github opentensor/subtensor v3.4.5-419

5 hours ago

Security hotfix — resolves a set of findings from a recent security audit, primarily hardening the proxy permission system along with several hotkey-swap and staking edge cases. Mainnet upgraded to spec_version 419. All findings were reproduced with regression tests before being fixed.

🔒 Security advisories

| Advisory | Severity | Summary |
|---|---|---|
| GHSA-m759-m8mv-q3m5 | 🟠 High | Restricted proxies (NonTransfer/NonFungible/NonCritical) can take over an entire coldkey via the announce/swap coldkey-swap lifecycle |
| GHSA-qh57-vpv2-3fvp | 🟠 High | NonFungible proxy denylist omits live swap_hotkey_v2 (call 72), letting a scoped delegate reassign a victim's hotkey identity |
| GHSA-xm63-2wwx-pm6w | 🟡 Moderate | Owner proxy except sudo_set_sn_owner_hotkey carve-out is bypassable via the duplicate alias sudo_set_subnet_owner_hotkey |
| GHSA-h98r-p37h-h4mv | 🟡 Moderate | set_weights/commit_weights family is Pays::No with the per-neuron rate limit enforced only in the dispatch body, enabling fee-free block-fill flooding |
| GHSA-6c95-q3r3-rgwq | 🟢 Low | Root cleanliness gate omits RootClaimed, letting a hotkey-swap merge inflate the claimed high-water mark and under-pay future root dividends |
| GHSA-vpjj-mhgr-cphg | 🟢 Low | Per-subnet hotkey-swap cooldown (HotkeySwapOnSubnetInterval) is bypassable via the all-subnets swap path |
| GHSA-rhmm-mqf8-v6gv | 🟢 Low | StakingColdkeysByIndex / NumStakingColdkeys grow monotonically and are never pruned |
| GHSA-wc2g-rc74-vgw3 | 🟢 Low | Per-subnet ChildkeyTake is not migrated during hotkey swap, silently resetting it |
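The two proxy-filter findings above share one root cause: the restricted proxy types were filtered with a denylist, so a call added later (swap_hotkey_v2), a second path to the same outcome (the announce/swap coldkey-swap lifecycle) or a duplicate alias (sudo_set_subnet_owner_hotkey) fell through as allowed. The Rust below is an added illustration, not subtensor's runtime code or Substrate's InstanceFilter: its Call variants, ProxyType names and Effect classes are stand-ins chosen for the example, and the policy (which effects each proxy type may exercise) is assumed. It contrasts a denylist filter with one that classifies every call by its effect in an exhaustive match, so a new variant fails to compile until someone decides what it may do, and it audits the two filters against each other to surface the gap.

```rust
// Added example, not project code. Toy call set; the real runtime has far more calls.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Call {
    TransferStake,       // moves value out of the coldkey
    SwapHotkey,          // legacy hotkey swap, present in the original denylist
    SwapHotkeyV2,        // newer swap path the denylist never learned about
    AnnounceColdkeySwap, // first step of the coldkey-swap lifecycle
    SwapColdkey,         // completes the swap: whole-account takeover
    SetWeights,          // routine validator activity, safe to delegate
}

pub const ALL_CALLS: [Call; 6] = [
    Call::TransferStake, Call::SwapHotkey, Call::SwapHotkeyV2,
    Call::AnnounceColdkeySwap, Call::SwapColdkey, Call::SetWeights,
];

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ProxyType { Any, NonTransfer, NonFungible }

/// Denylist style: allowed unless listed. Nothing forces a new variant
/// (SwapHotkeyV2) or a second path (the coldkey-swap lifecycle for
/// NonTransfer) to be considered, so they are allowed by default.
pub fn filter_denylist(proxy: ProxyType, call: Call) -> bool {
    match proxy {
        ProxyType::Any => true,
        ProxyType::NonTransfer => !matches!(call, Call::TransferStake),
        ProxyType::NonFungible => !matches!(
            call,
            Call::TransferStake | Call::SwapHotkey | Call::AnnounceColdkeySwap | Call::SwapColdkey
        ),
    }
}

/// What a call can do to the account, independent of its name or call index.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Effect { MovesValue, TakesOverColdkey, ChangesHotkeyIdentity, Routine }

/// Exhaustive match with no wildcard: adding a Call variant is a compile error
/// until it is classified here. Aliases of the same operation map to the same effect.
pub fn effect_of(call: Call) -> Effect {
    match call {
        Call::TransferStake => Effect::MovesValue,
        Call::AnnounceColdkeySwap | Call::SwapColdkey => Effect::TakesOverColdkey,
        Call::SwapHotkey | Call::SwapHotkeyV2 => Effect::ChangesHotkeyIdentity,
        Call::SetWeights => Effect::Routine,
    }
}

/// Assumed policy: no restricted proxy may move value or take over the coldkey;
/// NonFungible additionally may not change hotkey identity.
pub fn filter_classified(proxy: ProxyType, call: Call) -> bool {
    match (proxy, effect_of(call)) {
        (ProxyType::Any, _) => true,
        (_, Effect::MovesValue) | (_, Effect::TakesOverColdkey) => false,
        (ProxyType::NonFungible, Effect::ChangesHotkeyIdentity) => false,
        (ProxyType::NonTransfer, Effect::ChangesHotkeyIdentity) => true,
        (_, Effect::Routine) => true,
    }
}

/// Audit: calls the denylist lets through that the classified filter blocks.
pub fn denylist_gaps(proxy: ProxyType) -> Vec<Call> {
    ALL_CALLS
        .iter()
        .copied()
        .filter(|&c| filter_denylist(proxy, c) && !filter_classified(proxy, c))
        .collect()
}

fn main() {
    for proxy in [ProxyType::NonTransfer, ProxyType::NonFungible].iter().copied() {
        println!("{:?}: denylist allows but classification blocks {:?}", proxy, denylist_gaps(proxy));
    }
}
```

The audit loop is the check worth keeping in a test suite: iterate every call variant and every restricted proxy type and assert the filter's verdict against the call's classified effect, so a new extrinsic or alias cannot land without an explicit decision.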

What's changed

  • Proxy filter hardening — cover the coldkey-swap lifecycle, swap_hotkey_v2, and the sudo_set_subnet_owner_hotkey alias in the restricted-proxy filters (#5, #6, #7)
  • Weight-setting throttle — enforce the per-neuron set_weights/commit_weights rate limit pre-dispatch (#10)
  • Hotkey-swap correctness: RootClaimed watermark accounting (#14), per-subnet swap cooldown on the all-subnets path (#15), per-subnet ChildkeyTake migration (#18), plus review follow-ups merging RootClaimed by sum and extending the cooldown to parent-key subnets (#22)
  • Storage housekeeping — prune the staking-coldkey index when no longer needed (#16)
  • Bump spec_version to 419
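On the weight-setting throttle (#10, GHSA-h98r-p37h-h4mv): a Pays::No call whose only guard runs inside the dispatch body is admitted to the block before that guard executes, so a call that is then rejected still consumes its declared weight at no cost to the sender, and honest traffic behind it is crowded out. The Rust below is an added toy model, not subtensor's code and not Substrate's transaction pool or SignedExtension machinery; the block builder, extrinsic fields, weights and limits are constructed for the example. It runs the same constructed pool (1000 same-block submissions from one neuron, then one honest call from another) through both placements of the check.

```rust
// Added example, not project code. Toy model of block building with the
// per-neuron rate limit either in the dispatch body or before inclusion.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Pays { Yes, No }

#[derive(Clone, Copy, Debug)]
pub struct Extrinsic {
    pub neuron: u16, // submitting neuron
    pub weight: u64, // block weight consumed when included
    pub pays: Pays,  // fee class declared on the call
    pub fee: u64,    // fee charged only if pays == Pays::Yes
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct BlockOutcome {
    pub included: usize,  // extrinsics packed into the block
    pub succeeded: usize, // extrinsics whose dispatch body succeeded
    pub weight_used: u64, // block weight consumed
    pub fees: u64,        // fees collected from senders
}

/// Toy chain state: last block at which each neuron set weights.
#[derive(Default)]
pub struct State { last_set: HashMap<u16, u64> }

impl State {
    fn within_limit(&self, neuron: u16, now: u64, min_interval: u64) -> bool {
        match self.last_set.get(&neuron) {
            Some(last) => now.saturating_sub(*last) >= min_interval,
            None => true,
        }
    }
}

pub struct Builder { pub max_weight: u64, pub min_interval: u64, pub now: u64 }

impl Builder {
    /// Vulnerable shape: rate limit only in the dispatch body. Every submission
    /// is packed until the block is full; the ones failing the check still burn
    /// their weight and, being Pays::No, pay nothing.
    pub fn check_in_dispatch(&self, state: &mut State, pool: &[Extrinsic]) -> BlockOutcome {
        let mut out = BlockOutcome::default();
        for xt in pool {
            if out.weight_used + xt.weight > self.max_weight { break; }
            out.included += 1;
            out.weight_used += xt.weight;
            if xt.pays == Pays::Yes { out.fees += xt.fee; }
            if state.within_limit(xt.neuron, self.now, self.min_interval) {
                state.last_set.insert(xt.neuron, self.now);
                out.succeeded += 1;
            }
        }
        out
    }

    /// Hardened shape: the same check runs before inclusion (pre-dispatch), so a
    /// submission that would fail it never takes block space.
    pub fn check_pre_dispatch(&self, state: &mut State, pool: &[Extrinsic]) -> BlockOutcome {
        let mut out = BlockOutcome::default();
        for xt in pool {
            if !state.within_limit(xt.neuron, self.now, self.min_interval) { continue; }
            if out.weight_used + xt.weight > self.max_weight { break; }
            out.included += 1;
            out.weight_used += xt.weight;
            if xt.pays == Pays::Yes { out.fees += xt.fee; }
            state.last_set.insert(xt.neuron, self.now);
            out.succeeded += 1;
        }
        out
    }
}

/// Constructed pool: `n` Pays::No calls from one neuron, then one honest call.
pub fn flood_then_honest(flooder: u16, honest: u16, n: usize) -> Vec<Extrinsic> {
    let mut pool: Vec<Extrinsic> = (0..n)
        .map(|_| Extrinsic { neuron: flooder, weight: 10, pays: Pays::No, fee: 1 })
        .collect();
    pool.push(Extrinsic { neuron: honest, weight: 10, pays: Pays::No, fee: 1 });
    pool
}

/// Returns (outcome with check in dispatch body, outcome with pre-dispatch check).
pub fn demo() -> (BlockOutcome, BlockOutcome) {
    let builder = Builder { max_weight: 5_000, min_interval: 100, now: 1_000 };
    let pool = flood_then_honest(7, 8, 1_000);
    let vulnerable = builder.check_in_dispatch(&mut State::default(), &pool);
    let fixed = builder.check_pre_dispatch(&mut State::default(), &pool);
    (vulnerable, fixed)
}

fn main() {
    let (v, f) = demo();
    println!("rate limit in dispatch body: {:?}", v);
    println!("rate limit pre-dispatch:     {:?}", f);
}
```

With the check in the body, 500 of the flooder's calls fill the block, one succeeds, no fee is paid and the honest call never gets in; with the check pre-dispatch, only the flooder's first call and the honest call are included.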

Full Changelog: v3.4.4-417...v3.4.5-419
