github AztecProtocol/aztec-packages v5.0.1

5 hours ago
  █████   █████     █
  █       █   █    ██
  █████   █   █     █
      █   █   █     █
  █████   █████   █████

        A Z T E C

Date: 2026-07-15 · Tag: v5.0.1 · Baseline: v5.0.0 · Patch release — required for aztec.nr / aztec.js / PXE, optional for node operators

Install: aztec-up install 5.0.1 · Docker: aztecprotocol/aztec:5.0.1

Summary

v5.0.1 is a patch release focused on the client. It closes a set of note-discovery and message-handling issues that could leave a note undecryptable or permanently freeze note sync, hardens the handshake and secret-scoping paths, and makes PXE/wallet storage survive schema, rollup, and network changes instead of wiping.

Upgrade guidance

  • Required for anyone building with aztec.nr, aztec.js, or PXE. One breaking aztec.nr change tightens note-validation siloing, and a cluster of client-side fixes closes cases where a hostile sender could wedge a recipient's note sync or deliver an undecryptable note. Contract, wallet, and dApp builders should move to 5.0.1.
  • Optional for node operators. No coordinated upgrade is needed. Operators running prover nodes will still want it for the clean-shutdown fix below.

Breaking changes

  • feat!: note validation now silos on the note's own contract — the note-history validation helpers were computing the note-hash siloing key (nhsk) against the executing contract's address rather than the note's contract address, and did not stop callers from running them on external contracts. They now assert against external-contract use and have been renamed to reflect it. Contracts that validated notes belonging to another contract via history::note must update to the renamed helpers (#24644).

What contract developers should care about

  • Fee payer must be set in the non-revertible phasePrivateContext now asserts this instead of allowing a fee payer to be set in a revertible phase (#24479).
  • New getTxEffects oracle — fetch transaction effects in batch from contract/test code (#24636).
  • TXE: authorize all utility call targets — a new option in the TXE test runtime authorizes every utility call target at once, removing per-target setup boilerplate in contract tests (#24662).
  • Exported in-process testing network — the e2e scaffolding is now shipped as TypeScript (via aztec-kit) so external projects can spin up an in-process network for their own tests, replacing the previous unpublishable shell script (#24629).

What wallet / PXE users should care about

  • Stores survive schema, rollup, and network changes — PXE and wallet storage no longer wipes when the schema version or rollup address changes; distinct stores are kept per rollup/network (chain id included), so switching networks no longer destroys pre-existing local state. The kv-store package is no longer responsible for on-disk location or rollup-address knowledge for PXE/wallet storage (#24631).
  • Sender-tag sync no longer wedges on conflicting ranges — discovery could re-derive a different index range for an already-tracked (secret, txHash) pair and hit a Conflicting range throw that permanently wedged the secret, triggered by a same-PXE partial revert or a tx straddling a sync-window boundary. Discovery now merges with the existing range instead of throwing (#24655).
  • Browser SQLite handle-release fix — OPFS handles are released before the SQLite worker's close/delete acknowledgement, fixing a flake in the browser database-management path (#24647).

Security & correctness

The client hardening in this release centers on inputs an untrusted sender or counterparty controls:

  • Undecryptable-note vector closed — the ephemeral secret key used when encrypting a message comes from an unconstrained routine, so a malicious sender could substitute eph_sk = 0, yielding the point at infinity as the ephemeral public key. Its zero y-coordinate passed the y-sign check, but the broadcast x-coordinate (0) is not a valid curve point, so the recipient could never reconstruct the key — permanently breaking the constrained-delivery guarantee that a note delivered by an untrusted sender stays decryptable. Key generation now rejects the infinity ephemeral key (#24665).
  • Partial-note sync can't be frozen by malformed logs — partial-note discovery had four crash points on the completion path, each reachable by a malicious sender and each firing before the pending note advanced, so every subsequent sync re-hit it and permanently froze note sync for that contract (including the canonical token). All four are now tolerated (#24668).
  • Handshake forgery prevented — a recipient could forge a colliding handshake; a new HANDSHAKE_FORGERY_PROTECTION domain separator protects the handshake's shared secret against this (#24403).
  • Out-of-scope secret access closed — some stores were read without checking whether the associated accounts were in scope; scope checks were added on the log-retrieval service and inlined in the affected oracles (#24616).
  • Reject implausibly future-dated messages — a sanity check now rejects messages timestamped implausibly far into the future, which would otherwise never be evicted and would mask an inconsistency elsewhere (#24645).

What node operators should care about

This release is optional for operators — no consensus-affecting changes — but includes:

  • Prover node no longer aborts in-flight jobs on a clean shutdownSessionManager.stop() hardcoded abortJobs: true, so a deploy or restart aborted live top-tree broker jobs whose proofs were still valid and whose agents were mid-flight. Clean restarts now keep those jobs (#24579).
  • Validator-keys funding-account support in the CLIvalidator-keys new/add/set-funding-account gain --funding-account, moved into a dedicated set-funding-account subcommand, with keystore remote-signer inheritance for the address form (#24476).

Also in this release

  • Docs — fee README improvements (#24666).
  • Tests — fixed a proof_boundary startup race (#24671) and a non-empty-password case in the funding-encryption CLI test.

Reference

  • v5.0.0 release notes — the first stable v5 release and full v4→v5 migration reference.
  • Migration notes — per-change migration reference for contract and wallet developers.

Don't miss a new aztec-packages release

NewReleases is sending notifications on new releases.