
2 posts tagged with "cardano-database"


Mithril Cardano database snapshots security advisory

Mithril Team


The Mithril team has published a security advisory for users running the Mithril client on the mainnet infrastructure:

  • Identifier: GHSA-qv97-5qr8-2266
  • Title: Mithril snapshots for Cardano database could be compromised by an adversary
  • Location: GHSA-qv97-5qr8-2266
  • Severity: Moderate (4.9/10).
Danger: We strongly encourage all mainnet users running a client library or client CLI to update to the latest versions to prevent the issue:

  • The Mithril client library has been fixed with version 0.12.2 and is available here
  • The Mithril client CLI has been fixed with version 0.12.1 and can be downloaded with the following command:
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d 2517.1 -p $(pwd)

Note that previous versions must no longer be used.

For any inquiries or assistance, contact the team on the Discord channel.

Breaking changes in client library and CLI

Mithril Team


The 2517 release introduces breaking changes to the Mithril client CLI and library.

Client CLI

The command for downloading a certified Cardano database using the Mithril client CLI has been updated starting from version 0.12.1:

  • The existing command remains functional but no longer downloads ancillary files (ledger state snapshot and last immutable file) by default. As a result, the fast bootstrap feature is disabled, requiring the Cardano node to compute the ledger state from the genesis block during startup:
mithril-client cardano-database download latest
  • To include ancillary files and enable fast bootstrap, use the new command with the --include-ancillary option:
mithril-client cardano-database download latest --include-ancillary --ancillary-verification-key <ANCILLARY_VERIFICATION_KEY>
Info: The new command requires an ancillary verification key. This key can be provided via the --ancillary-verification-key option or the ANCILLARY_VERIFICATION_KEY environment variable. Details are available on the Networks configuration page.

To update the Mithril client CLI, use the following one-line command. By default, it downloads to the current directory. To specify a custom folder, use the -p option:

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/input-output-hk/mithril/refs/heads/main/mithril-install.sh | sh -s -- -c mithril-client -d 2517.1 -p $(pwd)

For more details, refer to the Mithril client node documentation.
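
A pre-flight gate for scripted downloads, added here as an example (not code from the Mithril project): it refuses to proceed on a CLI older than the fixed version 0.12.1 and adds the ancillary options only when a key is supplied. The function names and the `mithril-client --version` output shape (`mithril-client x.y.z+commit`) are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not the project's own code.
MIN_CLI_VERSION="0.12.1"  # fixed CLI version named in the advisory

# Pull the first x.y.z out of a version string.
# Assumed shape: "mithril-client 0.12.1+abc1234".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# Return 0 when version $1 >= version $2, comparing each component numerically
# (a plain string compare would rank 0.9.10 above 0.12.1).
version_ge() {
    for i in 1 2 3; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print the arguments to pass to mithril-client, or fail on an old client.
# $1 = version string, $2 = ancillary verification key (may be empty)
download_args() {
    v=$(extract_version "$1")
    if [ -z "$v" ] || ! version_ge "$v" "$MIN_CLI_VERSION"; then
        echo "refusing: client '${v:-unknown}' is older than $MIN_CLI_VERSION" >&2
        return 1
    fi
    if [ -n "$2" ]; then
        # Fast bootstrap: ancillary files are downloaded and verified with the key.
        printf '%s\n' "cardano-database download latest --include-ancillary --ancillary-verification-key $2"
    else
        # No key: immutable files only, ledger state recomputed by the node.
        printf '%s\n' "cardano-database download latest"
    fi
}

# Constructed sample inputs (not real tool output):
download_args "mithril-client 0.12.1+abc1234" ""
download_args "mithril-client 0.11.0+abc1234" "" || echo "blocked as expected"

# Real use (assumes mithril-client is on PATH and supports --version):
#   args=$(download_args "$(mithril-client --version)" "$ANCILLARY_VERIFICATION_KEY") \
#       && mithril-client $args
```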

Client Library

The Mithril client library has also been updated. By default, it no longer downloads ancillary files (ledger state snapshot and last immutable file), which disables the fast bootstrap feature. Consequently, the Cardano node must compute the ledger state from the genesis block during startup.

To enable fast bootstrap, use the download_unpack_full function instead of download_unpack and provide the ancillary verification key with the set_ancillary_verification_key method:

  • Set the ancillary verification key using the set_ancillary_verification_key method when building the client:
    let client = ClientBuilder::aggregator(AGGREGATOR_ENDPOINT, GENESIS_VERIFICATION_KEY)
        .set_ancillary_verification_key(ANCILLARY_VERIFICATION_KEY.to_string()) // Added line
        .with_origin_tag(Some("EXAMPLE".to_string()))
        .build()?;
Info: The ancillary verification keys for the Mithril networks are available on the Networks configuration page.

  • Use the download_unpack_full function to download ancillary files:
    client
        .cardano_database()
        .download_unpack_full(&snapshot, target_directory)
        .await?;

For more information and a complete example, refer to the Mithril client library documentation.

If you have any questions or need assistance, contact the team on the Discord channel.