github celestiaorg/celestia-core v0.40.0

13 hours ago

This is a major release of celestia-core with several breaking changes, important security fixes, and performance improvements. It requires Go 1.26.1+.

Breaking Changes

  • PebbleDB is now the only supported database backend (#2867). All other backends (GoLevelDB, CLevelDB, BoltDB, RocksDB, BadgerDB) have been removed. cometbft-db is
    bumped from v0.14.1 to v1.0.4 — PebbleDB no longer requires a build tag. Operators using any other backend must migrate to PebbleDB before upgrading.
  • Non-CAT mempool implementations removed (#2803). The v0 (flood/CListMempool) and v1 (priority) mempool implementations are removed. The CAT mempool is now the only
    supported mempool type (besides nop). Since celestia-app v6 already forcibly overrode any non-CAT configuration, real-world impact is minimal.
  • Mempool type field removed from config.toml template (#2811). Newly generated configs will no longer contain the mempool type field. Existing config files are
    unaffected — the field still parses without error.
  • Node halts on consensus failures (#2547). Nodes now panic on consensus failures rather than continuing in a potentially inconsistent state.

Security Fixes

  • BlobTx crash replay determinism (#2846). ExecCommitBlock now strips BlobTx wrappers to match applyBlock behavior, fixing a crash recovery replay issue where
    different transaction bytes were sent to FinalizeBlock during replay vs normal execution. (CELESTIA-215, via HackenProof)
  • CompactBlock proof cache poisoning (#2847). CompactBlock.Proofs() now validates Merkle root hashes before committing to the cache, preventing invalid proofs from
    being served on subsequent calls. (CELESTIA-216, via HackenProof)
  • LCA evidence PubKey-Address binding (#2848). validateABCIEvidence now verifies that PubKey.Address() matches the Address field, preventing LightClientAttackEvidence
    with swapped PubKeys from redirecting slash attribution to innocent validators. (CELESTIA-220, via HackenProof)
  • Socket client DoS via QuerySequence (#2844). Added missing QuerySequence case to resMatchesReq in the socket ABCI client, which previously caused the client to treat
    a valid response as unexpected and terminate the node. (via HackenProof)
  • P2P receive buffer memory pinning (#2815). Fixed a memory pinning issue where large P2P receive buffers (~128 MiB per connection on the BLOCKSYNC channel) were
    retained for the entire connection lifetime, potentially pinning ~5 GiB of heap with 40 inbound peers.
  • State sync peer poisoning (#2814). Peers rejected by the ABCI application during state sync are now disconnected at the P2P layer, preventing malicious peers from
    continuously sending poisoned ChunkResponse messages in an infinite retry loop.
  • Propagation reactor liveness (#2813). Added a default case to handleHaves select to prevent the reactor's message-processing goroutine from blocking indefinitely
    when a per-peer channel is full. (CELESTIA-185)
  • Unbounded Txs message validation (unreleased changelog entry). Peers that send a Txs message with more than one transaction, empty transactions, or an entirely empty array are now disconnected, preventing unbounded
    CPU and memory growth from malicious batched messages.
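
The PubKey-Address binding check described for #2848 above, sketched as an added example (not celestia-core's own code). The Validator type, validateBinding and newValidator are hypothetical names, and the address scheme (first 20 bytes of SHA-256 over the ed25519 public key) is assumed to match CometBFT's ed25519 keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Validator is a hypothetical stand-in for a validator entry in LCA evidence.
type Validator struct {
	Address []byte
	PubKey  ed25519.PublicKey
}

var errBinding = errors.New("PubKey does not derive Address")

// addressOf: first 20 bytes of SHA-256(pubkey), assumed to match CometBFT ed25519.
func addressOf(pk ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pk)
	return sum[:20]
}

// validateBinding rejects evidence where any Address is not derived from its PubKey.
func validateBinding(vals []Validator) error {
	for i, v := range vals {
		if len(v.PubKey) != ed25519.PublicKeySize {
			return fmt.Errorf("validator %d: bad key length %d", i, len(v.PubKey))
		}
		if !bytes.Equal(addressOf(v.PubKey), v.Address) {
			return fmt.Errorf("validator %d: %w", i, errBinding)
		}
	}
	return nil
}

// newValidator builds a constructed sample validator from a fixed seed byte.
func newValidator(seed byte) Validator {
	pk := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize)).Public().(ed25519.PublicKey)
	return Validator{Address: addressOf(pk), PubKey: pk}
}

func main() {
	a, b := newValidator(1), newValidator(2)
	fmt.Println("consistent:", validateBinding([]Validator{a, b}))
	mismatched := Validator{Address: b.Address, PubKey: a.PubKey} // key and address from different validators
	fmt.Println("mismatched:", validateBinding([]Validator{a, mismatched}))
}
```

Without the binding check, a signature that verifies under PubKey says nothing about whether the Address field names the validator that actually signed.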

Bug Fixes

  • Bump Go version to 1.26.1, resolving 5 stdlib vulnerabilities including html/template URL escaping, os.Root file escape, net/url IPv6 parsing, and crypto/x509 issues
    (#2845)
  • Bump github.com/cloudflare/circl to v1.6.3 (#2840)

Improvements

  • gRPC service for privval/fiber (#2868). Exposes a gRPC service to the private validator subsystem for use by the compact block propagation system (fiber).
  • PebbleDB write performance (#2865). Increased maxBlockPartsToBatch to 600 for improved PebbleDB write throughput.
  • Legacy block propagation throughput (#2699). Throughput is now also reduced when only the legacy (non-compact-block) propagation path is running.
  • Block sync catchup retry (#2828). Catchup retry time cut in half.
  • CAT mempool priority ordering tests (#2839). Added tests for priority ordering in the CAT mempool.
  • Blocksync max-height poisoning regression test (#2818).
  • Increased consensus test timeouts to reduce CI flakes (#2849, #2850, #2841, #2842, #2851, #2810)

What's Changed

  • build(deps): Bump google.golang.org/grpc from 1.78.0 to 1.79.1 by @dependabot[bot] in #2808
  • chore!: remove mempool type from config.toml template by @rootulp in #2811
  • fix: reduce flakiness in three consensus tests by @rootulp in #2810
  • chore: remove non-CAT mempool implementations by @rootulp in #2803
  • fix: add default case to handleHaves select to prevent reactor halt by @rootulp in #2813
  • fix: disconnect peers that send invalid chunks during state sync by @rootulp in #2814
  • chore: add blocksync max-height poisoning regression test by @rach-id in #2818
  • build(deps): Bump goreleaser/goreleaser-action from 6 to 7 by @dependabot[bot] in #2819
  • build(deps): Bump github.com/adlio/schema from 1.3.9 to 1.4.0 by @dependabot[bot] in #2820
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.7 to 1.19.9 by @dependabot[bot] in #2821
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.32.7 to 1.32.9 by @dependabot[bot] in #2822
  • fix: release P2P channel receive buffer after large message EOF by @rootulp in #2815
  • chore: panic on consensus failures by @rach-id in #2547
  • chore: cut catchup retry time in half by @ninabarbakadze in #2828
  • build(deps): Bump actions/upload-artifact from 5 to 7 by @dependabot[bot] in #2830
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.9 to 1.19.10 by @dependabot[bot] in #2831
  • build(deps): Bump golang.org/x/net from 0.50.0 to 0.51.0 by @dependabot[bot] in #2834
  • build(deps): Bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.0 by @dependabot[bot] in #2837
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.32.9 to 1.32.10 by @dependabot[bot] in #2835
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.0 to 1.96.2 by @dependabot[bot] in #2836
  • chore: also reduce the throughput when only the legacy block prop is running by @rach-id in #2699
  • fix: bump github.com/cloudflare/circl to v1.6.3 by @rootulp in #2840
  • fix: increase ensureVote timeout to fix flaky TestStateOversizedBlock by @rootulp in #2842
  • fix: use assert.Eventually in TestReactorRecordsVotesAndBlockParts by @rootulp in #2841
  • test: add CAT mempool priority ordering tests by @rootulp in #2839
  • fix: add missing QuerySequence case to socket client resMatchesReq by @rootulp in #2844
  • fix: bump Go to 1.25.8 to resolve stdlib vulnerabilities by @rootulp in #2845
  • fix: enforce PubKey-Address binding in LCA evidence validation by @rootulp in #2848
  • fix: prevent CompactBlock.Proofs() cache poisoning on validation failure by @rootulp in #2847
  • fix: strip BlobTx wrappers in ExecCommitBlock during crash replay by @rootulp in #2846
  • fix: increase TestByzantinePrevoteEquivocation timeout to reduce flakes by @rootulp in #2850
  • fix: use dynamic ports in node tests to prevent port conflicts by @rootulp in #2851
  • fix: increase base ensureTimeout from 200ms to 400ms by @rootulp in #2849
  • build(deps): Bump docker/build-push-action from 6.19.2 to 7.0.0 by @dependabot[bot] in #2853
  • build(deps): Bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by @dependabot[bot] in #2855
  • build(deps): Bump docker/login-action from 3.7.0 to 4.0.0 by @dependabot[bot] in #2856
  • build(deps): Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.42.0 by @dependabot[bot] in #2852
  • build(deps): Bump golang.org/x/sync from 0.19.0 to 0.20.0 by @dependabot[bot] in #2858
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.10 to 1.19.11 by @dependabot[bot] in #2863
  • build(deps): Bump github.com/sasha-s/go-deadlock from 0.3.6 to 0.3.7 by @dependabot[bot] in #2862
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.2 to 1.96.4 by @dependabot[bot] in #2860
  • build(deps): Bump go.opentelemetry.io/otel/exporters/stdout/stdouttrace from 1.40.0 to 1.42.0 by @dependabot[bot] in #2859
  • build(deps): Bump google.golang.org/grpc from 1.79.1 to 1.79.2 by @dependabot[bot] in #2861
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.32.10 to 1.32.11 by @dependabot[bot] in #2864
  • chore: adjust maxBlockPartsToBatch to 600 for improved pebbleDB performance by @rach-id in #2865
  • feat!: switch to PebbleDB as only supported DB backend by @rach-id in #2867
  • build(deps): Bump github.com/aws/aws-sdk-go-v2 from 1.41.3 to 1.41.4 by @dependabot[bot] in #2873
  • build(deps): Bump styfle/cancel-workflow-action from 0.13.0 to 0.13.1 by @dependabot[bot] in #2872
  • build(deps): Bump github.com/klauspost/reedsolomon from 1.13.2 to 1.13.3 by @dependabot[bot] in #2874
  • build(deps): Bump slackapi/slack-github-action from 2.1.1 to 3.0.1 by @dependabot[bot] in #2870
  • build(deps): Bump golang.org/x/net from 0.51.0 to 0.52.0 by @dependabot[bot] in #2878
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/config from 1.32.11 to 1.32.12 by @dependabot[bot] in #2876
  • build(deps): Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.4 to 1.97.1 by @dependabot[bot] in #2877
  • feat: expose gRPC service to privval for fiber by @ninabarbakadze in #2868

Full Changelog: 0.39.25...v0.40.0
