node-1.0.0-toolkit-1.0.0-runtime-1.0.0-rc.3

Git tag: node-1.0.0-toolkit-1.0.0-runtime-1.0.0-rc.3

Components

• 📦 node-1.0.0
• 🧰 toolkit-1.0.0
• ⚙️ runtime-1.0.0

Added

Upgrade ledger from 8.0.2 to 8.1.0-rc.1 (#1301) (#node)

Bumps the midnight-ledger dependency from 8.0.2 to 8.1.0-rc.1, picking up
new ledger types and conversion support.

PR: #1301
Issue: #1296

Changed

Add regression tests for nonce/nullifier distinction in zswap serialization (#1128, PM-22025) (#toolkit)

Add unit tests verifying that serialized zswap local state uses the coin
nonce (randomness), not the nullifier (spend identifier), for the nonce
field. Addresses Least Authority Q1 2026 Node DIFF audit Issue E.

PR: #1128
JIRA: https://shielded.atlassian.net/browse/PM-22025

Redact database connection details from error logs (#1067, PM-19904) (#node)

Database connection error messages no longer include the host, port, or database name at error level. Full connection details are available at debug log level for authorized troubleshooting.

PR: #1067
JIRA: https://shielded.atlassian.net/browse/PM-19904

Implements handler for C-to-M brige (#1188) (#node, #runtime)

Updates bridge to emit events.
Updates call by adding McTxHash to each transfer.
Updates handler API: handler is expected to return a value that is attached to events.

Implements the handler in Midnight runtime.

PR: #1188
Required for #1083

Add validation for `networkId` on node boot to avoid mismatch with genesis state (#1265, PM-22422) (#node, #binary)

Adds validation to ensure the networkId set in the chainspec matches the
networkId used to generate the genesis state.

PR: #1265
Fix for: https://shielded.atlassian.net/browse/PM-22422

Fix DustWallet spend state propagation (#877, PM-20016) (#toolkit)

Fix DustWallet::speculative_spend to return the updated DustLocalState
alongside spends, and extend mark_spent to commit the state atomically
with nullifier recording. This ensures DustLocalState::spend's
pending_until flags are propagated, preventing utxos() from returning
already-spent outputs in consecutive spend operations.

Addresses Least Authority audit finding Issue AO.

PR: #877
JIRA: https://shielded.atlassian.net/browse/PM-20016

Align node and runtime with polkadot-stable2512-3 SDK (#1262) (#node, #runtime)

Bumps Substrate dependencies to the polkadot-stable2512-3 tag and updates call sites for breaking API changes: Core::execute_block and BlockBuilder::check_inherents now use LazyBlock; SpawnTasksParams requires tracing_execute_block (set to None unless trace RPC is wired); MmrApi v3 gains generate_ancestry_proof while BeefyApi no longer exposes it; pallet-version test mock implements Core with LazyBlock. Partner-chains and lockfiles are updated in line with the same SDK line.

PR: #1262
Required for #1244

Align node, runtime, relay, and partner-chains with polkadot-stable2603 SDK (#1299) (#node, #runtime, #partner-chains)

Bumps Substrate dependencies to the polkadot-stable2603 tag and updates call sites for breaking API changes:

• Workspace: All polkadot-stable2512-3 git deps moved to polkadot-stable2603; tracing-subscriber pinned to =0.3.19 (required by sp-tracing on this line) with toolkit using the workspace entry.
• Node: sc_service::build_network gains spawn_essential_handle; new_full_parts_with_genesis_builder keeps the six-argument signature (no Grandpa pruning filters argument—unlike new_full_parts).
• Runtime: sp_session::SessionKeys::generate_session_keys now takes owner: Vec<u8> and returns OpaqueGeneratedSessionKeys; opaque key generate calls pass &owner.
• Partner-chains (vendored subtree): Aura Proposer uses ProposeArgs; demo node uses GrandpaPruningFilter with new_full_parts and spawn_essential_handle; toolkit inherent errors use Debug instead of sp_runtime::RuntimeDebug where needed.
• Ledger / primitives: RuntimeDebug derives replaced with core::fmt::Debug where sp_runtime::RuntimeDebug / frame_support::RuntimeDebug were removed.
• Pallets: RuntimeDebugNoBound replaced with DebugNoBound (e.g. federated-authority, throttle).
• Relay (BEEFY): BeefySignatureHasher removed; SignedCommitment::verify_signatures called with a single inferred authority type parameter.

Partner-chains Cargo.toml / README / changelog are aligned with the same SDK tag where applicable.

PR: #1299
Required for #1245

Early weight check in midnight pallet pre_dispatch (#1305) (#node)

Add an early block weight check in ValidateUnsigned::pre_dispatch before
expensive ledger validation. Substrate's Bare extrinsic path runs the pallet's
pre_dispatch before the CheckWeight extension, which means transactions that
won't fit in the block still undergo costly ledger validation before being
rejected. The new check mirrors the logic in calculate_consumed_weight and
exits early with ExhaustsResources when the block is full.

PR: #1305

Speed up toolkit syncing (#1263) (#toolkit)

Batch block-number-to-hash RPC calls into a single request instead of one call per block, reducing round trips during sync. Also simplifies several function parameters across the fetcher.

PR: #1263

📦 Node

Git tag: node-1.0.0-rc.3

Docker Images

DockerHub

• midnight-node

$ docker pull midnightntwrk/midnight-node:1.0.0-rc.3

Added

Add per-SQL-query Prometheus timing for midnight data source queries (#904, PM-22100) (#node)

Midnight-specific data sources (cNight observation, federated authority,
candidates) now record individual Prometheus timing histograms for each
SQL query executed against DBSync. 13 sub-query timers provide per-query
latency visibility at :9615/metrics under the
midnight_data_source_query_time_elapsed metric with query_name labels.

PR: #904
JIRA: https://shielded.atlassian.net/browse/PM-22100

Add `rpc.discover` endpoint with OpenRPC v1.4 API specification (PM-6402, #869) (#client, #node, #rpc, #api)

Registers a standards-compliant rpc.discover JSON-RPC method that returns a complete OpenRPC v1.4 document describing the node's API. Enables client code generation, request validation, and developer discoverability without reading source code.

• 16 custom Midnight methods fully documented with parameter types, return types, error definitions, and descriptions
• 52 standard Substrate methods listed as reference entries
• JSON Schema type definitions generated via schemars for all RPC response types
• Static docs/openrpc.json committed for offline access
• CI drift-detection tests ensure the schema stays in sync with registered methods

Jira: https://shielded.atlassian.net/browse/PM-6402
PR: #869

Point to midnightntwrk partner chains fork (#948, PM-22099) (#node)

Partner chains dependencies now reference th...

node-1.0.0-toolkit-1.0.0-runtime-1.0.0-rc.2

Midnight Node 1.0.0-toolkit-1.0.0-runtime-1.0.0-rc.2 Release Notes

Release date: 2026-04-15

Git tag: node-1.0.0-toolkit-1.0.0-runtime-1.0.0-rc.2

Tree hash: 5c3a1ed33865cc333fc4f24c44e41eb90cb2928b

Environment: All public networks (dev, qanet, preview, preprod).

Docker Images

docker pull midnightntwrk/midnight-node:1.0.0-rc.2
docker pull midnightntwrk/midnight-node-toolkit:1.0.0-rc.2

Summary

This is the second 1.0.0 release candidate. It bundles a runtime upgrade that migrates the extrinsic format from SignedExtension to TransactionExtension, adds Substrate SDK alignment with polkadot-stable2603, and extends the cNIGHT → Midnight bridge handler to emit events carrying Cardano transaction hashes. The toolkit gains a subxt v0.50 upgrade, faster syncing, and several robustness fixes.

⚠️ Runtime upgrade required. This release changes the on-chain transaction format. Collators, validators, and all signing clients must upgrade together — see Breaking Changes or Required Actions.

🚧 The cNIGHT → Midnight bridge is NOT complete and is currently disabled. The handler work in this release (#1188) lands plumbing only; do not rely on cross-chain transfers in this build.

Audience

• Node operators / validators
• Toolkit users
• Wallet and RPC-client developers
• Integrators signing extrinsics against the runtime

What Changed

Change	Upgrade Type	PR
Migrate runtime from SignedExtension to TransactionExtension	Runtime upgrade — transaction format change	#597
C-to-M bridge handler emits events with McTxHash (bridge still disabled)	Runtime upgrade (mixed runtime + node)	#1188
Align node and runtime with polkadot-stable2512-3 SDK	Runtime upgrade (mixed)	#1262
Align node, runtime, relay, and partner-chains with polkadot-stable2603 SDK	Runtime upgrade (mixed)	#1299
Early block-weight check in midnight pallet pre_dispatch	Runtime upgrade (pallet logic)	#1305
Upgrade ledger from 8.0.2 to 8.1.0-rc.1	Node upgrade	#1301
Validate networkId on node boot	Node upgrade	#1265
Redact database connection details from error logs	Node upgrade	#1067
Upgrade subxt from v0.44 to v0.50	Toolkit	#1229
Speed up toolkit syncing via batched RPC	Toolkit	#1263
Fix DustWallet spend state propagation	Toolkit	#877
Regression tests for nonce/nullifier distinction in zswap	Toolkit	#1128
checked_add on wallet seed increment	Toolkit	#1081
Use tracing for structured log fields	Toolkit	#1230
Toolkit images are versioned independently of node	Toolkit (infra)	#1261
Cardano hard fork script for local-env	Infrastructure	#1326

New Features

cNIGHT → Midnight bridge handler (#1188) — Runtime upgrade

🚧 Status: incomplete and disabled. The bridge is not yet usable end-to-end. The changes in this release ship handler plumbing only — do not depend on cNIGHT → DUST transfers in this build.

The bridge handler now emits runtime events for each transfer, and each transfer carries an McTxHash identifying the originating Cardano transaction. The handler API now returns a value that is attached to the emitted events. Once the bridge is re-enabled in a later release, downstream indexers will be able to follow cross-chain transfers end-to-end without reconciling against Cardano separately.

Ledger upgrade to 8.1.0-rc.1 (#1301) — Node upgrade

midnight-ledger is bumped from 8.0.2 to 8.1.0-rc.1. Same major version, accessed via host calls — the upgrade ships in the node binary.

networkId boot-time validation (#1265) — Node upgrade

The node now rejects startup if the networkId in the chainspec does not match the networkId used to generate the genesis state, preventing a class of misconfiguration that previously surfaced only later as opaque state errors.

Substrate SDK alignment: polkadot-stable2512-3 → polkadot-stable2603 (#1262, #1299) — Runtime upgrade

The runtime, node, relay, and vendored partner-chains are moved onto the polkadot-stable2603 SDK line. Notable API shifts handled by the runtime:

• Core::execute_block and BlockBuilder::check_inherents take LazyBlock.
• sp_session::SessionKeys::generate_session_keys now takes owner: Vec<u8> and returns OpaqueGeneratedSessionKeys.
• MmrApi v3 gains generate_ancestry_proof; BeefyApi no longer exposes it.
• tracing-subscriber pinned to =0.3.19 (required by sp-tracing).

subxt upgrade to v0.50 (#1229) — Toolkit

Toolkit, upgrader, relay, and e2e tests migrate to subxt's block-centric API, picking up new transaction types, granular error handling, and async metadata access.

Faster toolkit sync (#1263) — Toolkit

Block-number-to-hash lookups are batched into a single RPC request instead of one call per block, materially reducing round trips during initial sync and replay.

Features Requiring Configuration Updates

• networkId validation (#1265): operators must ensure the chainspec networkId matches the value used when the genesis state was built. A mismatch is now fatal at boot.

Improvements

• Early block-weight check in the midnight pallet's pre_dispatch rejects over-weight transactions before expensive ledger validation (#1305).
• DustWallet speculative_spend now returns the updated DustLocalState alongside spends, preventing utxos() from returning already-spent outputs on consecutive spends (Least Authority audit Issue AO) (#877).
• Database connection errors no longer leak host, port, or database name at error level; full details remain at debug for authorised troubleshooting (#1067).
• Wallet seed increment uses checked_add — overflow now returns an explicit error instead of producing a colliding seed (Least Authority audit Issue AL) (#1081).
• Regression tests confirm zswap serialization uses the coin nonce, not the nullifier (Least Authority audit Issue E) (#1128).
• Toolkit structured log fields are now routed through tracing instead of being silently dropped by log (#1230).
• Toolkit Docker images are versioned independently from the node via util/toolkit/Cargo.toml; toolkit-only releases use the toolkit-X.Y.Z tag format (#1261).
• New hardfork-pv11.sh script advances the local Cardano devnet from protocol version 10 to 11, with governance key generation and automated voting (#1326).

Breaking Changes or Required Actions

⚠️ This release contains a runtime upgrade AND changes the transaction format. Coordinated upgrade is required.

Transaction format change — SignedExtension → TransactionExtension (#597)

The runtime migrates from the deprecated SignedExtra type alias to the new TxExtension pattern and adds two extensions:

• AuthorizeCall
• WeightReclaim

The runtime now implements the offchain transaction-creation traits CreateTransaction, CreateBare, CreateSignedTransaction, and CreateAuthorizedTransaction. The benchmarking harness is updated to match.

Impact — any client that constructs or signs extrinsics against this runtime must be updated:

• Extrinsics built with the previous SignedExtension layout will be rejected by the new runtime.
• Wallets, SDKs, and any service that signs raw extrinsics must regenerate against the new metadata and use the TransactionExtension signing flow.
• The toolkit and upgrader in this release are already updated; third-party tooling is not.

Required actions for operators

1. Upgrade validators and collators to node-1.0.0-rc.2 before scheduling the runtime upgrade.
2. Schedule the runtime upgrade (`runtime-1.0.0-rc.2...

node-0.22.5-rc.1

Midnight Node 0.22.5-rc.1 Release Notes

Release date: 2026-04-09
Git tag: node-0.22.5-rc.1
Tree hash: 861d80c239d430037774169d5a965c07d7089fbb
Environment: All public networks

Note: Version 0.22.4 was skipped. This release follows directly from 0.22.3.

Docker Images

docker pull midnightntwrk/midnight-node:0.22.5-rc.1
docker pull midnightntwrk/midnight-node-toolkit:0.22.5-rc.1

Summary

This release adds a configurable transaction gas cost limit, allowing node operators to reject expensive transactions at the transaction pool level before they consume resources. This is a node-only change requiring a binary restart — no runtime upgrade is needed and this is an optional upgrade for FNOs.

Audience

• Node operators — new CLI flag / env var for gas cost filtering
• DApp developers — no API changes
• End users — no user-facing changes

What Changed

Change	Upgrade Type	PR
Transaction pool gas cost filtering	Node upgrade	#1251

New Features

Transaction Pool Gas Cost Filtering (Node upgrade)

Added --max-tx-gas-cost CLI argument and MAX_TX_GAS_COST environment variable to reject midnight transactions whose estimated gas cost exceeds a configurable limit. This allows node operators to protect their nodes from expensive transactions at the pool gateway level. The CLI argument takes precedence over the environment variable when both are set.

Breaking Changes or Required Actions

No runtime upgrade is required. Node operators should restart their nodes with the new binary to pick up the gas cost filtering capability. The feature is opt-in — nodes without the flag set will continue to accept all transactions as before.

Links and References

• PR: #1251 — Transaction pool gas cost filtering

Full Change Details

Added

Transaction pool gas cost filtering (#1251) (#node)

Added --max-tx-gas-cost CLI arg and MAX_TX_GAS_COST env var to reject midnight
transactions whose estimated gas cost exceeds a configurable limit. This allows node
operators to protect their nodes from expensive transactions at the pool gateway level.
The CLI arg takes precedence over the env var when both are set.

PR: #1251

node-1.0.0-rc.1

Midnight Node 1.0.0-rc.1 Release Notes

Release date: 2026-04-02
Git tag: node-1.0.0-rc.1
Tree hash: c0b6eef82d3de5f78b8e0798bd8d945d814a3526
Environment: All public networks (mainnet, preprod, preview, qanet)

Docker Images

docker pull midnightntwrk/midnight-node:1.0.0-rc.1
docker pull midnightntwrk/midnight-node-toolkit:1.0.0-rc.1

Summary

Midnight Node 1.0.0-rc.1 is the first release candidate for the 1.0.0 mainnet release. It includes two runtime changes — a governance weight-bound fix and a per-account transaction count throttle with storage migration — alongside significant node reliability improvements (chain-state truncation fix, graceful shutdown), security hardening across CI workflows and the toolkit, and a major toolkit overhaul with file-based caching, batch transaction generation, and performance improvements.

Audience

• Node operators — runtime upgrade with storage migration; node binary update required
• Toolkit users — new commands, breaking CLI and log format changes
• DApp developers — no direct API changes

What Changed

Change	Upgrade Type	PR
Add proposal_weight_bound parameter to motion_close	Runtime	#1032
Add per-account transaction count limit to throttle pallet (with migration)	Runtime	#1060
Add per-SQL-query Prometheus timing for data source queries	Node	#904
Add rpc.discover endpoint with OpenRPC v1.4 API specification	Node	#869
Point to midnightntwrk partner chains fork	Node	#948
Clean up Postgresql connection, add ssl_root_cert config	Node	#1029
Improve logging for ledger transaction errors	Node	#961
Cache multi_asset.id to avoid excessive joins	Node	#934
Fix chain-state truncation after unclean shutdown	Node	#1140
Drop ledger default storage on node shutdown	Node	#886
Reduce cNIGHT observation address logging level	Node	#905
Remove hard-fork test ledger version dependencies	Node	#1024
Reject unsupported system transaction types	Node	#840
Remove stale cost model stubs and re-enable integration test	Node	#839
Validate genesis file type and size before reading	Node	#832
Bump version to 1.0.0	Node	#919
Bump vulnerable dependencies	Node + Toolkit	#1079
Add --log-json structured logger flag, pretty log output by default	Toolkit	#859
Enable contract_custom builder for ledger 7	Toolkit	#864
Add batch-single-tx command for bulk transaction generation	Toolkit	#820, #939
Add show-block command to toolkit	Toolkit	#1068
Add option to write out contract on-chain state	Toolkit	#946
Add support for zswap state chaining	Toolkit	#879
File-based wallet and ledger state caching	Toolkit	#820, #939
Add support for fallible contract calls	Toolkit	#888
Add support for fallible inputs	Toolkit	#966
Support multiple shielded coin inputs in single-tx/batch-single-tx/batches	Toolkit	#1216
Improve block replay and transaction generation performance	Toolkit	#820, #939
Drop structured_logger for tracing_subscriber (breaking JSON log format)	Toolkit	#899
Fix Dust address format to match specification	Toolkit	#1059
Fix missing persist() on context fork / recursion depth	Toolkit	#881
Fix panic if first block has no midnight transactions	Toolkit	#1045
Fix nullifier used as nonce when encoding zswap state	Toolkit	#895
Change default cache location to ./toolkit_cache	Toolkit	#939
Restore long-form CLI flags for governance key arguments	Toolkit	#875
Harden bot workflows against TOCTOU and expression injection	Infrastructure	#848
CI/CD security hardening (permissions, data flow, actionlint)	Infrastructure	#861
Use content hashes for Docker image tags	Infrastructure	#783
Permissions hardening across all workflow files	Infrastructure	#855
Slim down node Docker image by ~200 MB	Infrastructure	#897
Migrate Renovate to org-wide hardened preset	Infrastructure	#1118

Known Issues

• Omission: RC.1 does not include the mainnet chainspecs.

New Features

Runtime

• Per-account transaction count throttle (Runtime, #1060) — Extends the existing per-account throttle to enforce a maximum number of transactions (MaxTxs) within each rolling block window, alongside the existing byte limit. Prevents governance committee members from filling blocks with small but high-weight transactions. Includes a storage migration from the 2-field AccountUsage tuple to a 3-field UsageStats struct.

• Proposal weight bound for motion_close (Runtime, #1032) — The motion_close extrinsic now requires a proposal_weight_bound parameter following the pallet_collective::close pattern, ensuring the declared weight includes the inner call's weight upfront. The extrinsic is also DispatchClass::Operational.

Node

• rpc.discover endpoint (Node, #869) — Standards-compliant OpenRPC v1.4 discovery method documenting 16 custom Midnight methods and 52 standard Substrate methods, with JSON Schema type definitions. Enables client code generation and request validation.

• Per-SQL-query Prometheus timing (Node, #904) — 13 sub-query timers provide per-query latency visibility at :9615/metrics under the midnight_data_source_query_time_elapsed metric with query_name labels.

• PostgreSQL ssl_root_cert configuration (Node, #1029) — New ssl_root_cert configuration option for PostgreSQL connections.

Toolkit

• Batch transaction generation (Toolkit, #820, #939) — New batch-single-tx subcommand generates multiple transactions from a JSON specification file with configurable concurrency and parallel ZK proving.

• File-based wallet and ledger state caching (Toolkit, #820, #939) — Two-tier file cache persists ledger snapshots and per-wallet state across runs, eliminating full chain replay on every invocation. New CLI flags: --ledger-state-db <path>, --fetch-only-cached, --seeds.

• Show-block command (Toolkit, #1068) — Diagnostic command to inspect individual blocks with human-readable and JSON output.

• Fallible contract calls and inputs (Toolkit, #888, #966) — Support for fallible contract calls and fallible inputs in transaction generation.

• **...

node-0.22.3

Midnight Node 0.22.3 Release Notes

Release date: 2026-03-25
Git tag: node-0.22.3
Tree hash: f99aa05d285b7576e4a4af564f54e3983b49fc4e
Environment: Preview network

Docker Images

docker pull midnightntwrk/midnight-node:0.22.3
docker pull midnightntwrk/midnight-node-toolkit:0.22.3

Summary

This is a config-only patch release that regenerates the preview network genesis state and chain specifications for 0.22.3, preserving existing cNightObservation data. No runtime, node binary, or toolkit code changes are included.

Audience

• Node operators (preview network): Must pull the new image to pick up updated genesis and chain spec files.
• Node operators (other networks): No action required.
• DApp developers: No action required.

What Changed

Change	Upgrade Type	PR
Regenerate preview genesis and chain spec for 0.22.3	Node upgrade (config only)	#1071

Improvements

• Regenerated preview network genesis state and chain specifications for the 0.22.3 release, preserving existing cNightObservation data (#1071, PM-22397)

Breaking Changes or Required Actions

Preview network operators must update to this image to use the regenerated genesis and chain spec files. No runtime upgrade is required.

Links and References

• PR #1071 — Regenerate preview for 0.22.3
• PM-22397

Full Change Details

Regenerate preview genesis and chain spec for 0.22.3 (#1071, PM-22397) (#node)

Regenerates preview network genesis state and chain specifications for 0.22.3, preserving existing cNightObservation data.

PR: #1071
JIRA: https://shielded.atlassian.net/browse/PM-22397

node-0.22.2

Git tag: node-0.22.2

Docker Images

DockerHub

• midnight-node
• midnight-node-toolkit

$ docker pull midnightntwrk/midnight-node:0.22.2
$ docker pull midnightntwrk/midnight-node-toolkit:0.22.2

This release just contains a config change for preprod. No other environments are affected.

node-0.22.1

Midnight Node 0.22.1 Release Notes

Release date: 2026-03-19
Git tag: node-0.22.1
Tree hash: 40368f4c7354b73deaeb4d9fe87a0fc3fb64d497
Environment: All public networks

Docker Images

docker pull midnightntwrk/midnight-node:0.22.1
docker pull midnightntwrk/midnight-node-toolkit:0.22.1

Summary

Security patch release addressing a yamux networking vulnerability and restricting peer info RPC methods to unsafe-only access. Node-only upgrade — no runtime changes. Fully backward compatible with node-0.22.0.

Audience

• Node operators / SPOs — binary restart required
• Runtime upgrade required — not required for this release
• DApp developers
• Toolkit users

What Changed

Change	Upgrade Type	PR
Fix yamux vulnerability (GHSA-vxx9-2994-q338)	Node	#1040
Mark peer info RPC methods as unsafe	Node	#1039

Improvements

• Yamux vulnerability fix — A malicious peer could crash a node by sending crafted yamux frames that trigger a panic via overflow in increase_send_window_by. This release bumps yamux 0.13.8 to 0.13.10 and patches yamux 0.12.1 to 0.12.2 via a custom fork, since upstream 0.12.x has no fix. Regression tests are included. Advisory: GHSA-vxx9-2994-q338.
• Peer info RPC methods restricted — The network_peerReputations, network_peerReputation, and network_unbanPeer RPC methods now require --rpc-methods unsafe to be called, preventing exposure of peer reputation data and peer management on public-facing RPC endpoints.

Breaking Changes or Required Actions

No breaking changes except if you call network_peerReputations, network_peerReputation, or network_unbanPeer RPC methods, you must now pass --rpc-methods unsafe to expose them via the node.

Links and References

• PR #1040 — Backport yamux fix
• PR #1039 — Backport mark peer RPCs unsafe
• GHSA-vxx9-2994-q338 — yamux advisory
• Custom yamux 0.12.x fork

Full Change Details

Backport yamux fix (#1040)

Backport fix for yamux vulnerability GHSA-vxx9-2994-q338. A malicious peer could crash a node by sending crafted yamux frames that trigger a panic via checked_add(...).expect(...) overflow in increase_send_window_by.

Changes:

• Bump yamux 0.13.8 → 0.13.10 (contains the fix)
• Patch yamux 0.12.1 → 0.12.2 via custom fork (midnightntwrk/rust-yamux) since upstream 0.12.x has no fix
• Add regression tests verifying the node does not panic on:
  • WindowUpdate with u32::MAX credit (overflow)
  • Oversized Data|SYN frame exceeding default credit
  • Two consecutive WindowUpdates that together overflow

PR: #1040

Mark peer info RPC methods as unsafe (#1039)

Marks the network_peerReputations, network_peerReputation, and network_unbanPeer RPC methods as unsafe so they require --rpc-methods unsafe to be called. This prevents exposing peer reputation data and peer management on public-facing RPC endpoints.

Backport of #1027 to release/node-0.22.1.

PR: #1039

node-0.22.1-rc.1

Midnight Node 0.22.1-rc.1 Release Notes

Release date: 2026-03-19
Git tag: node-0.22.1-rc.1
Tree hash: 40368f4c7354b73deaeb4d9fe87a0fc3fb64d497
Environment: All public networks

Docker Images

docker pull midnightntwrk/midnight-node:0.22.1-rc.1
docker pull midnightntwrk/midnight-node-toolkit:0.22.1-rc.1

Summary

Security patch release addressing a yamux networking vulnerability and restricting peer info RPC methods to unsafe-only access. Node-only upgrade — no runtime changes. Fully backward compatible with node-0.22.0.

Audience

• Node operators / SPOs — binary restart required
• Runtime upgrade required — not required for this release
• DApp developers
• Toolkit users

What Changed

Change	Upgrade Type	PR
Fix yamux vulnerability (GHSA-vxx9-2994-q338)	Node	#1040
Mark peer info RPC methods as unsafe	Node	#1039

Improvements

• Yamux vulnerability fix — A malicious peer could crash a node by sending crafted yamux frames that trigger a panic via overflow in increase_send_window_by. This release bumps yamux 0.13.8 to 0.13.10 and patches yamux 0.12.1 to 0.12.2 via a custom fork, since upstream 0.12.x has no fix. Regression tests are included. Advisory: GHSA-vxx9-2994-q338.
• Peer info RPC methods restricted — The network_peerReputations, network_peerReputation, and network_unbanPeer RPC methods now require --rpc-methods unsafe to be called, preventing exposure of peer reputation data and peer management on public-facing RPC endpoints.

Breaking Changes or Required Actions

No breaking changes except if you call network_peerReputations, network_peerReputation, or network_unbanPeer RPC methods, you must now pass --rpc-methods unsafe to expose them via the node.

Links and References

• PR #1040 — Backport yamux fix
• PR #1039 — Backport mark peer RPCs unsafe
• GHSA-vxx9-2994-q338 — yamux advisory
• Custom yamux 0.12.x fork

Full Change Details

Backport yamux fix (#1040)

Backport fix for yamux vulnerability GHSA-vxx9-2994-q338. A malicious peer could crash a node by sending crafted yamux frames that trigger a panic via checked_add(...).expect(...) overflow in increase_send_window_by.

Changes:

• Bump yamux 0.13.8 → 0.13.10 (contains the fix)
• Patch yamux 0.12.1 → 0.12.2 via custom fork (midnightntwrk/rust-yamux) since upstream 0.12.x has no fix
• Add regression tests verifying the node does not panic on:
  • WindowUpdate with u32::MAX credit (overflow)
  • Oversized Data|SYN frame exceeding default credit
  • Two consecutive WindowUpdates that together overflow

PR: #1040

Mark peer info RPC methods as unsafe (#1039)

Marks the network_peerReputations, network_peerReputation, and network_unbanPeer RPC methods as unsafe so they require --rpc-methods unsafe to be called. This prevents exposing peer reputation data and peer management on public-facing RPC endpoints.

Backport of #1027 to release/node-0.22.1.

PR: #1039

node-0.22.0-rc.11

Midnight Node 0.22.0-rc.11 Release Notes

Release date: 2026-03-16
Git tag: node-0.22.0-rc.11
Environment: All public networks (mainnet, preprod, preview)

Docker Images

docker pull midnightntwrk/midnight-node:0.22.0-rc.11
docker pull midnightntwrk/midnight-node-toolkit:0.22.0-rc.11

Summary

RC.11 finalises genesis construction and verification tooling, regenerates the preprod chainspec to start from ledger 8, generates the mainnet chain-spec, and updates mainnet bootnodes. No new runtime or toolkit changes since rc.10.

Audience

• Node operators / SPOs
• DApp developers
• Toolkit users

What Changed

Change	Upgrade Type	PR
Final genesis construction & verification changes	Node	#945
Update mainnet bootnodes	Node	#947
Regen preprod chainspec to start from ledger 8	Node	#933
Generate mainnet chain-spec	Node	#953

Improvements

• Genesis construction script receives final polish: genesis message verification, genesis timestamp verification, reserve auth script verification, and mainnet config preset (#945)
• Preprod chainspec regenerated to boot from ledger 8, with updated bootnodes and chain config (#933)
• Mainnet chain-spec generated with srtool-verified deterministic WASM, including genesis state, cardano tip, and permissioned candidates config (#953)
• Mainnet bootnode addresses updated (#947)

Breaking Changes or Required Actions

No new breaking changes in this RC. See rc.1 through rc.10 notes for the full list of breaking changes in the 0.22.0 release series.

Links and References

• PR #945 — Final genesis construction & verification changes
• PR #947 — Update mainnet bootnodes
• PR #933 — Regen preprod chainspec to start from ledger 8
• PR #953 — Generate mainnet chain-spec

Full Change Details

The following is the cumulative auto-generated release body for all changes in the 0.22.0 release series up to rc.11.

Expand cumulative change details

Git tag: node-0.22.0-rc.11

Docker Images

DockerHub

• midnight-node
• midnight-node-toolkit

$ docker pull midnightntwrk/midnight-node:0.22.0-rc.11
$ docker pull midnightntwrk/midnight-node-toolkit:0.22.0-rc.11

Added

Binary verification tooling (#635, SRE-1798) (#security, #operations)

Added scripts and documentation for SPOs and operators to verify signed binary releases:

• scripts/verify-binary.sh: Wrapper script for cosign verify-blob
• docs/security/binary-verification.md: Documentation with prerequisites, examples, and troubleshooting

PR: #635
JIRA: https://shielded.atlassian.net/browse/SRE-1798

Add ephemeral env configuration for govnet (#619)

Allow running govnet in local-environment

PR: #619

Op::Deploy and Op::Maintain filter (#894, PM-22280) (#node)

Runtime --filter-deploy-txs switch has been added along with a TransactionPool wrapper.
When the switch is used, then the node transaction pool won't accept extrinsics that contain
Midnight Op::Deploy or Op::Maintain operations.

PR: #894
JIRA: https://shielded.atlassian.net/browse/PM-22280

Finer grained ledger error codes (#745, PM-21798) (#node)

Map all known MalformedTransaction and TransactionInvalid variants to specific error codes instead of falling through to UnknownError. Fixes the u8 collision between MalformedError::UnknownError and SystemTransactionError::IllegalPayout (both previously mapped to 139). Adds a test to prevent future collisions.

PR: #745
JIRA: https://shielded.atlassian.net/browse/PM-21798

Genesis verification tool (#654, PM-20831) (#node, #genesis, #tooling)

Added a comprehensive genesis verification tool for validating chain specifications before network launch.

New CLI Commands

Genesis Verification

• verify-ledger-state-genesis - Verifies genesis state from chain-spec-raw.json (DustState, supply invariant, parameters)
• verify-cardano-tip-finalized - Verifies a Cardano block has enough confirmations based on security_parameter
• verify-auth-script - Verifies all upgradable contracts use the expected authorization script
• verify-federated-authority-auth-script - Verifies federated authority contract auth scripts
• verify-ics-auth-script - Verifies ICS validator contract auth scripts
• verify-permissioned-candidates-auth-script - Verifies permissioned candidates contract auth scripts

Interactive Verification Script

New interactive script scripts/genesis/genesis-verification.sh that performs 5 verification steps:

• Step 0: Cardano tip finalization check
• Step 1: Config file regeneration and comparison
• Step 2: LedgerState verification (DustState, supply invariant, parameters)
• Step 3: Dparameter verification
• Step 4: Authorization script verification for upgradable contracts

Additional Changes

• Both genesis scripts now prefill the Cardano tip prompt from res/<network>/cardano-tip.json if available
• Reorganized genesis code into node/src/genesis/creation/ and node/src/genesis/verification/ modules
• Added comprehensive documentation in docs/genesis/verification.md

PR: #654
Ticket: https://shielded.atlassian.net/browse/PM-20831

Add governance system transaction gating (#658, PM-21785) (#node, #runtime, #ledger)

Governance (federated-authority pallet) can currently dispatch any system
transaction via MidnightSystem::send_mn_system_transaction. This change adds a
new ledger runtime interface method that checks whether a given system
transaction is allowed for governance execution — only OverwriteParameters
(i.e. ledger parameter updates) is permitted.

PR: #658
Ticket: https://shielded.atlassian.net/browse/PM-21785

Add guardnet and ddosnet cfg presets (SRE-1941, #868) (#cfg)

Add res/cfg/guardnet.toml and res/cfg/ddosnet.toml so the binary
recognizes CFG_PRESET=guardnet and CFG_PRESET=ddosnet. Without
these files nodes crash immediately with "Failed to load config
guardnet/ddosnet".

Ticket: https://shielded.atlassian.net/browse/SRE-1941
PR: #868

Improve genesis contruction and verification (#694, PM-20554) (#node, #genesis)

• Genesis construction script (genesis-construction.sh) with interactive wizard supporting skippable verification steps, genesis messages, and fee checking
• Fixed genesis query bugs: policy_id decoding, asset name encoding, SQL amount casting to BIGINT
• UTXO filtering in cnight genesis to exclude UTXOs without a prior registration
• Enabled all verification steps for mainnet genesis
• Added genesis message
• Verify ledger fees
• Add bootnodes as a congif file
• Improve genesis generarion addid --no-cache to Earthly commands

PR: #694
JIRA: https://shielded.atlassian.net/browse/PM-20554

Additional logging for ledger (PM-21954, #727) (#ledger)

Added additional logging for operations performed on the ledger with additional t...

node-0.22.0

Midnight Node 0.22.0 Release Notes

Release date: 2026-03-16
Git tag: node-0.22.0
Tree hash: 13ab84502bba91a4b10fb63b3a9e501217b45975
Environment: All public networks (mainnet, preprod, preview)

Docker Images

docker pull midnightntwrk/midnight-node:0.22.0
docker pull midnightntwrk/midnight-node-toolkit:0.22.0

Summary

Node 0.22.0 is a major release that upgrades the ledger from version 7 to 8, introduces per-account transaction throttling for governance members, adds comprehensive genesis construction and verification tooling for mainnet launch, resolves multiple audit findings, and delivers significant improvements to determinism, memory management, and observability across both the node and toolkit.

Important: The on-disk ledger storage format has changed to v2. Existing chain data from previous releases is incompatible. Nodes upgrading to 0.22.0 must sync from genesis or use a pre-synced snapshot in the new ledger storage v2 format.

Important: Initially for the first few weeks mainnet is going to have permissioned contract submission, as such if you're running a validator external contract deploy transactions will not be gossiped to the validators and may languish in the mempool. You may wish to run with --filter-deploy-txs to prevent the mempool being filled with deploy transactions with no where to go.

Audience

• Node operators / SPOs
• DApp developers
• Toolkit users

What Changed

Change	Upgrade Type	PR
Upgrade Ledger to 8.0.2	Runtime	#636, #658, #765, #906
Per-account signed transaction throttling	Runtime	#770
Governance system transaction gating and reserve contract observation	Runtime	#658
Benchmarked weight and UTXO count validation for process_tokens	Runtime	#798
Remove UtxoOwners key after spending	Runtime	#317
Test coverage for UtxoOwners persistence guards	Runtime	#762
Guards on NextCardanoPosition updates	Runtime	#763
Prevent duplicate inherent execution within same block	Runtime	#575
Fix motion cleanup and member ordering in governance pallets	Runtime	#803
Fix storage initialization on rollback during hard-fork	Runtime	#586
Fix runtime-call panics caused by uninitialized storage during runtime upgrade	Runtime	#870
Fix CNGD ownership insertion order	Runtime	#757
Protect against missing Terms and Conditions values at genesis	Runtime	#646
Op::Deploy and Op::Maintain transaction filter	Node	#894
Finer grained ledger error codes	Node	#745
Genesis verification tool	Node	#654
Improve genesis construction and verification	Node	#694, #945
Generate mainnet chain-spec	Node	#953
Regen preprod chainspec for ledger 8	Node	#933
Update mainnet bootnodes	Node	#947
Memory headroom monitor	Node	#771
Peer reputation and unban RPC endpoints	Node	#649, #666
Binary verification tooling	Node	#635
Enable ledger storage v2 layout	Node	#847
Composite index on ma_tx_out for genesis queries	Node	#907
Metrics for partner chain operations	Node	#593
Validation cache TTL and TimeToIdle	Node	#737, #748, #659
Deterministic runtime WASM builds via srtool	Node	#681
Deterministic block production with non-deterministic sync	Node	#685, #700
Deterministic collection iteration in ledger	Node	#678
Additional ledger logging	Node	#727
Bump yamux to 0.13.8 to prevent panics	Node	#755
Fix sync issue between node-0.21.0 and node-0.22.0	Node	#852
Replace genesis state decode panics with error propagation	Node	#766
Replace unsafe usize-to-u32 cast	Node	#668
Ledger storage garbage collection improvements	Node	#657, #750
Remove unused SyncStatusExt and sync-status-monitor	Node	#811
Unify genesis state source for offline subcommands	Node	#768
Make toolkit-js optional in toolkit-image	Node	#676
Remove Default impl for WalletSeed	Node	#804
Clean up verbose logging	Node	#802
Update Ledger 7 to 7.0.2, bump ledger dependency versions	Node	#739, #816
Rename is_spend	Node	#710
Add guardnet and ddosnet cfg presets	Node	#868
UTXO ordering overrides for historical blocks	Node	#716
Support multiple ledger versions	Toolkit	#711
Add runtime-upgrade command	Toolkit	#834
Write out contract on-chain state during intent generation	Toolkit	#812
Add fetch-compute-concurrency option	Toolkit	#675
Use only cached transactions option	Toolkit	#682
Support for zswap inputs and transients	Toolkit	#784
Allow DUST address registration without owning DUST	Toolkit	#849
Pass latest ledger parameters on intent generation	Toolkit	#837
Use global_ttl from ledger parameters for transaction TTL	Toolkit	#791
Fix simple_tx panic with multiple inputs	Toolkit	#782
Fix NotNormalized error when dust spends are empty	Toolkit	#758
Restore untagged decoding for contract-address and coin-public	Toolkit	#853
Fix race condition in LedgerContext::update_from_tx	Toolkit	#767
Clean up toolkit input handling	Toolkit	#807
Remove unused replace-initial-tx command	Toolkit	#835
Update Compact version to 0.29.0	Toolkit	#728
srtool WASM build workflow for releases	Infrastructure	#795
Migrate ima...