Skip to main content

Mithril certificate chain security advisory

Β· 2 min read
Mithril Team

Mithril certificate chain could be manipulated by an adversarial signer (security advisory)​

info

The certificate chain of the release-mainnet aggregator has been re-genesised at epoch 539, and the network has resumed producing a valid chain at epoch 540.

The Mithril team has published a security advisory for users running the Mithril client on the mainnet infrastructure:

  • Identifier: GHSA-724h-fpm5-4qvr
  • Title: Mithril certificate chain could be manipulated by an adversarial signer
  • Location: GHSA-724h-fpm5-4qvr
  • Severity: High (5.3/10).
danger

We strongly encourage all the mainnet users running a client library, client CLI, or client WASM to update to the latest versions to prevent the issue:

  • The Mithril client library has been fixed with version 0.11.1 and is available here
  • The Mithril client WASM has been fixed with version 0.8.1 and is available here
  • The Mithril client CLI has been fixed with version 0.11.0 and can be downloaded with the following command:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d 2506.0 -p $(pwd)

Note that all the previous versions must not be used anymore.

For any inquiries or assistance, feel free to contact the team on the Discord channel.

Distribution `2506` is now available

Β· 2 min read
Mithril Team

Distribution 2506 is now available​

warning
  • This distribution embeds a fix for the Mithril certificate chain could be manipulated by an adversarial signer security advisory GHSA-724h-fpm5-4qvr
  • All users running a client library, client CLI, or client WASM are strongly encouraged to update to the latest versions.

We have released the 2506.0 distribution, which includes the following:

  • Support for certifying protocol parameters and epochs in the certificate chain in clients
  • Stable support for Cardano node v.10.1.4 in the signer and aggregator
  • Removal of support for the Thales era in the signer and aggregator
  • Stable support for aggregator HTTP response compression in the signer, aggregator, and clients
  • Building and publication of both a stable version (for release networks) and an unstable version (for testing networks) of the explorer.

This new distribution has been deployed to the Mithril aggregator of the release-mainnet and release-preprod networks.

If you are running a Mithril signer:

  • pre-release-preview network: no action is required at this time
  • release-preprod network: upgrade your signer node binary to version 0.2.228 – no configuration updates are required
  • release-mainnet network: upgrade your signer node binary to version 0.2.228 – no configuration updates are required.

You can easily update the Mithril signer with this one-line command. It downloads to the current directory by default, but a custom folder can be specified using the -p option:

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-signer -d 2506.0 -p $(pwd)

For any inquiries or assistance, feel free to contact the team on the Discord channel.

Minimum required `glibc` version bump

Β· 2 min read
Mithril Team
info
  • This change only affects users who rely on the precompiled Linux binaries provided by the Mithril team.
  • If you compile the binaries from source or use a different operating system, you are not affected.

Background​

Our continuous integration (CI) system uses GitHub Actions to build and test Mithril binaries across different platforms.

Currently, our CI targets Ubuntu 20.04, which results in a minimum required glibc version 2.31. This version is compatible with:

  • Ubuntu 20.04
  • Debian 11 (Bullseye).

However, GitHub Actions is deprecating Ubuntu 20.04 following the release of Ubuntu 24.04. Since GitHub Actions only supports the last two (LTS) versions, we need to update our CI environment to use a more recent version of Ubuntu.

Upcoming changes​

  • Distribution 2506 will be the last release with a minimum required glibc version 2.31
  • After distribution 2506, our CI builds will be updated to Ubuntu 22.04, raising the minimum required glibc version for our Linux binaries to 2.35.

Impact for users​

The new glibc 2.35 version is compatible with:

  • Ubuntu 22.04
  • Debian 12 (Bookworm).

If your system uses an older glibc version, you have two options:

  1. Upgrade your system to a version that supports glibc 2.35
  2. Compile the binaries from source.

Summary​

  • Current minimum glibc version: 2.31
    • Compatible with Ubuntu 20.04, Debian 11 (Bullseye)
  • New minimum glibc version: 2.35 (effective for distributions released from March 2025)
    • Compatible with Ubuntu 22.04, Debian 12 (Bookworm).

For any inquiries or assistance, contact the team on the Discord channel.

Distribution `2450` is now available

Β· 2 min read
Mithril Team

Distribution 2450 is now available​

We have released the 2450.0 distribution, which includes the following:

  • πŸ”₯ Breaking changes in the Mithril client library, CLI, and WASM:
    • Removed the deprecated network field from the internal CardanoDbBeacon
    • Mithril certificates of type CardanoImmutableFilesFull cannot be verified with older clients
    • Clients from distribution 2445 and earlier must be updated
  • Stable support for Cardano node v.10.1.3 in the signer and aggregator
  • Stable support for a one-line shell installation script for the Mithril node prebuilt binaries
  • Various bug fixes and performance improvements.

This new distribution has been deployed to the Mithril aggregator of the release-mainnet and release-preprod networks.

If you are running a Mithril signer:

  • pre-release-preview network: no action is required at this time
  • release-preprod network: upgrade your signer node binary to version 0.2.221 - no configuration updates are required
  • release-mainnet network: upgrade your signer node binary to version 0.2.221 - no configuration updates are required.

You can easily update your Mithril signer with this one-line command (it downloads to the current directory by default; you can specify a custom folder by using the -p option):

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-signer -d 2450.0 -p $(pwd)

For any inquiries or assistance, feel free to contact the team on the Discord channel.

Era switch to Pythagoras

Β· 2 min read
Mithril Team

Era switch to Pythagoras​

We have introduced the Pythagoras era in the Mithril networks. The switch to Pythagoras is a significant milestone that brings new features and improvements to the Mithril protocol.

Update 2025/02/09

The release-mainnet network has succesfully switched to the Pythagoras era at epoch 539!

Update 2025/01/31

The transaction to activate the era switch to Pythagoras has been created on the release-mainnet network at epoch 537. The era switch will be completed at the transition to epoch 539.

danger

Mithril signer versions compatible with the new Pythagoras era are:

  • 0.2.221
  • 0.2.209
  • 0.2.200.

All other versions are not compatible with the new era and must be updated.

tip

You can easily update your Mithril signer with this one-line command (it will be downloaded to the current directory by default; you can specify a custom folder with the -p option):

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-signer -d latest -p $(pwd)

Era switch plan for Pythagoras​

  • pre-release-preview network:

    • Create the era switch transaction (done at epoch 757)
    • Complete the era switch to Pythagoras at the transition to epoch 759
  • release-preprod network:

    • Create the era switch transaction (done at epoch 184)
    • Complete the era switch to Pythagoras at the transition to epoch 186
  • release-mainnet network:

    • Create the era switch transaction (done at epoch 537)
    • Complete the era switch to Pythagoras at the transition to epoch 539.
info

We use the era switch mechanism to introduce breaking changes in the Mithril protocol. Because these features are not backward compatible with the previous era, at least 95% of the stake must be running the new version for Pythagoras to activate. Refer to the Mithril network upgrade strategy ADR for more details.

For any inquiries or assistance, don't hesitate to contact the team on the Discord channel.

One line installer for Mithril binaries

Β· 2 min read
Mithril Team

One line installer for Mithril binaries​

To simplify the installation and updating of Mithril binaries, we have created a one line installer that downloads and installs the Mithril binaries for you. This installer is available for Linux and macOS and supports the Mithril signer, Mithril aggregator, and Mithril client CLI.

The one line command is also displayed in the various Download the pre-built binary sections across the documentation.

Examples of the one line installer​

  • Download the latest Mithril signer in the current directory:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-signer -d latest -p $(pwd)
  • Download the latest Mithril client CLI in the current directory:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d latest -p $(pwd)
  • Download the unstable Mithril aggregator in the current directory:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-aggregator -d unstable -p $(pwd)
  • Download the Mithril client of distribution 2445.0 in the current directory:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d 2445.0 -p $(pwd)

Installer usage​

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -h

Install or upgrade a Mithril node
Usage: sh [-n node] [-v version] [-d distribution] [-p path]
-c node : Mithril node to install or upgrade (mithril-signer, mithril-aggregator, mithril-client)
-d distribution : Distribution to upgrade to (latest, unstable or distribution version e.g '2445.0')
-p path : Path to install the component

For any inquiries or assistance, feel free to contact the team on the Discord channel.

New Protocol Insights Dashboard released

Β· One min read
Mithril Team

A new Protocol Insights Dashboard has been released​

We have released a new version of the Protocol Insights Dashboard, which provides a comprehensive view of the Mithril network and its performance metrics.

The Protocol Insights Dashboard is a valuable tool for monitoring the network and understanding its behavior:

  • Participation metrics
  • Usage metrics
  • Health metrics
  • Artifacts metrics
  • Software metrics.

Protocol Insights Dashboard

For any inquiries or assistance, don't hesitate to contact the team on the Discord channel.

Mithril aggregator Prometheus endpoint is available

Β· One min read
Mithril Team

Mithril aggregator Prometheus endpoint is available​

With the release of distribution 2445, the Mithril aggregator now includes an optional Prometheus endpoint for monitoring basic metrics.

After configuring the Prometheus endpoint, remember to restart the Mithril aggregator for the changes to take effect.

To make setup easier, a Grafana template is available for creating a dashboard to visualize metrics from the Prometheus endpoint (ID 22165): Grafana dashboard.

Grafana dashboard

For questions or support, feel free to contact the team on the Discord channel.

Certification of Cardano stake distribution

Β· 2 min read
Mithril Team

Certification of Cardano stake distribution​

Update 2025/01/13

We have activated the Cardano stake distribution certification on the release-mainnet network.

Update 2024/10/21

We have released stable support for the Cardano stake distribution certification with distributions 2437 and 2442.

A threshold of at least 95% of the stake running version 0.2.182 (within 10 days after the distribution 2442 is released) is mandatory to activate the certification of the Cardano stake distribution on the release-mainnet network.

The Mithril Protocol Insights dashboard displays the adoption rate of the different signer versions on the release-mainnet network.

With the release of the new distribution 2437, we have started to roll out the certification of the Cardano stake distribution in the Mithril networks.

The Mithril network now provides certified Cardano stake distribution data without requiring a full Cardano node, a useful feature for applications such as bridges and layer 2 solutions. The key features include:

  • Certification of the Cardano stake distribution of the ending epoch at each epoch transition
  • New HTTP routes in the aggregator REST API to access this certified data
  • Updates to the Mithril client library and CLI for retrieving and verifying Cardano stake distribution
  • WASM client support for these functionalities
  • Mithril Explorer now displays certified Cardano stake distribution.

The roll-out plan of the feature is the following:

  • Distribution 2437:
    • Activation of the certification of Cardano stake distribution in the pre-release-preview network
    • Activation of the certification of Cardano stake distribution in the release-preprod network
  • Distribution 2442:
    • Activation of the certification of Cardano stake distribution in the release-mainnet network.

For any inquiries or assistance, don't hesitate to contact the team on the Discord channel.

Mithril client WASM breaking change

Β· One min read
Mithril Team

Breaking change introduced in the unstable features of the Mithril client WASM​

With the release of distribution 2437, we introduced a breaking change to the Mithril client WASM version 0.4.1. Unstable features are now activated using a configuration option instead of the .unstable property.

This change ensures a seamless transition when new unstable features become stable, eliminating breaking changes in developer code and enhancing the developer experience.

To activate unstable features, use the following code:

let client = new MithrilClient(aggregator_endpoint, genesis_verification_key, {
// The following option activates the unstable features of the client.
// Unstable features will trigger an error if this option is not set.
unstable: true,
});

The previous client.unstable implementation is not supported anymore and must be replaced with client:

// Before
let mithril_stake_distributions_message =
await client.unstable.compute_mithril_stake_distribution_message(
last_stake_distribution,
);
// After
let mithril_stake_distributions_message =
await client.compute_mithril_stake_distribution_message(
last_stake_distribution,
);

The Mithril client WASM documentation is available here.

For questions or assistance, contact the team on the Discord channel.