRoundError
toErrGotVoteFromUnwantedRound
(@PSalant726) - [libs/common] #3862 Remove
errors.go
fromlibs/common
- [libs/common] #4230 Move
KV
out of common to its own pkg - [libs/common] #4230 Rename
cmn.KVPair(s)
tokv.Pair(s)
s - [libs/common] #4232 Move
Service
&BaseService
fromlibs/common
tolibs/service
- [libs/common] #4232 Move
common/nil.go
totypes/utils.go
& make the functions private - [libs/common] #4231 Move random functions from
libs/common
into pkgrand
- [libs/common] #4237 Move byte functions from
libs/common
into pkgbytes
- [libs/common] #4237 Move throttletimer functions from
libs/common
into pkgtimer
- [libs/common] #4237 Move tempfile functions from
libs/common
into pkgtempfile
- [libs/common] #4240 Move os functions from
libs/common
into pkgos
- [libs/common] #4240 Move net functions from
libs/common
into pkgnet
- [libs/common] #4240 Move mathematical functions and types out of
libs/common
tomath
pkg - [libs/common] #4240 Move string functions out of
libs/common
tostrings
pkg - [libs/common] #4240 Move async functions out of
libs/common
toasync
pkg - [libs/common] #4240 Move bit functions out of
libs/common
tobits
pkg - [libs/common] #4240 Move cmap functions out of
libs/common
tocmap
pkg - [libs/common] #4258 Remove
Rand
from allrand
pkg functions - [types] #2565 Remove
MockBadEvidence
&MockGoodEvidence
in favor ofMockEvidence
-
Blockchain Protocol
-
P2P Protocol
- [p2p] #3668 Make
SecretConnection
non-malleable
- [p2p] #3668 Make
-
[proto] #3986 Prefix protobuf types to avoid name conflicts.
- ABCI becomes
tendermint.abci.types
with the new API endpoint/tendermint.abci.types.ABCIApplication/
- core_grpc becomes
tendermint.rpc.grpc
with the new API endpoint/tendermint.rpc.grpc.BroadcastAPI/
- merkle becomes
tendermint.crypto.merkle
- libs.common becomes
tendermint.libs.common
- proto3 becomes
tendermint.types.proto3
- ABCI becomes
- [p2p] #4053 Add
unconditional_peer_ids
andpersistent_peers_max_dial_period
config variables (see ADR-050) (@dongsam) - [tools] #4227 Implement
tendermint debug kill
andtendermint debug dump
commands for Tendermint node debugging functionality. See--help
in both commands for further documentation and usage. - [cli] #4234 Add
--db_backend and --db_dir
flags (@princesinha19) - [cli] #4113 Add optional
--genesis_hash
flag to check genesis hash upon startup - [config] #3831 Add support for RocksDB (@Stumble)
- [rpc] #3985 Add new
/block_by_hash
endpoint, which allows to fetch a block by its hash (@princesinha19) - [metrics] #4263 Add
consensus_validator_power
: track your validators powerconsensus_validator_last_signed_height
: track at which height the validator last signedconsensus_validator_missed_blocks
: total amount of missed blocks for a validator as gauges in prometheus for validator specific metrics
- [rpc/lib] #4248 RPC client basic authentication support (@greg-szabo)
- [lite2] #1771 Light client with weak subjectivity
- [rpc] #3188 Added
block_size
toBlockMeta
this is reflected in/blockchain
- [types] #2521 Add
NumTxs
toBlockMeta
andEventDataNewBlockHeader
- [p2p] #4185 Simplify
SecretConnection
handshake with merlin - [cli] #4065 Add
--consensus.create_empty_blocks_interval
flag (@jgimeno) - [docs] #4065 Document
--consensus.create_empty_blocks_interval
flag (@jgimeno) - [crypto] #4190 Added SR25519 signature scheme
- [abci] [#4177] kvstore: Return
LastBlockHeight
andLastBlockAppHash
inInfo
(@princesinha19) - [rpc] #2741 Add
proposer
to/consensus_state
response (@princesinha19) - [deps] #4289 Update tm-db to 0.4.0, this includes major breaking changes in the dep that change how errors are handled.
- [rpc/lib]#4051 Fix RPC client, which was previously resolving https protocol to http (@yenkhoon)
- [rpc] #4141 JSONRPCClient: validate that Response.ID matches Request.ID
- [rpc] #4141 WSClient: check for unsolicited responses
- [types] \4164 Prevent temporary power overflows on validator updates
- [cs] #4069 Don't panic when block meta is not found in store (@gregzaitsev)
- [types] #4164 Prevent temporary power overflows on validator updates (joint efforts of @gchaincl and @ancazamfir)
- [p2p] #4140
SecretConnection
: use the transcript solely for authentication (i.e. MAC) - [consensus/types] #4243 fix BenchmarkRoundStateDeepCopy panics (@cuonglm)
- [rpc] #4256 Pass
outCapacity
toeventBus#Subscribe
when subscribing using a local client
August 5, 2020
- [privval] #5112 If remote signer errors, don't retry (@melekes)
May 19, 2020
- [p2p] #4847 Return masked IP (not the actual IP) in addrbook#groupKey (@melekes)
April 29, 2020
- [privval] #4275 Fix consensus failure when remote signer drops (@melekes)
April 6, 2020
This security release fixes:
Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming
connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)
.
Notes:
- Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);
- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (#1696).
Tendermint 0.33.2 and earlier does not reclaim activeID
of a peer after it's
removed in Mempool
reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. RemovePeer
is therefore called before AddPeer
, which
leads to always growing memory (activeIDs
map). The activeIDs
map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
Service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3 (and 0.32.10) claims activeID
for a peer in InitPeer
,
which is executed before MConnection
is started.
Notes:
InitPeer
function was added to all reactors to combat a similar issue - #3338;- Denial of Service 2 is independent of Denial of Service 1 and can be executed without it.
All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
- [mempool] Reserve IDs in InitPeer instead of AddPeer (@tessr)
- [p2p] Limit the number of incoming connections (@melekes)
January, 9, 2020
Special thanks to external contributors on this release: @greg-szabo, @gregzaitsev, @yenkhoon
-
[rpc/lib] #4248 RPC client basic authentication support (@greg-szabo)
-
[metrics] #4294 Add
consensus_validator_power
: track your validators powerconsensus_validator_last_signed_height
: track at which height the validator last signedconsensus_validator_missed_blocks
: total amount of missed blocks for a validator as gauges in prometheus for validator specific metrics
- [rpc/lib] #4131 Fix RPC client, which was previously resolving https protocol to http (@yenkhoon)
- [cs] #4069 Don't panic when block meta is not found in store (@gregzaitsev)
November 19, 2019
Special thanks to external contributors on this release: @erikgrinaker, @guagualvcha, @hsyis, @cosmostuba, @whunmr, @austinabell
-
Go API
- [libs/pubsub] #4070
Query#(Matches|Conditions)
returns an error.
- [libs/pubsub] #4070
- [mempool] #4083 Added TxInfo parameter to CheckTx(), and removed CheckTxWithInfo() (@erikgrinaker)
- [mempool] #4057 Include peer ID when logging rejected txns (@erikgrinaker)
- [tools] #4023 Improved
tm-monitor
formatting of start time and avg tx throughput (@erikgrinaker) - [p2p] #3991 Log "has been established or dialed" as debug log instead of Error for connected peers (@whunmr)
- [rpc] #4077 Added support for
EXISTS
clause to the Websocket query interface. - [privval] Add
SignerDialerEndpointRetryWaitInterval
option (@cosmostuba) - [crypto] Add
RegisterKeyType
to amino to allow external key types registration (@austinabell)
- [libs/pubsub] #4070 Strip out non-numeric characters when attempting to match numeric values.
- [libs/pubsub] #4070 No longer panic in Query#(Matches|Conditions) preferring to return an error instead.
- [tools] #4023 Refresh
tm-monitor
health when validator count is updated (@erikgrinaker) - [state] #4104 txindex/kv: Fsync data to disk immediately after receiving it (@guagualvcha)
- [state] #4095 txindex/kv: Return an error if there's one when the user searches for a tx (hash=X) (@hsyis)
October 18, 2019
This security release fixes a vulnerability found in the consensus
package,
where an attacker could construct a BlockPartMessage
message in such a way
that it will lead to consensus failure. A few similar issues have been
identified and fixed here.
All clients are recommended to upgrade
Special thanks to elvishacker for finding and reporting this.
- Go API
- [consensus] Modify
WAL#Write
andWAL#WriteSync
to return an error if they fail to write a message
- [consensus] Modify
- [consensus] Validate incoming messages more throughly
October 8, 2019
The previous patch was insufficient because the attacker could still find a way
to submit a nil
pubkey by constructing a PubKeyMultisigThreshold
pubkey
with nil
subpubkeys for example.
This release provides multiple fixes, which include recovering from panics when
accepting new peers and only allowing ed25519
pubkeys.
All clients are recommended to upgrade
Special thanks to fudongbai for pointing this out.
- [p2p] #4030 Only allow ed25519 pubkeys when connecting
October 1, 2019
This release fixes a major security vulnerability found in the p2p
package.
All clients are recommended to upgrade. See
#4030 for details.
Special thanks to fudongbai for discovering and reporting this issue.
- [p2p] #4030 Fix for panic on nil public key send to a peer
September 19, 2019
Special thanks to external contributors on this release: @jon-certik, @gracenoah, @PSalant726, @gchaincl
- CLI/RPC/Config
- [rpc] #3984 Add
MempoolClient
interface toClient
interface
- [rpc] #3984 Add
- [rpc] #2010 Add NewHTTPWithClient and NewJSONRPCClientWithHTTPClient (note these and NewHTTP, NewJSONRPCClient functions panic if remote is invalid) (@gracenoah)
- [rpc] #3882 Add custom marshalers to proto messages to disable
omitempty
- [deps] #3952 bump github.com/go-kit/kit from 0.6.0 to 0.9.0
- [deps] #3951 bump github.com/stretchr/testify from 1.3.0 to 1.4.0
- [deps] #3945 bump github.com/gorilla/websocket from 1.2.0 to 1.4.1
- [deps] #3948 bump github.com/libp2p/go-buffer-pool from 0.0.1 to 0.0.2
- [deps] #3943 bump github.com/fortytw2/leaktest from 1.2.0 to 1.3.0
- [deps] #3939 bump github.com/rs/cors from 1.6.0 to 1.7.0
- [deps] #3937 bump github.com/magiconair/properties from 1.8.0 to 1.8.1
- [deps] #3947 update gogo/protobuf version from v1.2.1 to v1.3.0
- [deps] #4001 bump github.com/tendermint/tm-db from 0.1.1 to 0.2.0
- [consensus] #3908 Wait
timeout_commit
to pass even ifcreate_empty_blocks
isfalse
- [mempool] #3968 Fix memory loading error on 32-bit machines (@jon-certik)
August 28, 2019
@climber73 wrote the Writing a Tendermint Core application in Java (gRPC) guide.
Special thanks to external contributors on this release: @gchaincl, @bluele, @climber73
- [consensus] #3839 Reduce "Error attempting to add vote" message severity (Error -> Info)
- [mempool] #3877 Make
max_tx_bytes
configurable instead ofmax_msg_bytes
(@bluele) - [privval] #3370 Refactor and simplify validator/kms connection handling. Please refer to this comment for details
- [rpc] #3880 Document endpoints with
swagger
, introduce contract tests of implementation against documentation
- [config] #3868 Move misplaced
max_msg_bytes
into mempool section (@bluele) - [rpc] #3910 Fix DATA RACE in HTTP client (@gchaincl)
- [store] #3893 Fix "Unregistered interface types.Evidence" panic
July 31, 2019
Special thanks to external contributors on this release: @ruseinov, @bluele, @guagualvcha
- Go API
- [libs] #3811 Remove
db
from libs in favor ofhttps://github.com/tendermint/tm-db
- [libs] #3811 Remove
- [blockchain] #3561 Add early version of the new blockchain reactor, which is supposed to be more modular and testable compared to the old version. To try it, you'll have to change
version
in the config file, here NOTE: It's not ready for a production yet. For further information, see ADR-40 & ADR-43 - [mempool] #3826 Make
max_msg_bytes
configurable(@bluele) - [node] #3846 Allow replacing existing p2p.Reactor(s) using
CustomReactors
option. Warning: beware of accidental name clashes. Here is the list of existing reactors: MEMPOOL, BLOCKCHAIN, CONSENSUS, EVIDENCE, PEX. - [rpc] #3818 Make
max_body_bytes
andmax_header_bytes
configurable(@bluele) - [rpc] #2252 Add
/broadcast_evidence
endpoint to submit double signing and other types of evidence
- [abci] #3809 Recover from application panics in
server/socket_server.go
to allow socket cleanup (@ruseinov) - [p2p] #3664 p2p/conn: reuse buffer when write/read from secret connection(@guagualvcha)
- [p2p] #3834 Do not write 'Couldn't connect to any seeds' error log if there are no seeds in config file
- [rpc] #3076 Improve transaction search performance
- [p2p] #3644 Fix error logging for connection stop (@defunctzombie)
- [rpc] #3813 Return err if page is incorrect (less than 0 or greater than total pages)
July 15, 2019
Special thanks to external contributors on this release: @ParthDesai, @climber73, @jim380, @ashleyvega
This release contains a minor enhancement to the ABCI and some breaking changes to our libs folder, namely:
- CheckTx requests include a
CheckTxType
enum that can be set toRecheck
to indicate to the application that this transaction was already checked/validated and certain expensive operations (like checking signatures) can be skipped - Removed various functions from
libs
pkgs
-
Go API
- [abci] #2127 The CheckTx and DeliverTx methods in the ABCI
Application
interface now take structs as arguments (RequestCheckTx and RequestDeliverTx, respectively), instead of just the raw tx bytes. This allows more information to be passed to these methods, for instance, indicating whether a tx has already been checked. - [libs] Remove unused
db/debugDB
andcommon/colors.go
&errors/errors.go
files (@marbar3778) - [libs] #2432 Remove unused
common/heap.go
file (@marbar3778) - [libs] Remove unused
date.go
,io.go
. RemoveGoPath()
,Prompt()
andIsDirEmpty()
functions fromos.go
(@marbar3778) - [libs] Remove unused
FailRand()
func and minor clean up tofail.go
(@marbar3778)
- [abci] #2127 The CheckTx and DeliverTx methods in the ABCI
- [node] Add variadic argument to
NewNode
to support functional options, allowing the Node to be more easily customized. - [node]#3730 Add
CustomReactors
option toNewNode
allowing caller to pass custom reactors to run inside Tendermint node (@ParthDesai) - [abci] #2127RequestCheckTx has a new field,
CheckTxType
, which can take values ofCheckTxType_New
andCheckTxType_Recheck
, indicating whether this is a new tx being checked for the first time or whether this tx is being rechecked after a block commit. This allows applications to skip certain expensive operations, like signature checking, if they've already been done once. see docs
- [rpc] #3700 Make possible to set absolute paths for TLS cert and key (@climber73)
- [abci] #3513 Call the reqRes callback after the resCb so they always happen in the same order
- [p2p] #3338 Prevent "sent next PEX request too soon" errors by not calling ensurePeers outside of ensurePeersRoutine
- [behaviour] \3772 Return correct reason in MessageOutOfOrder (@jim380)
- [config] #3723 Add consensus_params to testnet config generation; document time_iota_ms (@ashleyvega)
June 25, 2019
Special thanks to external contributors on this release: @needkane, @SebastianElvis, @andynog, @Yawning, @wooparadog
This release contains breaking changes to our build and release processes, ABCI, and the RPC, namely:
- Use Go modules instead of dep
- Bring active development to the
master
Github branch - ABCI Tags are now Events - see docs
- Bind RPC to localhost by default, not to the public interface UPGRADING/RPC_Changes
-
CLI/RPC/Config
- [cli] #3613 Switch from golang/dep to Go Modules to resolve dependencies: It is recommended to switch to Go Modules if your project has tendermint as a dependency. Read more on Modules here: https://github.com/golang/go/wiki/Modules
- [config] #3632 Removed
leveldb
as generic option fordb_backend
. Must begoleveldb
orcleveldb
. - [rpc] #3616 Fix field names for
/block_results
response (eg.results.DeliverTx
->results.deliver_tx
). See docs for details. - [rpc] #3724 RPC now binds to
127.0.0.1
by default instead of0.0.0.0
-
Apps
- [abci] #1859
ResponseCheckTx
,ResponseDeliverTx
,ResponseBeginBlock
, andResponseEndBlock
now includeEvents
instead ofTags
. EachEvent
contains atype
and a list ofattributes
(list of key-value pairs) allowing for inclusion of multiple distinct events in each response.
- [abci] #1859
-
Go API
-
Blockchain Protocol
-
P2P Protocol
- [abci/examples] #3659 Change validator update tx format in the
persistent_kvstore
to use base64 for pubkeys instead of hex (@needkane) - [consensus] #3656 Exit if SwitchToConsensus fails
- [p2p] #3666 Add per channel telemetry to improve reactor observability
- [rpc] #3686
HTTPClient#Call
returns wrapped errors, so a caller could useerrors.Cause
to retrieve an error code. (@wooparadog)
- [libs/db] #3717 Fixed the BoltDB backend's Batch.Delete implementation (@Yawning)
- [libs/db] #3718 Fixed the BoltDB backend's Get and Iterator implementation (@Yawning)
- [node] #3716 Fix a bug where
nil
is recorded as node's address - [node] #3741 Fix profiler blocking the entire node
Tendermint 0.31 release series has reached End-Of-Life and is no longer supported.
April 6, 2020
This security release fixes:
Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3, 0.32.10, and 0.31.12 limit the total number of P2P incoming
connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)
.
Notes:
- Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);
- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (#1696).
Tendermint 0.33.2 and earlier does not reclaim activeID
of a peer after it's
removed in Mempool
reactor. This does not happen all the time. It only
happens when a connection fails (for any reason) before the Peer is created and
added to all reactors. RemovePeer
is therefore called before AddPeer
, which
leads to always growing memory (activeIDs
map). The activeIDs
map has a
maximum size of 65535 and the node will panic if this map reaches the maximum.
An attacker can create a lot of connection attempts (exploiting Denial of
Service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3, 0.32.10, and 0.31.12 claim activeID
for a peer in InitPeer
,
which is executed before MConnection
is started.
Notes:
InitPeer
function was added to all reactors to combat a similar issue - #3338;- Denial of Service 2 is independent of Denial of Service 1 and can be executed without it.
All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
- [mempool] Reserve IDs in InitPeer instead of AddPeer (@tessr)
- [p2p] Limit the number of incoming connections (@melekes)
October 18, 2019
This security release fixes a vulnerability found in the consensus
package,
where an attacker could construct a BlockPartMessage
message in such a way
that it will lead to consensus failure. A few similar issues have been
identified and fixed here.
All clients are recommended to upgrade
Special thanks to elvishacker for finding and reporting this.
- Go API
- [consensus] Modify
WAL#Write
andWAL#WriteSync
to return an error if they fail to write a message
- [consensus] Modify
- [consensus] Validate incoming messages more throughly
October 8, 2019
The previous patch was insufficient because the attacker could still find a way
to submit a nil
pubkey by constructing a PubKeyMultisigThreshold
pubkey
with nil
subpubkeys for example.
This release provides multiple fixes, which include recovering from panics when
accepting new peers and only allowing ed25519
pubkeys.
All clients are recommended to upgrade
Special thanks to fudongbai for pointing this out.
- [p2p] #4030 Only allow ed25519 pubkeys when connecting
October 1, 2019
This release fixes a major security vulnerability found in the p2p
package.
All clients are recommended to upgrade. See
#4030 for details.
Special thanks to fudongbai for discovering and reporting this issue.
- [p2p] #4030 Fix for panic on nil public key send to a peer
- [node] #3716 Fix a bug where
nil
is recorded as node's address - [node] #3741 Fix profiler blocking the entire node
July 29, 2019
This releases fixes one bug in the PEX reactor and adds a recover
to the Go's
ABCI server, which allows it to properly cleanup.
- [abci] #3809 Recover from application panics in
server/socket_server.go
to allow socket cleanup (@ruseinov)
- [p2p] #3338 Prevent "sent next PEX request too soon" errors by not calling ensurePeers outside of ensurePeersRoutine
June 3, 2019
This releases fixes a regression in the mempool introduced in v0.31.6. The regression caused the invalid committed txs to be proposed in blocks over and over again.
- [mempool] #3699 Remove all committed txs from the mempool. This reverts the change from v0.31.6 where we only remove valid txs from the mempool. Note this means malicious proposals can cause txs to be dropped from the mempools of other nodes by including them in blocks before they are valid. See #3322.
May 31st, 2019
This release contains many fixes and improvements, primarily for p2p functionality. It also fixes a security issue in the mempool package.
With this release, Tendermint now supports boltdb, although in experimental mode. Feel free to try and report to us any findings/issues. Note also that the build tags for compiling CLevelDB have changed.
Special thanks to external contributors on this release: @guagualvcha, @james-ray, @gregdhill, @climber73, @yutianwu, @carlosflrs, @defunctzombie, @leoluk, @needkane, @CrocdileChan
- Go API
- [libs/common] Removed deprecated
PanicSanity
,PanicCrisis
,PanicConsensus
andPanicQ
- [mempool, state] #2659
Mempool
now an interface that lives in the mempool package. See issue and PR for more details. - [p2p] #3346
Reactor#InitPeer
method is added toReactor
interface - [types] #1648
Commit#VoteSignBytes
signature was changed
- [libs/common] Removed deprecated
- [node] #2659 Add
node.Mempool()
method, which allows you to access mempool - [libs/db] #3604 Add experimental support for bolt db (etcd's fork of bolt) (@CrocdileChan)
- [cli] #3585 Add
--keep-addr-book
option tounsafe_reset_all
cmd to not clear the address book (@climber73) - [cli] #3160 Add
--config=<path-to-config>
option totestnet
cmd (@gregdhill) - [cli] #3661 Add
--hostname-suffix
,--hostname
and--random-monikers
options totestnet
cmd for greater peer address/identity generation flexibility. - [crypto] #3672 Return more info in the
AddSignatureFromPubKey
error - [cs/replay] #3460 Check appHash for each block
- [libs/db] #3611 Conditional compilation
- Use
cleveldb
tag instead ofgcc
to compile Tendermint with CLevelDB or usemake build_c
/make install_c
(full instructions can be found at https://docs.tendermint.com/) - Use
boltdb
tag to compile Tendermint with bolt db
- Use
- [node] #3362 Return an error if
persistent_peers
list is invalid (except when IP lookup fails) - [p2p] #3463 Do not log "Can't add peer's address to addrbook" error for a private peer (@guagualvcha)
- [p2p] #3531 Terminate session on nonce wrapping (@climber73)
- [pex] #3647 Dial seeds, if any, instead of crawling peers first (@defunctzombie)
- [rpc] #3534 Add support for batched requests/responses in JSON RPC
- [rpc] #3362
/dial_seeds
&/dial_peers
return errors if addresses are incorrect (except when IP lookup fails)
- [consensus] #3067 Fix replay from appHeight==0 with validator set changes (@james-ray)
- [consensus] #3304 Create a peer state in consensus reactor before the peer is started (@guagualvcha)
- [lite] #3669 Add context parameter to RPC Handlers in proxy routes (@yutianwu)
- [mempool] #3322 When a block is committed, only remove committed txs from the mempool
that were valid (ie.
ResponseDeliverTx.Code == 0
) - [p2p] #3338 Ensure
RemovePeer
is always called beforeInitPeer
(upon a peer reconnecting to our node) - [p2p] #3532 Limit the number of attempts to connect to a peer in seed mode to 16 (as a result, the node will stop retrying after a 35 hours time window)
- [p2p] #3362 Allow inbound peers to be persistent, including for seed nodes.
- [pex] #3603 Dial seeds when addrbook needs more addresses (@defunctzombie)
- [networks] fixes ansible integration script (@carlosflrs)
April 16th, 2019
This release fixes a regression from v0.31.4 where, in existing chains that
were upgraded, /validators
could return an empty validator set. This is true
for almost all heights, given the validator set remains the same.
Special thanks to external contributors on this release: @brapse, @guagualvcha, @dongsam, @phucc
- [libs/common]
CMap
: slight optimization inKeys()
andValues()
(@phucc) - [gitignore] gitignore: add .vendor-new (@dongsam)
- [state] #3537
LoadValidators
: do not return an empty validator set - [blockchain] #3457
Fix "peer did not send us anything" in
fast_sync
mode when under high pressure
April 12th, 2019
This release fixes a regression from v0.31.3 which used the peer's SocketAddr
to add the peer to
the address book. This swallowed the peer's self-reported port which is important in case of reconnect.
It brings back NetAddress()
to NodeInfo
and uses it instead of SocketAddr
for adding peers.
Additionally, it improves response time on the /validators
or /status
RPC endpoints.
As a side-effect it makes these RPC endpoint more difficult to DoS and fixes a performance degradation in ExecCommitBlock
.
Also, it contains an ADR that proposes decoupling the
responsibility for peer behaviour from the p2p.Switch
(by @brapse).
Special thanks to external contributors on this release: @brapse, @guagualvcha, @mydring
- [p2p] #3463 Do not log "Can't add peer's address to addrbook" error for a private peer
- [p2p] #3547 Fix a couple of annoying typos (@mdyring)
- [docs] #3514 Fix block.Header.Time description (@melekes)
- [p2p] #2716 Check if we're already connected to peer right before dialing it (@melekes)
- [p2p] #3545 Add back
NetAddress()
toNodeInfo
and use it instead of peer'sSocketAddr()
when adding a peer to thePEXReactor
(potential fix for #3532) - [state] #3438
Persist validators every 100000 blocks even if no changes to the set
occurred (@guagualvcha). This
- Prevents possible DoS attack using
/validators
or/status
RPC endpoints. Before response time was growing linearly with height if no changes were made to the validator set. - Fixes performance degradation in
ExecCommitBlock
where we callLoadValidators
for eachEvidence
in the block.
- Prevents possible DoS attack using
April 1st, 2019
This release includes two security sensitive fixes: it ensures generated private keys are valid, and it prevents certain DNS lookups that would cause the node to panic if the lookup failed.
- Go API
- [crypto/secp256k1] #3439
The
secp256k1.GenPrivKeySecp256k1
function has changed to guarantee that it returns a valid key, which means it will return a different private key than in previous versions for the same secret.
- [crypto/secp256k1] #3439
The
- [crypto/secp256k1] #3439 Ensure generated private keys are valid by randomly sampling until a valid key is found. Previously, it was possible (though rare!) to generate keys that exceeded the curve order. Such keys would lead to invalid signatures.
- [p2p] #3522 Memoize socket address in peer connections to avoid DNS lookups. Previously, failed DNS lookups could cause the node to panic.
March 30th, 2019
This release fixes a regression from v0.31.1 where Tendermint panics under mempool load for external ABCI apps.
Special thanks to external contributors on this release: @guagualvcha
-
CLI/RPC/Config
-
Apps
-
Go API
- [libs/autofile] #3504 Remove unused code in autofile package. Deleted functions:
Group.Search
,Group.FindLast
,GroupReader.ReadLine
,GroupReader.PushLine
,MakeSimpleSearchFunc
(@guagualvcha)
- [libs/autofile] #3504 Remove unused code in autofile package. Deleted functions:
-
Blockchain Protocol
-
P2P Protocol
- [circle] #3497 Move release management to CircleCI
- [mempool] #3512 Fix panic from concurrent access to txsMap, a regression for external ABCI apps introduced in v0.31.1
March 27th, 2019
This release contains a major improvement for the mempool that reduce the amount of sent data by about 30% (see some numbers below). It also fixes a memory leak in the mempool and adds TLS support to the RPC server by providing a certificate and key in the config.
Special thanks to external contributors on this release: @brapse, @guagualvcha, @HaoyangLiu, @needkane, @TraceBundy
-
CLI/RPC/Config
-
Apps
-
Go API
-
Blockchain Protocol
-
P2P Protocol
- [rpc] #3419 Start HTTPS server if
rpc.tls_cert_file
andrpc.tls_key_file
are provided in the config (@guagualvcha)
- [docs] #3140 Formalize proposer election algorithm properties
- [docs] #3482 Fix broken links (@brapse)
- [mempool] #2778 No longer send txs back to peers who sent it to you.
Also, limit to 65536 active peers.
This vastly improves the bandwidth consumption of nodes.
For instance, for a 4 node localnet, in a test sending 250byte txs for 120 sec. at 500 txs/sec (total of 15MB):
- total bytes received from 1st node:
- before: 42793967 (43MB)
- after: 30003256 (30MB)
- total bytes sent to 1st node:
- before: 30569339 (30MB)
- after: 19304964 (19MB)
- total bytes received from 1st node:
- [p2p] #3475 Simplify
GetSelectionWithBias
for addressbook (@guagualvcha) - [rpc/lib/client] #3430 Disable compression for HTTP client to prevent GZIP-bomb DoS attacks (@guagualvcha)
- [blockchain] #2699 Update the maxHeight when a peer is removed
- [mempool] #3478 Fix memory-leak related to
broadcastTxRoutine
(@HaoyangLiu)
March 16th, 2019
Special thanks to external contributors on this release: @danil-lashin, @guagualvcha, @siburu, @silasdavis, @srmo, @Stumble, @svenstaro
This release is primarily about the new pubsub implementation, dubbed pubsub 2.0
, and related changes,
like configurable limits on the number of active RPC subscriptions at a time (max_subscription_clients
).
Pubsub 2.0 is an improved version of the older pubsub that is non-blocking and has a nicer API.
Note the improved pubsub API also resulted in some improvements to the HTTPClient interface and the API for WebSocket subscriptions.
This release also adds a configurable limit to the mempool size (max_txs_bytes
, default 1GB)
and a configurable timeout for the /broadcast_tx_commit
endpoint.
See the v0.31.0 Milestone for more details.
-
CLI/RPC/Config
- [config] #2920 Remove
consensus.blocktime_iota
parameter - [rpc] #3227 New PubSub design does not block on clients when publishing messages. Slow clients may miss messages and receive an error, terminating the subscription.
- [rpc] #3269 Limit number of unique clientIDs with open subscriptions. Configurable via
rpc.max_subscription_clients
- [rpc] #3269 Limit number of unique queries a given client can subscribe to at once. Configurable via
rpc.max_subscriptions_per_client
. - [rpc] #3435 Default ReadTimeout and WriteTimeout changed to 10s. WriteTimeout can increased by setting
rpc.timeout_broadcast_tx_commit
in the config. - [rpc/client] #3269 Update
EventsClient
interface to reflect new pubsub/eventBus API ADR-33. This includesSubscribe
,Unsubscribe
, andUnsubscribeAll
methods.
- [config] #2920 Remove
-
Apps
-
Go API
- [libs/common] TrapSignal accepts logger as a first parameter and does not block anymore
- previously it was dumping "captured ..." msg to os.Stdout
- TrapSignal should not be responsible for blocking thread of execution
- [libs/db] #3397 Add possibility to
Close()
Batch
to prevent memory leak when using ClevelDB. (@Stumble) - [types] #3354 Remove RoundState from EventDataRoundState
- [rpc] #3435
StartHTTPServer
/StartHTTPAndTLSServer
now require a Config (userpcserver.DefaultConfig
)
- [libs/common] TrapSignal accepts logger as a first parameter and does not block anymore
-
Blockchain Protocol
-
P2P Protocol
- [config] #3269 New configuration values for controlling RPC subscriptions:
rpc.max_subscription_clients
sets the maximum number of unique clients with open subscriptionsrpc.max_subscriptions_per_client
sets the maximum number of unique subscriptions from a given clientrpc.timeout_broadcast_tx_commit
sets the time to wait for a tx to be committed during/broadcast_tx_commit
- [types] #2920 Add
time_iota_ms
to block's consensus parameters (not exposed to the application) - [lite] #3269 Add
/unsubscribe_all
endpoint to unsubscribe from all events - [mempool] #3079 Bound mempool memory usage via the
mempool.max_txs_bytes
configuration value. Set to 1GB by default. The mempool's currenttxs_total_bytes
is exposed viatotal_bytes
field in/num_unconfirmed_txs
and/unconfirmed_txs
RPC endpoints.
- [all] #3385, #3386 Various linting improvements
- [crypto] #3371 Copy in secp256k1 package from go-ethereum instead of importing go-ethereum (@silasdavis)
- [deps] #3382 Don't pin repos without releases
- [deps] #3357, #3389, #3392 Update gogo/protobuf, golang/protobuf, levigo, golang.org/x/crypto
- [libs/common] #3238 exit with zero (0) code upon receiving SIGTERM/SIGINT
- [libs/db] #3378 CLevelDB#Stats now returns the following properties:
- leveldb.num-files-at-level{n}
- leveldb.stats
- leveldb.sstables
- leveldb.blockpool
- leveldb.cachedblock
- leveldb.openedtables
- leveldb.alivesnaps
- leveldb.aliveiters
- [privval] #3351 First part of larger refactoring that clarifies and separates concerns in the privval package.
- [blockchain] #3358 Fix timer leak in
BlockPool
(@guagualvcha) - [cmd] #3408 Fix
testnet
command's panic when creating non-validator configs (using--n
flag) (@srmo) - [libs/db/remotedb/grpcdb] #3402 Close Iterator/ReverseIterator after use
- [libs/pubsub] #951, #1880 Use non-blocking send when dispatching messages ADR-33
- [lite] #3364 Fix
/validators
and/abci_query
proxy endpoints (@guagualvcha) - [p2p/conn] #3347 Reject all-zero shared secrets in the Diffie-Hellman step of secret-connection
- [p2p] #3369 Do not panic when filter times out
- [p2p] #3359 Fix reconnecting report duplicate ID error due to race condition between adding peer to peerSet and starting it (@guagualvcha)
March 10th, 2019
This release fixes a CLevelDB memory leak. It was happening because we were not closing the WriteBatch object after use. See levigo's godoc for the Close method. Special thanks goes to @Stumble who both reported an issue in cosmos-sdk and provided a fix here.
- Go API
- [libs/db] #3842 Add Close() method to Batch interface (@Stumble)
- [libs/db] #3842 Fix CLevelDB memory leak (@Stumble)
February 20th, 2019
This release fixes a consensus halt and a DataCorruptionError after restart
discovered in game_of_stakes_6
. It also fixes a security issue in the p2p
handshake by authenticating the NetAddress.ID of the peer we're dialing.
- [config] #3291 Make config.ResetTestRootWithChainID() create concurrency-safe test directories.
- [consensus] #3295 Flush WAL on stop to prevent data corruption during graceful shutdown.
- [consensus] #3302 Fix possible halt by resetting TriggeredTimeoutPrecommit before starting next height.
- [rpc] #3251 Fix
/net_info#peers#remote_ip
format. New format spec:- dotted decimal ("192.0.2.1"), if ip is an IPv4 or IP4-mapped IPv6 address
- IPv6 ("2001:db8::1"), if ip is a valid IPv6 address
- [cmd] #3314 Return
an error on
show_validator
when the private validator file does not exist. - [p2p] #3010 Authenticate a peer against its NetAddress.ID when dialing.
February 8th, 2019
This release fixes yet another issue with the proposer selection algorithm. We hope it's the last one, but we won't be surprised if it's not. We plan to one day expose the selection algorithm more directly to the application (#3285), and even to support randomness (#763). For more, see issues marked proposer-selection.
This release also includes a fix to prevent Tendermint from including the same piece of evidence in more than one block. This issue was reported by @chengwenxi in our bug bounty program.
-
Apps
- [state] #3222
Duplicate updates for the same validator are forbidden. Apps must ensure
that a given
ResponseEndBlock.ValidatorUpdates
contains only one entry per pubkey.
- [state] #3222
Duplicate updates for the same validator are forbidden. Apps must ensure
that a given
-
Go API
- [types] #3222
Remove
Add
andUpdate
methods fromValidatorSet
in favor of newUpdateWithChangeSet
. This allows updates to be applied as a set, instead of one at a time.
- [types] #3222
Remove
-
Block Protocol
- [state] #3286 Blocks that include already committed evidence are invalid.
-
P2P Protocol
- [consensus] #3222
Validator updates are applied as a set, instead of one at a time, thus
impacting the proposer priority calculation. This ensures that the proposer
selection algorithm does not depend on the order of updates in
ResponseEndBlock.ValidatorUpdates
.
- [consensus] #3222
Validator updates are applied as a set, instead of one at a time, thus
impacting the proposer priority calculation. This ensures that the proposer
selection algorithm does not depend on the order of updates in
- [crypto] #3279 Use
btcec.S256().N
directly instead of hard coding a copy.
- [state] #3222 Fix validator set updates so they are applied as a set, rather
than one at a time. This makes the proposer selection algorithm independent of
the order of updates in
ResponseEndBlock.ValidatorUpdates
. - [evidence] #3286 Don't add committed evidence to evidence pool.
February 7th, 2019
Special thanks to external contributors on this release: @ackratos, @rickyyangz
Note: This release contains security sensitive patches in the p2p
and
crypto
packages:
- p2p:
- Partial fix for MITM attacks on the p2p connection. MITM conditions may still exist. See #3010.
- crypto:
- Eliminate our fork of
btcd
and use thebtcd/btcec
library directly for native secp256k1 signing. Note we still modify the signature encoding to prevent malleability. - Support the libsecp256k1 library via CGo through the
go-ethereum/crypto/secp256k1
package. - Eliminate MixEntropy functions
- Eliminate our fork of
- Go API
- [consensus] #3246 Better logging and notes on recovery for corrupted WAL file
- [crypto] #3163 Use ethereum's libsecp256k1 go-wrapper for signatures when cgo is available
- [crypto] #3162 Wrap btcd instead of forking it to keep up with fixes (used if cgo is not available)
- [makefile] #3233 Use golangci-lint instead of go-metalinter
- [tools] #3218 Add go-deadlock tool to help detect deadlocks
- [tools] #3106 Add tm-signer-harness test harness for remote signers
- [tests] #3258 Fixed a bunch of non-deterministic test failures
- [node] #3186 EventBus and indexerService should be started before first block (for replay last block on handshake) execution (@ackratos)
- [p2p] #3232 Fix infinite loop leading to addrbook deadlock for seed nodes
- [p2p] #3247 Fix panic in SeedMode when calling FlushStop and OnStop concurrently
- [p2p] #3040 Fix MITM on secret connection by checking low-order points
- [privval] #3258 Fix race between sign requests and ping requests in socket that was causing messages to be corrupted
January 24, 2019
Special thanks to external contributors on this release: @infinytum, @gauthamzz
This release contains two important fixes: one for p2p layer where we sometimes
were not closing connections and one for consensus layer where consensus with
no empty blocks (create_empty_blocks = false
) could halt.
- [pex] #3037 Only log "Reached max attempts to dial" once
- [rpc] #3159 Expose
triggered_timeout_commit
in the/dump_consensus_state
- [consensus] #3199 Fix consensus halt with no empty blocks from not resetting triggeredTimeoutCommit
- [p2p] #2967 Fix file descriptor leak
January 21, 2019
Special thanks to external contributors on this release: @bradyjoestar, @kunaldhariwal, @gauthamzz, @hrharder
This release is primarily about making some breaking changes to the Block protocol version before Cosmos launch, and to fixing more issues in the proposer selection algorithm discovered on Cosmos testnets.
The Block protocol changes include using a standard Merkle tree format (RFC 6962), fixing some inconsistencies between field orders in Vote and Proposal structs, and constraining the hash of the ConsensusParams to include only a few fields.
The proposer selection algorithm saw significant progress, including a formal proof by @cwgoes for the base-case in Idris and a much more detailed specification (still in progress) by @ancazamfir.
Fixes to the proposer selection algorithm include normalizing the proposer priorities to mitigate the effects of large changes to the validator set. That said, we just discovered another bug, which will be fixed in the next breaking release.
While we are trying to stabilize the Block protocol to preserve compatibility with old chains, there may be some final changes yet to come before Cosmos launch as we continue to audit and test the software.
-
CLI/RPC/Config
-
Apps
- [state] #3049 Total voting power of the validator set is upper bounded by
MaxInt64 / 8
. Apps must ensure they do not return changes to the validator set that cause this maximum to be exceeded.
- [state] #3049 Total voting power of the validator set is upper bounded by
-
Go API
-
Blockchain Protocol
-
P2P Protocol
- [consensus] #3049 Normalize priorities to not exceed
2*TotalVotingPower
to mitigate unfair proposer selection heavily preferring earlier joined validators in the case of an early bonded large validator unbonding
- [consensus] #3049 Normalize priorities to not exceed
- [rpc] #3065 Return maxPerPage (100), not defaultPerPage (30) if
per_page
is greater than the max 100. - [instrumentation] #3082 Add
chain_id
label for all metrics
- [crypto] #3164 Update
btcd
fork for rare signRFC6979 bug - [lite] #3171 Fix verifying large validator set changes
- [log] #3125 Fix year format
- [mempool] #3168 Limit tx size to fit in the max reactor msg size
- [scripts] #3147 Fix json2wal for large block parts (@bradyjoestar)
January 18th, 2019
Special thanks to external contributors on this release: @HaoyangLiu
- [consensus] Fix consensus halt from proposing blocks with too much evidence
January 16th, 2019
Special thanks to external contributors on this release: @fmauricios, @gianfelipe93, @husio, @needkane, @srmo, @yutianwu
This release is primarily about upgrades to the privval
system -
separating the priv_validator.json
into distinct config and data files, and
refactoring the socket validator to support reconnections.
Note: Please backup your existing priv_validator.json
before using this
version.
See UPGRADING.md for more details.
-
CLI/RPC/Config
- [cli] Removed
--proxy_app=dummy
option. Usekvstore
(persistent_kvstore
) instead. - [cli] Renamed
--proxy_app=nilapp
to--proxy_app=noop
. - [config] #2992
allow_duplicate_ip
is now set to false - [privval] #1181 Split
priv_validator.json
into immutable (config/priv_validator_key.json
) and mutable (data/priv_validator_state.json
) parts (@yutianwu) - [privval] #2926 Split up
PubKeyMsg
intoPubKeyRequest
andPubKeyResponse
to be consistent with other message types - [privval] #2923 Listen for unix socket connections instead of dialing them
- [cli] Removed
-
Apps
-
Go API
- [types] #2981 Remove
PrivValidator.GetAddress()
- [types] #2981 Remove
-
Blockchain Protocol
-
P2P Protocol
- [rpc] #3052 Include peer's remote IP in
/net_info
- [consensus] #3086 Log peerID on ignored votes (@srmo)
- [docs] #3061 Added specification for signing consensus msgs at ./docs/spec/consensus/signing.md
- [privval] #2948 Memoize pubkey so it's only requested once on startup
- [privval] #2923 Retry RemoteSigner connections on error
- [build] #3085 Fix
Version
field in build scripts (@husio) - [crypto/multisig] #3102 Fix multisig keys address length
- [crypto/encoding] #3101 Fix
PubKeyMultisigThreshold
unmarshalling intocrypto.PubKey
interface - [p2p/conn] #3111 Make SecretConnection thread safe
- [rpc] #3053 Fix internal error in
/tx_search
when results are empty (@gianfelipe93) - [types] #2926 Do not panic if retrieving the privval's public key fails
December 21st, 2018
- [mempool] #3036 Fix LRU cache by popping the least recently used item when the cache is full, not the most recently used one!
December 16th, 2018
- Go API
- [dep] #3027 Revert to mainline Go crypto library, eliminating the modified
bcrypt.GenerateFromPassword
- [dep] #3027 Revert to mainline Go crypto library, eliminating the modified
December 16th, 2018
- [node] #3025 Validate NodeInfo addresses on startup.
- [p2p] #3025 Revert to using defers in addrbook. Fixes deadlocks in pex and consensus upon invalid ExternalAddr/ListenAddr configuration.
December 15th, 2018
Special thanks to external contributors on this release: @danil-lashin, @hleb-albau, @james-ray, @leo-xinwang
- [rpc] #2964 Add
UnconfirmedTxs(limit)
andNumUnconfirmedTxs()
methods to HTTP/Local clients (@danil-lashin) - [docs] #3004 Enable full-text search on docs pages
- [consensus] #2971 Return error if ValidatorSet is empty after InitChain (@leo-xinwang)
- [ci/cd] #3005 Updated CircleCI job to trigger website build when docs are updated
- [docs] Various updates
- [cmd] #2983
testnet
command always setsaddr_book_strict = false
- [config] #2980 Fix CORS options formatting
- [kv indexer] #2912 Don't ignore key when executing CONTAINS
- [mempool] #2961 Call
notifyTxsAvailable
if there're txs left after committing a block, but recheck=false - [mempool] #2994 Reject txs with negative GasWanted
- [p2p] #2990 Fix a bug where seeds don't disconnect from a peer after 3h
- [consensus] #3006 Save state after InitChain only when stateHeight is also 0 (@james-ray)
December 5th, 2018
Special thanks to external contributors on this release: @danil-lashin, @srmo
Special thanks to @dlguddus for discovering a major issue in the proposer selection algorithm.
This release is primarily about fixes to the proposer selection algorithm
in preparation for the Cosmos Game of
Stakes.
It also makes use of the ConsensusParams.Validator.PubKeyTypes
to restrict the
key types that can be used by validators, and removes the Heartbeat
consensus
message.
-
CLI/RPC/Config
- [rpc] #2932 Rename
accum
toproposer_priority
- [rpc] #2932 Rename
-
Go API
-
Blockchain Protocol
- [state] #2714 Validators can now only use pubkeys allowed within ConsensusParams.Validator.PubKeyTypes
-
P2P Protocol
- [state] #2929 Minor refactor of updateState logic (@danil-lashin)
- [node] #2959 Allow node to start even if software's BlockProtocol is different from state's BlockProtocol
- [pex] #2959 Pex reactor logger uses
module=pex
- [p2p] #2968 Panic on transport error rather than continuing to run but not accept new connections
- [p2p] #2969 Fix mismatch in peer count between
/net_info
and the prometheus metrics - [rpc] #2408
/broadcast_tx_commit
: Fix "interface conversion: interface {} in nil, not EventDataTx" panic (could happen if somebody sent a tx using/broadcast_tx_commit
while Tendermint was being stopped) - [state] #2785 Fix accum for new validators to be
-1.125*totalVotingPower
instead of 0, forcing them to wait before becoming the proposer. Also:- do not batch clip
- keep accums averaged near 0
- [txindex/kv] #2925 Don't return false positives when range searching for a prefix of a tag value
- [types] #2938 Fix regression in v0.26.4 where we panic on empty genDoc.Validators
- [types] #2941 Preserve val.Accum during ValidatorSet.Update to avoid it being reset to 0 every time a validator is updated
November 27th, 2018
Special thanks to external contributors on this release: @ackratos, @goolAdapter, @james-ray, @joe-bowman, @kostko, @nagarajmanjunath, @tomtau
- [rpc] #2747 Enable subscription to tags emitted from
BeginBlock
/EndBlock
(@kostko) - [types] #2747 Add
ResultBeginBlock
andResultEndBlock
fields toEventDataNewBlock
andEventDataNewBlockHeader
to support subscriptions (@kostko) - [types] #2918 Add Marshal, MarshalTo, Unmarshal methods to various structs to support Protobuf compatibility (@nagarajmanjunath)
- [config] #2877 Add
blocktime_iota
to the config.toml (@ackratos)- NOTE: this should be a ConsensusParam, not part of the config, and will be removed from the config at a later date (#2920.
- [mempool] #2882 Add txs from Update to cache
- [mempool] #2891 Remove local int64 counter from being stored in every tx
- [node] #2866 Add ability to instantiate IPCVal (@joe-bowman)
- [blockchain] #2731 Retry both blocks if either is bad to avoid getting stuck during fast sync (@goolAdapter)
- [consensus] #2893 Use genDoc.Validators instead of state.NextValidators on replay when appHeight==0 (@james-ray)
- [log] #2868 Fix
module=main
setting overriding all others- NOTE: this changes the default logging behaviour to be much less verbose.
Set
log_level="info"
to restore the previous behaviour.
- NOTE: this changes the default logging behaviour to be much less verbose.
Set
- [rpc] #2808 Fix
accum
field in/validators
by callingIncrementAccum
if necessary - [rpc] #2811 Allow integer IDs in JSON-RPC requests (@tomtau)
- [txindex/kv] #2759 Fix tx.height range queries
- [txindex/kv] #2775 Order tx results by index if height is the same
- [txindex/kv] #2908 Don't return false positives when searching for a prefix of a tag value
November 17th, 2018
Special thanks to external contributors on this release: @danil-lashin, @kevlubkcm, @krhubert, @srmo
- Go API
- [rpc] #2791 Functions that start HTTP servers are now blocking:
- Impacts
StartHTTPServer
,StartHTTPAndTLSServer
, andStartGRPCServer
- These functions now take a
net.Listener
instead of an address
- Impacts
- [rpc] #2767 Subscribing to events
NewRound
andCompleteProposal
return new typesEventDataNewRound
andEventDataCompleteProposal
, respectively, instead of the genericEventDataRoundState
. (@kevlubkcm)
- [rpc] #2791 Functions that start HTTP servers are now blocking:
- [log] #2843 New
log_format
config option, which can be set to 'plain' for colored text or 'json' for JSON output - [types] #2767 New event types EventDataNewRound (with ProposerInfo) and EventDataCompleteProposal (with BlockID). (@kevlubkcm)
- [dep] #2844 Dependencies are no longer pinned to an exact version in the
Gopkg.toml:
- Serialization libs are allowed to vary by patch release
- Other libs are allowed to vary by minor release
- [p2p] #2857 "Send failed" is logged at debug level instead of error.
- [rpc] #2780 Add read and write timeouts to HTTP servers
- [state] #2848 Make "Update to validators" msg value pretty (@danil-lashin)
- [consensus] #2819 Don't send proposalHearbeat if not a validator
- [docs] #2859 Fix ConsensusParams details in spec
- [libs/autofile] #2760 Comment out autofile permissions check - should fix running Tendermint on Windows
- [p2p] #2869 Set connection config properly instead of always using default
- [p2p/pex] #2802 Seed mode fixes:
- Only disconnect from inbound peers
- Use FlushStop instead of Sleep to ensure all messages are sent before disconnecting
November 15th, 2018
Special thanks to external contributors on this release: @hleb-albau, @zhuzeyu
- [rpc] #2582 Enable CORS on RPC API (@hleb-albau)
- [abci] #2748 Unlock mutex in localClient so even when app panics (e.g. during CheckTx), consensus continue working
- [abci] #2748 Fix DATA RACE in localClient
- [amino] #2822 Update to v0.14.1 to support compiling on 32-bit platforms
- [rpc] #2748 Drain channel before calling Unsubscribe(All) in
/broadcast_tx_commit
November 11, 2018
Special thanks to external contributors on this release: @katakonst
- [consensus] #2704 Simplify valid POL round logic
- [docs] #2749 Deduplicate some ABCI docs
- [mempool] More detailed log messages
- [autofile] #2703 Do not panic when checking Head size
- [crypto/merkle] #2756 Fix crypto/merkle ProofOperators.Verify to check bounds on keypath parts.
- [mempool] fix a bug where we create a WAL despite
wal_dir
being empty - [p2p] #2771 Fix
peer-id
label name topeer_id
in prometheus metrics - [p2p] #2797 Fix IDs in peer NodeInfo and require them for addresses in AddressBook
- [p2p] #2797 Do not close conn immediately after sending pex addrs in seed mode. Partial fix for #2092.
November 2, 2018
Special thanks to external contributors on this release: @bradyjoestar, @connorwstein, @goolAdapter, @HaoyangLiu, @james-ray, @overbool, @phymbert, @Slamper, @Uzair1995, @yutianwu.
Special thanks to @Slamper for a series of bug reports in our bug bounty program which are fixed in this release.
This release is primarily about adding Version fields to various data structures, optimizing consensus messages for signing and verification in restricted environments (like HSMs and the Ethereum Virtual Machine), and aligning the consensus code with the specification. It also includes our first take at a generalized merkle proof system, and changes the length of hashes used for hashing data structures from 20 to 32 bytes.
See the UPGRADING.md for details on upgrading to the new version.
Please note that we are still making breaking changes to the protocols. While the new Version fields should help us to keep the software backwards compatible even while upgrading the protocols, we cannot guarantee that new releases will be compatible with old chains just yet. We expect there will be another breaking release or two before the Cosmos Hub launch, but we will otherwise be paying increasing attention to backwards compatibility. Thanks for bearing with us!
-
CLI/RPC/Config
- [config] #2232 Timeouts are now strings like "3s" and "100ms", not ints
- [config] #2505 Remove Mempool.RecheckEmpty (it was effectively useless anyways)
- [config] #2490
mempool.wal
is disabled by default - [privval] #2459 Split
SocketPVMsg
s implementations into Request and Response, where the Response may contain a error message (returned by the remote signer) - [state] #2644 Add Version field to State, breaking the format of State as encoded on disk.
- [rpc] #2298
/abci_query
takesprove
argument instead oftrusted
and switches the default behaviour toprove=false
- [rpc] #2654 Remove all
node_info.other.*_version
fields in/status
and/net_info
- [rpc] #2636 Remove
_params
suffix from fields inconsensus_params
.
-
Apps
- [abci] #2298 ResponseQuery.Proof is now a structured merkle.Proof, not just arbitrary bytes
- [abci] #2644 Add Version to Header and shift all fields by one
- [abci] #2662 Bump the field numbers for some
ResponseInfo
fields to make room forAppVersion
- [abci] #2636 Updates to ConsensusParams
- Remove
Params
suffix from field names - Add
Params
suffix to message types - Add new field and type,
Validator ValidatorParams
, to control what types of validator keys are allowed.
- Remove
-
Go API
- [config] #2232 Timeouts are time.Duration, not ints
- [crypto/merkle & lite] #2298 Various changes to accomodate General Merkle trees
- [crypto/merkle] #2595 Remove all Hasher objects in favor of byte slices
- [crypto/merkle] #2635 merkle.SimpleHashFromTwoHashes is no longer exported
- [node] #2479 Remove node.RunForever
- [rpc/client] #2298
ABCIQueryOptions.Trusted
->ABCIQueryOptions.Prove
- [types] #2298 Remove
Index
andTotal
fields fromTxProof
. - [types] #2598
VoteTypeXxx
are now of typeSignedMsgType byte
and namedXxxType
, eg.PrevoteType
,PrecommitType
. - [types] #2636 Rename fields in ConsensusParams to remove
Params
suffixes - [types] #2735 Simplify Proposal message to align with spec
-
Blockchain Protocol
- [crypto/tmhash] #2732 TMHASH is now full 32-byte SHA256
- All hashes in the block header and Merkle trees are now 32-bytes
- PubKey Addresses are still only 20-bytes
- [state] #2587 Require block.Time of the fist block to be genesis time
- [state] #2644 Require block.Version to match state.Version
- [types] Update SignBytes for
Vote
/Proposal
/Heartbeat
: - [types] #2730 Use
same order for fields in
Vote
as in the SignBytes - [types] #2732 Remove the address field from the validator hash
- [types] #2644 Add Version struct to Header
- [types] #2609 ConsensusParams.Hash() is the hash of the amino encoded struct instead of the Merkle tree of the fields
- [types] #2670 Header.Hash() builds Merkle tree out of fields in the same order they appear in the header, instead of sorting by field name
- [types] #2682 Use proto3
varint
encoding for ints that are usually unsigned (instead of zigzag encoding). - [types] #2636 Add Validator field to ConsensusParams (Used to control which pubkey types validators can use, by abci type).
- [crypto/tmhash] #2732 TMHASH is now full 32-byte SHA256
-
P2P Protocol
- [consensus] #2652
Replace
CommitStepMessage
withNewValidBlockMessage
- [consensus] #2735 Simplify
Proposal
message to align with spec - [consensus] #2730
Add
Type
field toProposal
and use same order of fields as in the SignBytes for bothProposal
andVote
- [p2p] #2654 Add
ProtocolVersion
struct with protocol versions to top of DefaultNodeInfo and requireProtocolVersion.Block
to match during peer handshake
- [consensus] #2652
Replace
- [abci] #2557 Add
Codespace
field toResponse{CheckTx, DeliverTx, Query}
- [abci] #2662 Add
BlockVersion
andP2PVersion
toRequestInfo
- [crypto/merkle] #2298 General Merkle Proof scheme for chaining various types of Merkle trees together
- [docs/architecture] #1181 S plit immutable and mutable parts of priv_validator.json
- Additional Metrics
- [config] #2232 Added ValidateBasic method, which performs basic checks
- [crypto/ed25519] #2558 Switch to use latest
golang.org/x/crypto
through our fork at github.com/tendermint/crypto - [libs/log] #2707 Add year to log format (@yutianwu)
- [tools] #2238 Binary dependencies are now locked to a specific git commit
- #2711 Validate all incoming reactor messages. Fixes various bugs due to negative ints.
- [autofile] #2428 Group.RotateFile need call Flush() before rename (@goolAdapter)
- [common] #2533 Fixed a bug in the
BitArray.Or
method - [common] #2506 Fixed a bug in the
BitArray.Sub
method (@james-ray) - [common] #2534 Fix
BitArray.PickRandom
to choose uniformly from true bits - [consensus] #1690 Wait for timeoutPrecommit before starting next round
- [consensus] #1745 Wait for Proposal or timeoutProposal before entering prevote
- [consensus] #2642 Only propose ValidBlock, not LockedBlock
- [consensus] #2642 Initialized ValidRound and LockedRound to -1
- [consensus] #1637 Limit the amount of evidence that can be included in a block
- [consensus] #2652 Ensure valid block property with faulty proposer
- [evidence] #2515 Fix db iter leak (@goolAdapter)
- [libs/event] #2518 Fix event concurrency flaw (@goolAdapter)
- [node] #2434 Make node respond to signal interrupts while sleeping for genesis time
- [state] #2616 Pass nil to NewValidatorSet() when genesis file's Validators field is nil
- [p2p] #2555 Fix p2p switch FlushThrottle value (@goolAdapter)
- [p2p] #2668 Reconnect to originally dialed address (not self-reported address) for persistent peers
September 22, 2018
Special thanks to external contributors on this release: @scriptionist, @bradyjoestar, @WALL-E
This release is mostly about the ConsensusParams - removing fields and enforcing MaxGas.
It also addresses some issues found via security audit, removes various unused
functions from libs/common
, and implements
ADR-012.
BREAKING CHANGES:
-
CLI/RPC/Config
-
Apps
- [mempool] #2360 Mempool tracks the
ResponseCheckTx.GasWanted
andConsensusParams.BlockSize.MaxGas
and enforces:GasWanted <= MaxGas
for every tx(sum of GasWanted in block) <= MaxGas
for block proposal
- [mempool] #2360 Mempool tracks the
-
Go API
FEATURES:
- [rpc] #2415 New
/consensus_params?height=X
endpoint to query the consensus params at any height (@scriptonist) - [types] #1714 Add Address to GenesisValidator
- [metrics] #2337
consensus.block_interval_metrics
is now gauge, not histogram (you will be able to see spikes, if any) - [libs] #2286 Panic if
autofile
ordb/fsdb
permissions change from 0600.
IMPROVEMENTS:
- [libs/db] #2371 Output error instead of panic when the given
db_backend
is not initialised (@bradyjoestar) - [mempool] #2399 Make mempool cache a proper LRU (@bradyjoestar)
- [p2p] #2126 Introduce PeerTransport interface to improve isolation of concerns
- [libs/common] #2326 Service returns ErrNotStarted
BUG FIXES:
- [node] #2294 Delay starting node until Genesis time
- [consensus] #2048 Correct peer statistics for marking peer as good
- [rpc] #2460 StartHTTPAndTLSServer() now passes StartTLS() errors back to the caller rather than hanging forever.
- [p2p] #2047 Accept new connections asynchronously
- [tm-bench] #2410 Enforce minimum transaction size (@WALL-E)
September 6th, 2018
Special thanks to external contributors with PRs included in this release: ackratos, james-ray, bradyjoestar, peerlink, Ahmah2009, bluele, b00f.
This release includes breaking upgrades in the block header, including the long awaited changes for delaying validator set updates by one block to better support light clients. It also fixes enforcement on the maximum size of blocks, and includes a BFT timestamp in each block that can be safely used by applications. There are also some minor breaking changes to the rpc, config, and ABCI.
See the UPGRADING.md for details on upgrading to the new version.
From here on, breaking changes will be broken down to better reflect how users are affected by a change.
A few more breaking changes are in the works - each will come with a clear Architecture Decision Record (ADR) explaining the change. You can review ADRs here or in the open Pull Requests. You can also check in on the issues marked as breaking.
BREAKING CHANGES:
-
CLI/RPC/Config
-
Apps
- [abci] Added address of the original proposer of the block to Header
- [abci] Change ABCI Header to match Tendermint exactly
- [abci] #2159 Update use of
Validator
(see ADR-018):- Remove PubKey from
Validator
(so it's just Address and Power) - Introduce
ValidatorUpdate
(with just PubKey and Power) - InitChain and EndBlock use ValidatorUpdate
- Update field names and types in BeginBlock
- Remove PubKey from
- [state] #1815 Validator set changes are now delayed by one block
- updates returned in ResponseEndBlock for block H will be included in RequestBeginBlock for block H+2
-
Go API
- [lite] #1815 Complete refactor of the package
- [node] #2212 NewNode now accepts a
*p2p.NodeKey
(@bradyjoestar) - [libs/common] #2199 Remove Fmt, in favor of fmt.Sprintf
- [libs/common] SplitAndTrim was deleted
- [libs/common] #2274 Remove unused Math functions like MaxInt, MaxInt64, MinInt, MinInt64 (@Ahmah2009)
- [libs/clist] Panics if list extends beyond MaxLength
- [crypto] #2205 Rename AminoRoute variables to no longer be prefixed by signature type.
-
Blockchain Protocol
- [state] #1815 Validator set changes are now delayed by one block (!)
- Add NextValidatorSet to State, changes on-disk representation of state
- [state] #2184 Enforce ConsensusParams.BlockSize.MaxBytes (See
ADR-020).
- Remove ConsensusParams.BlockSize.MaxTxs
- Introduce maximum sizes for all components of a block, including ChainID
- [types] Updates to the block Header:
- [consensus] #2203 Implement BFT time
- Timestamp in block must be monotonic and equal the median of timestamps in block's LastCommit
- [crypto] #2239 Secp256k1 signature changes (See
ADR-014):
- format changed from DER to
r || s
, both little endian encoded as 32 bytes. - malleability removed by requiring
s
to be in canonical form.
- format changed from DER to
- [state] #1815 Validator set changes are now delayed by one block (!)
-
P2P Protocol
FEATURES:
- [types] #2015 Allow genesis file to have 0 validators (@b00f)
- Initial validator set can be determined by the app in ResponseInitChain
- [rpc] #2161 New event
ValidatorSetUpdates
for when the validator set changes - [crypto/multisig] #2164 Introduce multisig pubkey and signature format
- [libs/db] #2293 Allow passing options through when creating instances of leveldb dbs
IMPROVEMENTS:
- [docs] Lint documentation with
write-good
andstop-words
. - [docs] #2249 Refactor, deduplicate, and improve the ABCI docs and spec (with thanks to @ttmc).
- [scripts] #2196 Added json2wal tool, which is supposed to help our users restore (@bradyjoestar) corrupted WAL files and compose test WAL files (@bradyjoestar)
- [mempool] #2234 Now stores txs by hash inside of the cache, to mitigate memory leakage
- [mempool] #2166 Set explicit capacity for map when updating txs (@bluele)
BUG FIXES:
- [config] #2284 Replace
db_path
withdb_dir
from automatically generated configuration files. - [mempool] #2188 Fix OOM issue from cache map and list getting out of sync
- [state] #2051 KV store index supports searching by
tx.height
(@ackratos) - [rpc] #2327
/dial_peers
does not try to dial existing peers - [node] #2323 Filter empty strings from config lists (@james-ray)
- [abci/client] #2236 Fix closing GRPC connection (@bradyjoestar)
August 22nd, 2018
BUG FIXES:
- [libs/autofile] #2261 Fix log rotation so it actually happens.
- Fixes issues with consensus WAL growing unbounded ala #2259
August 5th, 2018
This release includes breaking upgrades in our P2P encryption, some ABCI messages, and how we encode time and signatures.
A few more changes are still coming to the Header, ABCI, and validator set handling to better support light clients, BFT time, and upgrades. Most notably, validator set changes will be delayed by one block (see #1815).
We also removed make ensure_deps
in favour of make get_vendor_deps
.
BREAKING CHANGES:
- [abci] Changed time format from int64 to google.protobuf.Timestamp
- [abci] Changed Validators to LastCommitInfo in RequestBeginBlock
- [abci] Removed Fee from ResponseDeliverTx and ResponseCheckTx
- [crypto] Switch crypto.Signature from interface to []byte for space efficiency
#2128
- NOTE: this means signatures no longer have the prefix bytes in Amino
binary nor the
type
field in Amino JSON. They're just bytes.
- NOTE: this means signatures no longer have the prefix bytes in Amino
binary nor the
- [p2p] Remove salsa and ripemd primitives, in favor of using chacha as a stream cipher, and hkdf #2054
- [tools] Removed
make ensure_deps
in favor ofmake get_vendor_deps
- [types] CanonicalTime uses nanoseconds instead of clipping to ms
- breaks serialization/signing of all messages with a timestamp
FEATURES:
- [tools] Added
make check_dep
- ensures gopkg.lock is synced with gopkg.toml
- ensures no branches are used in the gopkg.toml
IMPROVEMENTS:
- [blockchain] Improve fast-sync logic
#1805
- tweak params
- only process one block at a time to avoid starving
- [common] bit array functions which take in another parameter are now thread safe
- [crypto] Switch hkdfchachapoly1305 to xchachapoly1305
- [p2p] begin connecting to peers as soon a seed node provides them to you (#2093)
BUG FIXES:
- [common] Safely handle cases where atomic write files already exist #2109
- [privval] fix a deadline for accepting new connections in socket private validator.
- [p2p] Allow startup if a configured seed node's IP can't be resolved (#1716)
- [node] Fully exit when CTRL-C is pressed even if consensus state panics #2072
July 26th, 2018
BUG FIXES
- [consensus, blockchain] Fix 0.22.7 below.
July 26th, 2018
BUG FIXES
- [consensus, blockchain] Register the Evidence interface so it can be marshalled/unmarshalled by the blockchain and consensus reactors
July 24th, 2018
BUG FIXES
- [rpc] Fix
/blockchain
endpoint- (#2049) Fix OOM attack by returning error on negative input
- Fix result length to have max 20 (instead of 21) block metas
- [rpc] Validate height is non-negative in
/abci_query
- [consensus] (#2050) Include evidence in proposal block parts (previously evidence was not being included in blocks!)
- [p2p] (#2046) Close rejected inbound connections so file descriptor doesn't leak
- [Gopkg] (#2053) Fix versions in the toml
July 23th, 2018
BREAKING CHANGES:
- [crypto] Refactor
tendermint/crypto
into many subpackages - [libs/common] remove exponentially distributed random numbers
IMPROVEMENTS:
- [abci, libs/common] Generated gogoproto static marshaller methods
- [config] Increase default send/recv rates to 5 mB/s
- [p2p] reject addresses coming from private peers
- [p2p] allow persistent peers to be private
BUG FIXES:
- [mempool] fixed a race condition when
create_empty_blocks=false
where a transaction is published at an old height. - [p2p] dial external IP setup by
persistent_peers
, not internal NAT IP - [rpc] make
/status
RPC endpoint resistant to consensus halt
July 14th, 2018
BREAKING CHANGES:
- [genesis] removed deprecated
app_options
field. - [types] Genesis.AppStateJSON -> Genesis.AppState
FEATURES:
- [tools] Merged in from github.com/tendermint/tools
BUG FIXES:
- [tools/tm-bench] Various fixes
- [consensus] Wait for WAL to stop on shutdown
- [abci] Fix #1891, pending requests cannot hang when abci server dies. Previously a crash in BeginBlock could leave tendermint in broken state.
July 10th, 2018
IMPROVEMENTS
- Update dependencies
- pin all values in Gopkg.toml to version or commit
- update golang/protobuf to v1.1.0
July 10th, 2018
IMPROVEMENTS
- More cleanup post repo merge!
- [docs] Include
ecosystem.json
andtendermint-bft.md
from deprecatedaib-data
repository. - [config] Add
instrumentation.max_open_connections
, which limits the number of requests in flight to Prometheus server (if enabled). Default: 3.
BUG FIXES
- [rpc] Allow unquoted integers in requests
- NOTE: this is only for URI requests. JSONRPC requests and all responses will use quoted integers (the proto3 JSON standard).
- [consensus] Fix halt on shutdown
July 5th, 2018
IMPROVEMENTS
- Cleanup post repo-merge.
- [docs] Various improvements.
BUG FIXES
- [state] Return error when EndBlock returns a 0-power validator that isn't already in the validator set.
- [consensus] Shut down WAL properly.
July 2nd, 2018
BREAKING CHANGES:
- [config]
- Remove
max_block_size_txs
andmax_block_size_bytes
in favor of consensus params from the genesis file. - Rename
skip_upnp
toupnp
, and turn it off by default. - Change
max_packet_msg_size
back tomax_packet_msg_payload_size
- Remove
- [rpc]
- All integers are encoded as strings (part of the update for Amino v0.10.1)
syncing
is now calledcatching_up
- [types] Update Amino to v0.10.1
- Amino is now fully proto3 compatible for the basic types
- JSON-encoded types now use the type name instead of the prefix bytes
- Integers are encoded as strings
- [crypto] Update go-crypto to v0.10.0 and merge into
crypto
- privKey.Sign returns error.
- ed25519 address changed to the first 20-bytes of the SHA256 of the raw pubkey bytes
tmlibs/merkle
->crypto/merkle
. Uses SHA256 instead of RIPEMD160
- [tmlibs] Update to v0.9.0 and merge into
libs
- remove
merkle
package (moved tocrypto/merkle
)
- remove
FEATURES
- [cmd] Added metrics (served under
/metrics
using a Prometheus client; disabled by default). See the newinstrumentation
section in the config and metrics guide. - [p2p] Add IPv6 support to peering.
- [p2p] Add
external_address
to config to allow specifying the address for peers to dial
IMPROVEMENT
- [rpc/client] Supports https and wss now.
- [crypto] Make public key size into public constants
- [mempool] Log tx hash, not entire tx
- [abci] Merged in github.com/tendermint/abci
- [crypto] Merged in github.com/tendermint/go-crypto
- [libs] Merged in github.com/tendermint/tmlibs
- [docs] Move from .rst to .md
BUG FIXES:
- [rpc] Limit maximum number of HTTP/WebSocket connections
(
rpc.max_open_connections
) and gRPC connections (rpc.grpc_max_open_connections
). Check out "Running In Production" guide if you want to increase them. - [rpc] Limit maximum request body size to 1MB (header is limited to 1MB).
- [consensus] Fix a halting bug where
create_empty_blocks=false
- [p2p] Fix panic in seed mode
June 21th, 2018
BREAKING CHANGES
- [config] Change default ports from 4665X to 2665X. Ports over 32768 are ephemeral and reserved for use by the kernel.
- [cmd]
unsafe_reset_all
removes the addrbook.json
IMPROVEMENT
- [pubsub] Set default capacity to 0
- [docs] Various improvements
BUG FIXES
- [consensus] Fix an issue where we don't make blocks after
fast_sync
whencreate_empty_blocks=false
- [mempool] Fix #1761 where we don't process txs if
cache_size=0
- [rpc] Fix memory leak in Websocket (when using
/subscribe
method) - [config] Escape paths in config - fixes config paths on Windows
June 6th, 2018
This is the first in a series of breaking releases coming to Tendermint after soliciting developer feedback and conducting security audits.
This release does not break any blockchain data structures or protocols other than the ABCI messages between Tendermint and the application.
Applications that upgrade for ABCI v0.11.0 should be able to continue running Tendermint v0.20.0 on blockchains created with v0.19.X
BREAKING CHANGES
- [abci] Upgrade to v0.11.0
- [abci] Change Query path for filtering peers by node ID from
p2p/filter/pubkey/<id>
top2p/filter/id/<id>
June 5th, 2018
BREAKING CHANGES
- [types/priv_validator] Moved to top level
privval
package
FEATURES
- [config] Collapse PeerConfig into P2PConfig
- [docs] Add quick-install script
- [docs/spec] Add table of Amino prefixes
BUG FIXES
- [rpc] Return 404 for unknown endpoints
- [consensus] Flush WAL on stop
- [evidence] Don't send evidence to peers that are behind
- [p2p] Fix memory leak on peer disconnects
- [rpc] Fix panic when
per_page=0
June 4th, 2018
BREAKING:
- [p2p] Remove
auth_enc
config option, peer connections are always auth encrypted. Technically a breaking change but seems no one was using it and arguably a bug fix :)
BUG FIXES
- [mempool] Fix deadlock under high load when
skip_timeout_commit=true
andcreate_empty_blocks=false
May 31st, 2018
BREAKING:
- [libs/pubsub] TagMap#Get returns a string value
- [libs/pubsub] NewTagMap accepts a map of strings
FEATURES
- [rpc] the RPC documentation is now published to https://tendermint.github.io/slate
- [p2p] AllowDuplicateIP config option to refuse connections from same IP.
- true by default for now, false by default in next breaking release
- [docs] Add docs for query, tx indexing, events, pubsub
- [docs] Add some notes about running Tendermint in production
IMPROVEMENTS:
- [consensus] Consensus reactor now receives events from a separate synchronous event bus, which is not dependant on external RPC load
- [consensus/wal] do not look for height in older files if we've seen height - 1
- [docs] Various cleanup and link fixes
May 29th, 2018
BUG FIXES
- [blockchain] Fix fast-sync deadlock during high peer turnover
BUG FIX:
- [evidence] Dont send peers evidence from heights they haven't synced to yet
- [p2p] Refuse connections to more than one peer with the same IP
- [docs] Various fixes
May 20th, 2018
BREAKING CHANGES
- [rpc/client] TxSearch and UnconfirmedTxs have new arguments (see below)
- [rpc/client] TxSearch returns ResultTxSearch
- [version] Breaking changes to Go APIs will not be reflected in breaking version change, but will be included in changelog.
FEATURES
- [rpc]
/tx_search
takespage
(starts at 1) andper_page
(max 100, default 30) args to paginate results - [rpc]
/unconfirmed_txs
takeslimit
(max 100, default 30) arg to limit the output - [config]
mempool.size
andmempool.cache_size
options
IMPROVEMENTS
- [docs] Lots of updates
- [consensus] Only Fsync() the WAL before executing msgs from ourselves
BUG FIXES
- [mempool] Enforce upper bound on number of transactions
IMPROVEMENTS
- [state] Improve tx indexing by using batches
- [consensus, state] Improve logging (more consensus logs, fewer tx logs)
- [spec] Moved to
docs/spec
(TODO cleanup the rest of the docs ...)
BUG FIXES
- [consensus] Fix issue #1575 where a late proposer can get stuck
FEATURES
- [rpc] New
/consensus_state
returns just the votes seen at the current height
IMPROVEMENTS
- [rpc] Add stringified votes and fraction of power voted to
/dump_consensus_state
- [rpc] Add PeerStateStats to
/dump_consensus_state
BUG FIXES
- [cmd] Set GenesisTime during
tendermint init
- [consensus] fix ValidBlock rules
FEATURES:
- [p2p] Allow peers with different Minor versions to connect
- [rpc]
/net_info
includesn_peers
IMPROVEMENTS:
- [p2p] Various code comments, cleanup, error types
- [p2p] Change some Error logs to Debug
BUG FIXES:
- [p2p] Fix reconnect to persistent peer when first dial fails
- [p2p] Validate NodeInfo.ListenAddr
- [p2p] Only allow (MaxNumPeers - MaxNumOutboundPeers) inbound peers
- [p2p/pex] Limit max msg size to 64kB
- [p2p] Fix panic when pex=false
- [p2p] Allow multiple IPs per ID in AddrBook
- [p2p] Fix before/after bugs in addrbook isBad()
Note this release includes some small breaking changes in the RPC and one in the config that are really bug fixes. v0.19.1 will work with existing chains, and make Tendermint easier to use and debug. With <3
BREAKING (MINOR)
- [config] Removed
wal_light
setting. If you really needed this, let us know
FEATURES:
- [networks] moved in tooling from devops repo: terraform and ansible scripts for deploying testnets !
- [cmd] Added
gen_node_key
command
BUG FIXES
Some of these are breaking in the RPC response, but they're really bugs!
- [spec] Document address format and pubkey encoding pre and post Amino
- [rpc] Lower case JSON field names
- [rpc] Fix missing entries, improve, and lower case the fields in
/dump_consensus_state
- [rpc] Fix NodeInfo.Channels format to hex
- [rpc] Add Validator address to
/status
- [rpc] Fix
prove
in ABCIQuery - [cmd] MarshalJSONIndent on init
BREAKING:
- [cmd] improved
testnet
command; now it can fill inpersistent_peers
for you in the config file and much more (seetendermint testnet --help
for details) - [cmd]
show_node_id
now returns an error if there is no node key - [rpc]: changed the output format for the
/status
endpoint (see https://godoc.org/github.com/tendermint/tendermint/rpc/core#Status)
Upgrade from go-wire to go-amino. This is a sweeping change that breaks everything that is serialized to disk or over the network.
See github.com/tendermint/go-amino for details on the new format.
See scripts/wire2amino.go
for a tool to upgrade
genesis/priv_validator/node_key JSON files.
FEATURES
- [test] docker-compose for local testnet setup (thanks Greg!)
BREAKING:
- [types] Merkle tree uses different encoding for varints (see tmlibs v0.8.0)
- [types] ValidtorSet.GetByAddress returns -1 if no validator found
- [p2p] require all addresses come with an ID no matter what
- [rpc] Listening address must contain tcp:// or unix:// prefix
FEATURES:
- [rpc] StartHTTPAndTLSServer (not used yet)
- [rpc] Include validator's voting power in
/status
- [rpc]
/tx
and/tx_search
responses now include the transaction hash - [rpc] Include peer NodeIDs in
/net_info
IMPROVEMENTS:
- [config] trim whitespace from elements of lists (like
persistent_peers
) - [rpc]
/tx_search
results are sorted by height - [p2p] do not try to connect to ourselves (ok, maybe only once)
- [p2p] seeds respond with a bias towards good peers
BUG FIXES:
- [rpc] fix subscribing using an abci.ResponseDeliverTx tag
- [rpc] fix tx_indexers matchRange
- [rpc] fix unsubscribing (see tmlibs v0.8.0)
BUG FIXES:
- [types] Actually support
app_state
in genesis asAppStateJSON
BREAKING:
- [types] WriteSignBytes -> SignBytes
IMPROVEMENTS:
- [all] renamed
dummy
(persistent_dummy
) tokvstore
(persistent_kvstore
) (name "dummy" is deprecated and will not work in the next breaking release) - [docs] note on determinism (docs/determinism.rst)
- [genesis]
app_options
field is deprecated. please rename it toapp_state
in your genesis file(s).app_options
will not work in the next breaking release - [p2p] dial seeds directly without potential peers
- [p2p] exponential backoff for addrs in the address book
- [p2p] mark peer as good if it contributed enough votes or block parts
- [p2p] stop peer if it sends incorrect data, msg to unknown channel, msg we did not expect
- [p2p] when
auth_enc
is true, all dialed peers must have a node ID in their address - [spec] various improvements
- switched from glide to dep internally for package management
- [wire] prep work for upgrading to new go-wire (which is now called go-amino)
FEATURES:
- [config] exposed
auth_enc
flag to enable/disable encryption - [config] added the
--p2p.private_peer_ids
flag andPrivatePeerIDs
config variable (see config for description) - [rpc] added
/health
endpoint, which returns empty result for now - [types/priv_validator] new format and socket client, allowing for remote signing
BUG FIXES:
- [consensus] fix liveness bug by introducing ValidBlock mechanism
BREAKING CHANGES:
- [config] use $TMHOME/config for all config and json files
- [p2p] old
--p2p.seeds
is now--p2p.persistent_peers
(persistent peers to which TM will always connect to) - [p2p] now
--p2p.seeds
only used for getting addresses (if addrbook is empty; not persistent) - [p2p] NodeInfo: remove RemoteAddr and add Channels
- we must have at least one overlapping channel with peer
- we only send msgs for channels the peer advertised
- [p2p/conn] pong timeout
- [lite] comment out IAVL related code
FEATURES:
- [p2p] added new
/dial_peers&persistent=_
unsafe endpoint - [p2p] persistent node key in
$THMHOME/config/node_key.json
- [p2p] introduce peer ID and authenticate peers by ID using addresses like
ID@IP:PORT
- [p2p/pex] new seed mode crawls the network and serves as a seed.
- [config] MempoolConfig.CacheSize
- [config] P2P.SeedMode (
--p2p.seed_mode
)
IMPROVEMENT:
- [p2p/pex] stricter rules in the PEX reactor for better handling of abuse
- [p2p] various improvements to code structure including subpackages for
pex
andconn
- [docs] new spec!
- [all] speed up the tests!
BUG FIX:
- [blockchain] StopPeerForError on timeout
- [consensus] StopPeerForError on a bad Maj23 message
- [state] flush mempool conn before calling commit
- [types] fix priv val signing things that only differ by timestamp
- [mempool] fix memory leak causing zombie peers
- [p2p/conn] fix potential deadlock
BREAKING CHANGES:
- [p2p] enable the Peer Exchange reactor by default
- [types] add Timestamp field to Proposal/Vote
- [types] add new fields to Header: TotalTxs, ConsensusParamsHash, LastResultsHash, EvidenceHash
- [types] add Evidence to Block
- [types] simplify ValidateBasic
- [state] updates to support changes to the header
- [state] Enforce <1/3 of validator set can change at a time
FEATURES:
- [state] Send indices of absent validators and addresses of byzantine validators in BeginBlock
- [state] Historical ConsensusParams and ABCIResponses
- [docs] Specification for the base Tendermint data structures.
- [evidence] New evidence reactor for gossiping and managing evidence
- [rpc]
/block_results?height=X
returns the DeliverTx results for a given height.
IMPROVEMENTS:
- [consensus] Better handling of corrupt WAL file
BUG FIXES:
- [lite] fix race
- [state] validate block.Header.ValidatorsHash
- [p2p] allow seed addresses to be prefixed with eg.
tcp://
- [p2p] use consistent key to refer to peers so we dont try to connect to existing peers
- [cmd] fix
tendermint init
to ignore files that are there and generate files that aren't.
BREAKING CHANGES:
- consensus/wal: removed separator
- rpc/client: changed Subscribe/Unsubscribe/UnsubscribeAll funcs signatures to be identical to event bus.
FEATURES:
- new
tendermint lite
command (andlite/proxy
pkg) for running a light-client RPC proxy. NOTE it is currently insecure and its APIs are not yet covered by semver
IMPROVEMENTS:
- rpc/client: can act as event bus subscriber (See tendermint#945).
- p2p: use exponential backoff from seconds to hours when attempting to reconnect to persistent peer
- config: moniker defaults to the machine's hostname instead of "anonymous"
BUG FIXES:
- p2p: no longer exit if one of the seed addresses is incorrect
BREAKING CHANGES:
- abci: update to v0.8 using gogo/protobuf; includes tx tags, vote info in RequestBeginBlock, data.Bytes everywhere, use int64, etc.
- types: block heights are now
int64
everywhere - types & node: EventSwitch and EventCache have been replaced by EventBus and EventBuffer; event types have been overhauled
- node: EventSwitch methods now refer to EventBus
- rpc/lib/types: RPCResponse is no longer a pointer; WSRPCConnection interface has been modified
- rpc/client: WaitForOneEvent takes an EventsClient instead of types.EventSwitch
- rpc/client: Add/RemoveListenerForEvent are now Subscribe/Unsubscribe
- rpc/core/types: ResultABCIQuery wraps an abci.ResponseQuery
- rpc:
/subscribe
and/unsubscribe
takequery
arg instead ofevent
- rpc:
/status
returns the LatestBlockTime in human readable form instead of in nanoseconds - mempool: cached transactions return an error instead of an ABCI response with BadNonce
FEATURES:
- rpc: new
/unsubscribe_all
WebSocket RPC endpoint - rpc: new
/tx_search
endpoint for filtering transactions by more complex queries - p2p/trust: new trust metric for tracking peers. See ADR-006
- config: TxIndexConfig allows to set what DeliverTx tags to index
IMPROVEMENTS:
- New asynchronous events system using
tmlibs/pubsub
- logging: Various small improvements
- consensus: Graceful shutdown when app crashes
- tests: Fix various non-deterministic errors
- p2p: more defensive programming
BUG FIXES:
- consensus: fix panic where prs.ProposalBlockParts is not initialized
- p2p: fix panic on bad channel
BUG FIXES:
- upgrade tmlibs dependency to enable Windows builds for Tendermint
BREAKING CHANGES:
- rpc/client: websocket ResultsCh and ErrorsCh unified in ResponsesCh.
- rpc/client: ABCIQuery no longer takes
prove
- state: remove GenesisDoc from state.
- consensus: new binary WAL format provides efficiency and uses checksums to detect corruption
- use scripts/wal2json to convert to json for debugging
FEATURES:
- new
Verifiers
pkg contains the tendermint light-client library (name subject to change)! - rpc:
/genesis
includes theapp_options
. - rpc:
/abci_query
takes an additionalheight
parameter to support historical queries. - rpc/client: new ABCIQueryWithOptions supports options like
trusted
(set false to get a proof) andheight
to query a historical height.
IMPROVEMENTS:
- rpc:
/genesis
result includesapp_options
- rpc/lib/client: add jitter to reconnects.
- rpc/lib/types:
RPCError
satisfies theerror
interface.
BUG FIXES:
- rpc/client: fix ws deadlock after stopping
- blockchain: fix panic on AddBlock when peer is nil
- mempool: fix sending on TxsAvailable when a tx has been invalidated
- consensus: dont run WAL catchup if we fast synced
IMPROVEMENTS:
- blockchain/reactor: respondWithNoResponseMessage for missing height
BUG FIXES:
- rpc: fixed client WebSocket timeout
- rpc: client now resubscribes on reconnection
- rpc: fix panics on missing params
- rpc: fix
/dump_consensus_state
to have normal json output (NOTE: technically breaking, but worth a bug fix label) - types: fixed out of range error in VoteSet.addVote
- consensus: fix wal autofile via https://github.com/tendermint/tmlibs/blob/master/CHANGELOG.md#032-october-2-2017
BREAKING:
-
genesis file: validator
amount
is nowpower
-
abci: Info, BeginBlock, InitChain all take structs
-
rpc: various changes to match JSONRPC spec (http://www.jsonrpc.org/specification), including breaking ones:
- requests that previously returned HTTP code 4XX now return 200 with an error code in the JSONRPC.
rpctypes.RPCResponse
uses newRPCError
type instead ofstring
.
-
cmd: if there is no genesis, exit immediately instead of waiting around for one to show.
-
types:
Signer.Sign
returns an error. -
state: every validator set change is persisted to disk, which required some changes to the
State
structure. -
p2p: new
p2p.Peer
interface used for all reactor methods (instead of*p2p.Peer
struct).
FEATURES:
- rpc:
/validators?height=X
allows querying of validators at previous heights. - rpc: Leaving the
height
param empty for/block
,/validators
, and/commit
will return the value for the latest height.
IMPROVEMENTS:
- docs: Moved all docs from the website and tools repo in, converted to
.rst
, and cleaned up for presentation ontendermint.readthedocs.io
BUG FIXES:
- fix WAL openning issue on Windows
IMPROVEMENTS:
- docs: Added Slate docs to each rpc function (see rpc/core)
- docs: Ported all website docs to Read The Docs
- config: expose some p2p params to tweak performance: RecvRate, SendRate, and MaxMsgPacketPayloadSize
- rpc: Upgrade the websocket client and server, including improved auto reconnect, and proper ping/pong
BUG FIXES:
- consensus: fix panic on getVoteBitArray
- consensus: hang instead of panicking on byzantine consensus failures
- cmd: dont load config for version command
FEATURES:
- control over empty block production:
- new flag,
--consensus.create_empty_blocks
; when set to false, blocks are only created when there are txs or when the AppHash changes. - new config option,
consensus.create_empty_blocks_interval
; an empty block is created after this many seconds. - in normal operation,
create_empty_blocks = true
andcreate_empty_blocks_interval = 0
, so blocks are being created all the time (as in all previous versions of tendermint). The number of empty blocks can be reduced by increasingcreate_empty_blocks_interval
or by settingcreate_empty_blocks = false
. - new
TxsAvailable()
method added to Mempool that returns a channel which fires when txs are available. - new heartbeat message added to consensus reactor to notify peers that a node is waiting for txs before entering propose step.
- new flag,
- rpc: Add
syncing
field to response returned by/status
. Istrue
while in fast-sync mode.
IMPROVEMENTS:
- various improvements to documentation and code comments
BUG FIXES:
- mempool: pass height into constructor so it doesn't always start at 0
FEATURES:
- Enable lower latency block commits by adding consensus reactor sleep durations and p2p flush throttle timeout to the config
IMPROVEMENTS:
- More detailed logging in the consensus reactor and state machine
- More in-code documentation for many exposed functions, especially in consensus/reactor.go and p2p/switch.go
- Improved readability for some function definitions and code blocks with long lines
FEATURES:
- Use
--trace
to get stack traces for logged errors - types: GenesisDoc.ValidatorHash returns the hash of the genesis validator set
- types: GenesisDocFromFile parses a GenesiDoc from a JSON file
IMPROVEMENTS:
- Add a Code of Conduct
- Variety of improvements as suggested by
megacheck
tool - rpc: deduplicate tests between rpc/client and rpc/tests
- rpc: addresses without a protocol prefix default to
tcp://
.http://
is also accepted as an alias fortcp://
- cmd: commands are more easily reuseable from other tools
- DOCKER: automate build/push
BUG FIXES:
- Fix log statements using keys with spaces (logger does not currently support spaces)
- rpc: set logger on websocket connection
- rpc: fix ws connection stability by setting write deadline on pings
Includes major updates to configuration, logging, and json serialization. Also includes the Grand Repo-Merge of 2017.
BREAKING CHANGES:
-
Config and Flags:
- The
config
map is replaced with aConfig
struct, containing substructs:BaseConfig
,P2PConfig
,MempoolConfig
,ConsensusConfig
,RPCConfig
- This affects the following flags:
--seeds
is now--p2p.seeds
--node_laddr
is now--p2p.laddr
--pex
is now--p2p.pex
--skip_upnp
is now--p2p.skip_upnp
--rpc_laddr
is now--rpc.laddr
--grpc_laddr
is now--rpc.grpc_laddr
- Any configuration option now within a substract must come under that heading in the
config.toml
, for instance:[p2p] laddr="tcp://1.2.3.4:46656" [consensus] timeout_propose=1000
- Use viper and
DefaultConfig() / TestConfig()
functions to handle defaults, and removeconfig/tendermint
andconfig/tendermint_test
- Change some function and method signatures to
- Change some function and method signatures accomodate new config
- The
-
Logger
- Replace static
log15
logger with a simple interface, and provide a new implementation usinggo-kit
. See our new logging library and blog post for more details - Levels
warn
andnotice
are removed (you may need to change them in yourconfig.toml
!) - Change some function and method signatures to accept a logger
- Replace static
-
JSON serialization:
- Replace
[TypeByte, Xxx]
with{"type": "some-type", "data": Xxx}
in RPC and all.json
files by usinggo-wire/data
. For instance, a public key is now:"pub_key": { "type": "ed25519", "data": "83DDF8775937A4A12A2704269E2729FCFCD491B933C4B0A7FFE37FE41D7760D0" }
- Remove type information about RPC responses, so
[TypeByte, {"jsonrpc": "2.0", ... }]
is now just{"jsonrpc": "2.0", ... }
- Change
[]byte
todata.Bytes
in all serialized types (for hex encoding) - Lowercase the JSON tags in
ValidatorSet
fields - Introduce
EventDataInner
for serializing events
- Replace
-
Other:
- Send InitChain message in handshake if
appBlockHeight == 0
- Do not include the
Accum
field when computing the validator hash. This makes the ValidatorSetHash unique for a given validator set, rather than changing with every block (as the Accum changes) - Unsafe RPC calls are not enabled by default. This includes
/dial_seeds
, and all calls prefixed withunsafe
. Use the--rpc.unsafe
flag to enable.
- Send InitChain message in handshake if
FEATURES:
- Per-module log levels. For instance, the new default is
state:info,*:error
, which means thestate
package logs atinfo
level, and everything else logs aterror
level - Log if a node is validator or not in every consensus round
- Use ldflags to set git hash as part of the version
- Ignore
address
andpub_key
fields inpriv_validator.json
and overwrite them with the values derrived from thepriv_key
IMPROVEMENTS:
- Merge
tendermint/go-p2p -> tendermint/tendermint/p2p
andtendermint/go-rpc -> tendermint/tendermint/rpc/lib
- Update paths for grand repo merge:
go-common -> tmlibs/common
go-data -> go-wire/data
- All other
go-
libs, exceptgo-crypto
andgo-wire
, are merged undertmlibs
- No global loggers (loggers are passed into constructors, or preferably set with a SetLogger method)
- Return HTTP status codes with errors for RPC responses
- Limit
/blockchain_info
call to return a maximum of 20 blocks - Use
.Wrap()
and.Unwrap()
instead of eg.PubKeyS
forgo-crypto
types - RPC JSON responses use pretty printing (via
json.MarshalIndent
) - Color code different instances of the consensus for tests
- Isolate viper to
cmd/tendermint/commands
and do not read config from file for tests
BUG FIXES:
- Fix bug in
ResetPrivValidator
where we were using the global config and log (causing external consumers, eg. basecoin, to fail).
FEATURES:
- Transaction indexing - txs are indexed by their hash using a simple key-value store; easily extended to more advanced indexers
- New
/tx?hash=X
endpoint to query for transactions and their DeliverTx result by hash. Optionally returns a proof of the tx's inclusion in the block tendermint testnet
command initializes files for a testnet
IMPROVEMENTS:
- CLI now uses Cobra framework
- TMROOT is now TMHOME (TMROOT will stop working in 0.10.0)
/broadcast_tx_XXX
also returns the Hash (can be used to query for the tx)/broadcast_tx_commit
also returns the height the block was committed in- ABCIResponses struct persisted to disk before calling Commit; makes handshake replay much cleaner
- WAL uses #ENDHEIGHT instead of #HEIGHT (#HEIGHT will stop working in 0.10.0)
- Peers included via
--seeds
, underseeds
in the config, or in/dial_seeds
are now persistent, and will be reconnected to if the connection breaks
BUG FIXES:
- Fix bug in fast-sync where we stop syncing after a peer is removed, even if they're re-added later
- Fix handshake replay to handle validator set changes and results of DeliverTx when we crash after app.Commit but before state.Save()
BREAKING CHANGES:
- Update ABCI to v0.4.0, where Query is now
Query(RequestQuery) ResponseQuery
, enabling precise proofs at particular heights:
message RequestQuery{
bytes data = 1;
string path = 2;
uint64 height = 3;
bool prove = 4;
}
message ResponseQuery{
CodeType code = 1;
int64 index = 2;
bytes key = 3;
bytes value = 4;
bytes proof = 5;
uint64 height = 6;
string log = 7;
}
BlockMeta
data type unifies its Hash and PartSetHash under aBlockID
:
type BlockMeta struct {
BlockID BlockID `json:"block_id"` // the block hash and partsethash
Header *Header `json:"header"` // The block's Header
}
-
ValidatorSet.Proposer
is exposed as a field and persisted with theState
. UseGetProposer()
to initialize or update after validator-set changes. -
tendermint gen_validator
command output is now pure JSON
FEATURES:
- New RPC endpoint
/commit?height=X
returns header and commit for block at heightX
- Client API for each endpoint, including mocks for testing
IMPROVEMENTS:
Node
is now aBaseService
- Simplified starting Tendermint in-process from another application
- Better organized Makefile
- Scripts for auto-building binaries across platforms
- Docker image improved, slimmed down (using Alpine), and changed from tendermint/tmbase to tendermint/tendermint
- New repo files:
CONTRIBUTING.md
, GithubISSUE_TEMPLATE
,CHANGELOG.md
- Improvements on CircleCI for managing build/test artifacts
- Handshake replay is doen through the consensus package, possibly using a mockApp
- Graceful shutdown of RPC listeners
- Tests for the PEX reactor and DialSeeds
BUG FIXES:
- Check peer.Send for failure before updating PeerState in consensus
- Fix panic in
/dial_seeds
with invalid addresses - Fix proposer selection logic in ValidatorSet by taking the address into account in the
accumComparable
- Fix inconcistencies with
ValidatorSet.Proposer
across restarts by persisting it in theState
BREAKING CHANGES:
- New data type
BlockID
to represent blocks:
type BlockID struct {
Hash []byte `json:"hash"`
PartsHeader PartSetHeader `json:"parts"`
}
Vote
data type now includes validator address and index:
type Vote struct {
ValidatorAddress []byte `json:"validator_address"`
ValidatorIndex int `json:"validator_index"`
Height int `json:"height"`
Round int `json:"round"`
Type byte `json:"type"`
BlockID BlockID `json:"block_id"` // zero if vote is nil.
Signature crypto.Signature `json:"signature"`
}
- Update TMSP to v0.3.0, where it is now called ABCI and AppendTx is DeliverTx
- Hex strings in the RPC are now "0x" prefixed
FEATURES:
- New message type on the ConsensusReactor,
Maj23Msg
, for peers to alert others they've seen a Maj23, in order to track and handle conflicting votes intelligently to prevent Byzantine faults from causing halts:
type VoteSetMaj23Message struct {
Height int
Round int
Type byte
BlockID types.BlockID
}
- Configurable block part set size
- Validator set changes
- Optionally skip TimeoutCommit if we have all the votes
- Handshake between Tendermint and App on startup to sync latest state and ensure consistent recovery from crashes
- GRPC server for BroadcastTx endpoint
IMPROVEMENTS:
- Less verbose logging
- Better test coverage (37% -> 49%)
- Canonical SignBytes for signable types
- Write-Ahead Log for Mempool and Consensus via tmlibs/autofile
- Better in-process testing for the consensus reactor and byzantine faults
- Better crash/restart testing for individual nodes at preset failure points, and of networks at arbitrary points
- Better abstraction over timeout mechanics
BUG FIXES:
- Fix memory leak in mempool peer
- Fix panic on POLRound=-1
- Actually set the CommitTime
- Actually send BeginBlock message
- Fix a liveness issues caused by Byzantine proposals/votes. Uses the new
Maj23Msg
.
FEATURES:
- Enable the Peer Exchange reactor with the
--pex
flag for more resilient gossip network (feature still in development, beware dragons)
IMPROVEMENTS:
- Remove restrictions on RPC endpoint
/dial_seeds
to enable manual network configuration
IMPROVEMENTS:
- Type safe FireEvent
- More WAL/replay tests
- Cleanup some docs
BUG FIXES:
- Fix deadlock in mempool for synchronous apps
- Replay handles non-empty blocks
- Fix race condition in HeightVoteSet
BUG FIXES:
- Set mustConnect=false so tendermint will retry connecting to the app
FEATURES:
- New TMSP connection for Query/Info
- New RPC endpoints:
tmsp_query
tmsp_info
- Allow application to filter peers through Query (off by default)
IMPROVEMENTS:
- TMSP connection type enforced at compile time
- All listen/client urls use a "tcp://" or "unix://" prefix
BUG FIXES:
- Save LastSignature/LastSignBytes to
priv_validator.json
for recovery - Fix event unsubscribe
- Fix fastsync/blockchain reactor
BREAKING CHANGES:
- Strict SemVer starting now!
- Update to ABCI v0.2.0
- Validation types now called Commit
- NewBlock event only returns the block header
FEATURES:
- TMSP and RPC support TCP and UNIX sockets
- Addition config options including block size and consensus parameters
- New WAL mode
cswal_light
; logs only the validator's own votes - New RPC endpoints:
- for starting/stopping profilers, and for updating config
/broadcast_tx_commit
, returns when tx is included in a block, else an error/unsafe_flush_mempool
, empties the mempool
IMPROVEMENTS:
- Various optimizations
- Remove bad or invalidated transactions from the mempool cache (allows later duplicates)
- More elaborate testing using CircleCI including benchmarking throughput on 4 digitalocean droplets
BUG FIXES:
- Various fixes to WAL and replay logic
- Various race conditions
Strict versioning only began with the release of v0.7.0, in late summer 2016. The project itself began in early summer 2014 and was workable decentralized cryptocurrency software by the end of that year. Through the course of 2015, in collaboration with Eris Industries (now Monax Industries), many additional features were integrated, including an implementation from scratch of the Ethereum Virtual Machine. That implementation now forms the heart of Burrow. In the later half of 2015, the consensus algorithm was upgraded with a more asynchronous design and a more deterministic and robust implementation.
By late 2015, frustration with the difficulty of forking a large monolithic stack to create alternative cryptocurrency designs led to the invention of the Application Blockchain Interface (ABCI), then called the Tendermint Socket Protocol (TMSP). The Ethereum Virtual Machine and various other transaction features were removed, and Tendermint was whittled down to a core consensus engine driving an application running in another process. The ABCI interface and implementation were iterated on and improved over the course of 2016, until versioned history kicked in with v0.7.0.