v1.7.19 - Marketplace & SFT Mint Security Release

github-actions released this 22 Jun 14:56
· 2 commits to develop since this release
v1.7.19
8bcc600

Release Notes - v1.7.19

Overview

This release remediates four coordinated-disclosure security advisories (two Critical, two High) in the asset / marketplace value layer — each an unbacked value-creation (mint) bug where KLV or KDA balances were credited with no matching debit, breaking supply conservation. It also ships a fork-gated consensus account freeze that immobilises the implicated accounts, an API-level rejection for those accounts, and a state-sync data-race fix.

⚠️ Consensus-affecting security release — upgrade all nodes. Unlike v1.7.18, this release changes transaction-processing rules, gated behind the fixMarketBuyOverflow fork flag. Every node MUST run a config whose fixMarketBuyOverflow activation epoch matches the network, or it will diverge from consensus. On mainnet the fork is active as of epoch 5741 (2026-06-05 19:00 UTC).

🔒 Security & Hardening

All consensus-affecting fixes below are gated behind the fixMarketBuyOverflow fork flag, so pre-fork history reprocesses identically and replay stays deterministic.

GHSA-p7gw-2pcp-5pf8 — Marketplace settlement value-creation / unbacked KLV mint (Critical · CVE-2026-54754)

executeBuyMarket split a buyer's payment into referral, royalty and market-owner shares, paying referral and royalties unconditionally while paying the owner share only when positive. When referral % + royalty % exceeded the bid, the owner share went negative and was silently skipped, so the protocol paid out more than it took in — minting the difference as spendable KLV.

  • Enforce at settlement that referral + royalties cannot exceed the bid; reject the transaction before any payout when the owner share would be negative.
  • Consensus account freeze (below) immobilises the implicated accounts.
  • Reported by @xportdao.
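The settlement arithmetic described above, as an added Go example (not the project's executeBuyMarket): the same share computation run with the pre-fork rule and with the fork-gated rule, plus the supply-conservation check that exposes the unbacked payout. Percentages as whole percent of the bid, the type and function names, and the 1000/70/60 inputs are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Payout is the split of one marketplace buy. Constructed types for this
// example, not the project's own settlement code.
type Payout struct {
	Referral, Royalty, Owner uint64
}

var errSharesExceedBid = errors.New("referral + royalties exceed bid")

// settleBuy splits bid into referral, royalty and market-owner shares
// (percentages are assumed to be whole percent of the bid).
// fixActive=false reproduces the pre-fork behaviour: referral and royalty are
// paid unconditionally and a negative owner share is silently skipped.
// fixActive=true is the fork-gated rule: reject before any payout when the
// owner share would be negative, so payouts can never exceed the bid.
func settleBuy(bid, referralPct, royaltyPct uint64, fixActive bool) (Payout, error) {
	referral := bid * referralPct / 100
	royalty := bid * royaltyPct / 100
	if referral+royalty > bid {
		if fixActive {
			return Payout{}, errSharesExceedBid
		}
		// pre-fork: owner is paid "only when positive", so nobody is charged
		// for the shortfall and the excess is credited out of thin air
		return Payout{Referral: referral, Royalty: royalty}, nil
	}
	return Payout{Referral: referral, Royalty: royalty, Owner: bid - referral - royalty}, nil
}

// minted is the supply-conservation check: total paid out minus the bid taken
// in. Anything other than 0 means the settlement created or destroyed value.
func minted(bid uint64, p Payout) int64 {
	return int64(p.Referral+p.Royalty+p.Owner) - int64(bid)
}

func main() {
	bid, ref, roy := uint64(1000), uint64(70), uint64(60)
	legacy, _ := settleBuy(bid, ref, roy, false)
	fmt.Printf("pre-fork: bid %d, paid %+v, minted %d\n", bid, legacy, minted(bid, legacy)) // minted 300
	if _, err := settleBuy(bid, ref, roy, true); err != nil {
		fmt.Println("post-fork:", err)
	}
}
```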

GHSA-cgc5-v3f2-8m2v — Integer overflow in split-royalty validation → unbounded KLV mint (Critical · CVE-2026-54755)

A uint32 overflow in split-royalty validation let split payouts exceed the royalty pool / 100%, minting unbacked native KLV.

  • Reject split-royalty payouts that exceed the royalty pool.
  • Reject over-100% split royalties at asset create and on the UpdateRoyalties trigger.

GHSA-v358-wf77-39xv — Percentage-royalty skips the source debit at exactly-100% splits (High · CVE-2026-55763)

The percentage-transfer royalty credited split recipients inside the loop but debited the sender only after the royaltiesToPay <= 0 early return. A split summing to exactly 100% drove the payable to 0 and skipped the debit, minting the royalty to recipients with no matching source debit.

  • Debit the sender up front, before the split loop, mirroring processFixedRoyaltiesTransfer.
  • Analyzed by @CertiK4Audit (CertiK).
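The debit-ordering bug above, as an added Go example (not the project's royalty code): the same percentage-royalty distribution run with the sender debit after the early return and with the debit moved before the split loop, checked against a total-supply invariant. The in-memory ledger, the remainder going to a pool owner, the account names and the 100-unit royalty are assumptions of this example.

```go
package main

import "fmt"

// Constructed in-memory balance table (not the project's state layer);
// Supply is the conservation invariant an internal transfer must not change.
type Ledger map[string]uint64

func (l Ledger) Supply() (t uint64) {
	for _, v := range l {
		t += v
	}
	return t
}

// One percentage-royalty recipient; Pct is a whole percent of the royalty
// pool, and splits are assumed already validated to sum to at most 100%.
type Split struct{ Addr string; Pct uint64 }

// payPercentageRoyalty pays the royalty owed by sender: each split gets its
// percentage and any remainder goes to poolOwner (an assumption here).
// debitFirst=false is the ordering the advisory describes (debit after the
// early return); debitFirst=true debits the sender before the loop (the fix).
func payPercentageRoyalty(l Ledger, sender, poolOwner string, royalty uint64, splits []Split, debitFirst bool) {
	if debitFirst {
		l[sender] -= royalty // sender assumed to hold enough
	}
	royaltiesToPay := royalty
	for _, s := range splits {
		share := royalty * s.Pct / 100
		l[s.Addr] += share
		royaltiesToPay -= share
	}
	if royaltiesToPay == 0 {
		return // exactly-100% split: pre-fix, the debit below is never reached
	}
	l[poolOwner] += royaltiesToPay
	if !debitFirst {
		l[sender] -= royalty
	}
}

func main() {
	for _, fixed := range []bool{false, true} {
		l := Ledger{"alice": 1000, "bob": 0, "carol": 0, "pool": 0}
		payPercentageRoyalty(l, "alice", "pool", 100, []Split{{"bob", 60}, {"carol", 40}}, fixed)
		fmt.Println("debitFirst:", fixed, "supply now", l.Supply()) // 1100, then 1000
	}
}
```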

GHSA-mrpp-v6pg-p54x — SFT add-quantity int64 overflow bypasses MaxSupply (High · CVE-2026-55764)

SFTAddCirculation added the amount then checked the signed cap; a large positive amount overflowed int64, wrapped Circulation negative, and let the mint proceed far past the declared MaxSupply (the fungible path had an equivalent guard; the SFT path did not).

  • Reject an add whose positive amount makes Circulation decrease, before persisting.
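The two integer-overflow guards from GHSA-cgc5-v3f2-8m2v and GHSA-mrpp-v6pg-p54x, as one added Go example (not the project's validation or SFTAddCirculation code): a wrapping uint32 percentage sum beside a carry-checked one, and the int64 circulation add with and without the "positive amount must not decrease Circulation" rule. The function names, the concrete split values and the reading of maxSupply <= 0 as "no cap" are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/bits"
)

// Pre-fix shape: a uint32 running total that wraps, so a set of splits far
// above 100% can come out at or below 100 and pass the cap check.
func sumSplitPercentWrapping(pcts []uint32) (sum uint32) {
	for _, p := range pcts {
		sum += p
	}
	return sum
}

// Hardened check: carry-checked addition via math/bits, cap enforced each step.
func validateSplitPercent(pcts []uint32) error {
	var sum, carry uint32
	for _, p := range pcts {
		if sum, carry = bits.Add32(sum, p, 0); carry != 0 {
			return errors.New("split percentages overflow uint32")
		}
		if sum > 100 {
			return errors.New("split percentages exceed 100%")
		}
	}
	return nil
}

// Pre-fix (fixActive=false) only the signed cap is checked after the add, so
// an amount that wraps Circulation negative slips past MaxSupply. The fix
// rejects a positive amount that makes Circulation decrease, before persisting.
func addSFTCirculation(circ, maxSupply, amount int64, fixActive bool) (int64, error) {
	next := circ + amount // Go wraps silently on signed overflow
	if fixActive && amount > 0 && next < circ {
		return circ, errors.New("add-quantity overflows int64 circulation")
	}
	if maxSupply > 0 && next > maxSupply { // maxSupply <= 0: no cap (assumption)
		return circ, errors.New("circulation would exceed MaxSupply")
	}
	return next, nil
}

func main() {
	fmt.Println(sumSplitPercentWrapping([]uint32{100, 4294967290})) // 94: a wrapped sum a <=100 check accepts
	fmt.Println(addSFTCirculation(10, 1000, math.MaxInt64, false))   // wrapped negative, accepted pre-fix
	fmt.Println(addSFTCirculation(10, 1000, math.MaxInt64, true))
}
```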

Consensus account freeze (fork-gated)

A canonical set of implicated accounts is immobilised: any transaction from a frozen account is rejected in txProcessor.ProcessTransaction (before any state is touched) and skipped on the proposer build path, so once the fork is active a block carrying such a tx is invalid fleet-wide. Submissions from these accounts are also rejected at the node API. The freeze blocks outgoing transfers only — balances are untouched — and is forward-prevention; it does not recover funds already moved out. A supply correction is tracked as a separate, deferred change.

Supporting hardening

  • Read KApp accounts uncached from the API and indexer goroutines, fixing a concurrent map read/write race against block processing on the shared cached instance.

🔄 Upgrade Notes

This is a consensus-affecting security release.

  • Upgrade all nodes to v1.7.19.
  • Ensure your node config's enableEpochs.fixMarketBuyOverflow matches the network's activation epoch. On mainnet the fork is active as of epoch 5741 (2026-06-05 19:00 UTC). A node running a different epoch for this flag will diverge from consensus.
  • No data migration is required.

Migration Path

Update to v1.7.19, set/confirm fixMarketBuyOverflow to the network activation epoch (mainnet: 5741), and restart nodes.

📦 What's Changed

The remediation was developed under embargo in a private security-advisory fork and merged as a single squashed commit (8bcc600b).

  • GHSA-p7gw-2pcp-5pf8 (CVE-2026-54754) — marketplace settlement value-creation fix + fork-gated consensus account freeze + API-level rejection
  • GHSA-cgc5-v3f2-8m2v (CVE-2026-54755) — split-royalty overflow: reject payouts over pool + reject over-100% royalties on create/trigger
  • GHSA-v358-wf77-39xv (CVE-2026-55763) — debit percentage-royalty pool before the split distribution
  • GHSA-mrpp-v6pg-p54x (CVE-2026-55764) — reject SFT add-quantity int64 circulation overflow
  • fix(state): read KApp accounts uncached from API and indexer goroutines

👥 Contributors

Security researchers

Thanks to the researchers who contributed to these advisories through coordinated disclosure:

Full Changelog: v1.7.18...v1.7.19