Skip to content

Mainnet v4.8.x#4330

Open
vicsn wants to merge 69 commits into
mainnetfrom
main_net_v48
Open

Mainnet v4.8.x#4330
vicsn wants to merge 69 commits into
mainnetfrom
main_net_v48

Conversation

@vicsn

@vicsn vicsn commented Jun 28, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Motivation

Release PR merging testnet into mainnet and updating snarkVM rev to ProvableHQ/snarkVM#3314

No crates.io release will be made yet in this PR, but we can do this retro-actively when certain applications require it.

  • sync test passed
  • prerelease testing passed

kaimast and others added 30 commits May 26, 2026 18:05
@kaimast
build: lint all scripts in CI and on pre-commit
a1f6bf2
@kaimast
fix: ensure dev-on-prod works as expected
57f751f
@ljedrz
tweak: improve synchronization when disconnecting
dcf721c 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@ljedrz
tweak: relax connection accept backoff
7e55531 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@ljedrz
tweak: guard against a niche underflow in CountingCodec
affaed8 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@ljedrz
fix: bound the number of tasks spawned when accepting connections
95d1695 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@kaimast
fix(cli): do not use empty path for endpoint
dbb252a
Initial plan
b3b3c7f
fix: source reported versions from release-version
427debd
@ljedrz
feat: RAII auto-disconnect + DisconnectOrigin
a2a72fe 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@ljedrz
logs: notify on actual physical disconnect
8b56074 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@ljedrz
tweak: apply review comments
c4c94d7 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@vicsn
Bump snarkVM and snarkOS version
005cea1
@vicsn
Merge remote-tracking branch 'origin/staging' into fix/hotswap-ledger
6f74267
@vicsn
Install libclang-dev in circleci
055fb2a
@vicsn
Merge pull request #4266 from ProvableHQ/fix/hotswap-ledger
b9f4063 
[Fix] Ensure `--dev-on-prod works` as expected
@vicsn
Install missing deps for github workflows
b18c186
@vicsn
Merge pull request #4299 from ProvableHQ/fix_github_workflows
7ee95f2 
Install missing deps for github workflows
@vicsn
Merge remote-tracking branch 'origin/staging' into postrelease-merge-…
2f72a13 
…mainnet
@vicsn
Update Cargo.lock
e914c14
@vicsn
Merge pull request #4298 from ProvableHQ/postrelease-merge-mainnet
2502648 
Postrelease merge mainnet
Initial plan
96fa0cd
feat: enable telemetry by default build feature
0eeb475
docs: clarify telemetry default wording
531086a
@raychu86
Increase REST body limit
0c9b543
@vicsn
Merge pull request #4302 from ProvableHQ/copilot/make-telemetry-defau…
5193362 
…lt-feature

Make telemetry part of default snarkOS build features
@vicsn
Start consensus handlers only after CDN sync is complete
a0d5706
@vicsn
Merge pull request #4293 from ProvableHQ/fix_cdn_sync
6e5a05f 
Start consensus handlers only after CDN sync is complete
@raychu86 @vicsn
Increase REST body limit
813f871
@vicsn
Merge pull request #4303 from ProvableHQ/feat/increase-rest-body-size
db69605 
[Feat] Increase REST body limit
Copilot AI and others added 23 commits June 10, 2026 10:43
feat(rest): update snarkVM rev, add view-at-latest endpoint, extend d…
8a56f71 
…evnet test

- Update snarkVM rev from c457b6b9e to e4a7a945 (historic program edition support)
- Add POST /{network}/program/{id}/view/{function} endpoint for latest height
- Register new route in lib.rs alongside the height-specific route
- Add `view get_value` to test_program.aleo in test_devnet.sh
- Test both view endpoints (latest + specific height) in test_devnet.sh
fix(rest): capture latest height inside spawn_blocking, rename view fn
4caaa16 
- Move height capture inside spawn_blocking to minimize race window
- Rename test view function from get_value to compute_sum for clarity
@ljedrz
logs: be more explicit about unexpected peer status during promotion
ece5c23 
Signed-off-by: ljedrz <ljedrz@users.noreply.github.com>
@vicsn
Merge pull request #4313 from ProvableHQ/logs/more_explicit_peer_prom…
0aca11f 
…otion_warn

[Logs] Be more explicit about unexpected peer status during promotion
Apply remaining changes
9d9305c
@vicsn
Bump snarkVM and snarkOS version
8a6ccdb
@vicsn
Update Cargo.lock
0e4252b
@vicsn
Fix build
8ad736d
@vicsn
Bump snarkVM rev and Message::VERSIONS
a73632f
@vicsn
Comment out unused test
965c49a
@vicsn
Merge branch 'copilot/feature-expose-new-api-endpoint' into testnet
94cfd20
@vicsn
Bump time libraries warned for by cargo audit
60d952b
@vicsn
Bump snarkVM rev
72daf11
@vicsn
Merge remote-tracking branch 'origin/staging' into testnet
92b0589
@vicsn
Bump release version
4760005
@vicsn
Surface rejection reasons endpoint
519b23a
@vicsn @cursoragent
Resolve rejection reasons for both confirmed and unconfirmed transact…
ce2a437 
…ion IDs.

Rejection reasons are keyed by the fee transaction ID, so look up the unconfirmed
and confirmed transaction IDs when a direct lookup misses.

Co-authored-by: Cursor <cursoragent@cursor.com>
@vicsn
Bump release version
9041f52
@vicsn
Merge pull request #4329 from ProvableHQ/expose_rejection_reasons_api
5dc1a9f 
Surface rejection reasons endpoint
@vicsn
Cargo audit fix
c37d657
@vicsn
Merge remote-tracking branch 'origin/testnet' into main_net_v48
4ec48e2
@vicsn
Bump cargo release version
3d1856a
@vicsn
Bump snarkVM rev
2803318
@vicsn vicsn requested a review from Antonio95 June 28, 2026 11:32
@vicsn vicsn changed the title Mainnet v4.8.0 Mainnet v4.8.x Jun 28, 2026
veria-ai[bot]
veria-ai Bot reviewed Jun 28, 2026
View reviewed changes
Comment thread node/rest/src/routes.rs
// Evaluate the view function in a blocking task.
// The latest block's state is captured inside the task to minimise the window
// between state sampling and evaluation.
let (outputs, height) = match tokio::task::spawn_blocking(move || {

@veria-ai veria-ai Bot Jun 28, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium: Unbounded VM evaluation

This public route executes caller-selected view functions on Tokio's blocking pool without a semaphore or cost gate. A client can repeatedly POST to a costly deployed view function and keep CPU/blocking threads occupied; the history variant at line 1232 has the same pattern when that feature is enabled. Add a bounded permit around view evaluation or enforce a metered view-cost limit before spawning the work.

@veria-ai

veria-ai Bot commented Jun 28, 2026

Copy link
Copy Markdown

PR overview

This PR updates the Mainnet v4.8.x codebase, including REST routes that execute VM view functions against current and, when enabled, historical state.

One security issue remains open: the public view-function evaluation route can run caller-selected VM work without a concurrency or cost bound. A client could repeatedly invoke expensive view functions and consume CPU or Tokio blocking-pool capacity, degrading REST node availability. No issues have been addressed yet in this review cycle, so the PR still needs a bounded execution or metering control for these routes.

Open issues (1)

Fixed/addressed: 0 · PR risk: 6/10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@veria-ai veria-ai[bot] veria-ai[bot] left review comments
@Antonio95 Antonio95 Awaiting requested review from Antonio95

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@vicsn @kaimast @ljedrz @raychu86