CKB Dev Log 2026-06-24

[chenyukang]

Updates

Over the past two months, we have received more than a hundred reports from Bugbounty program.

Safety is always the top priority for CKB. We have fixed the urgent findings and observed that most of the CKB nodes have upgraded to the secure version.

We are grateful to the researchers for their contribution to the safety of the network.

As AI-assisted security analysis becomes more effective and accessible, expectations for software security are rising across the industry. We also have been integrating more AI tools into our development workflow to help identify potential issues earlier, and improve the overall security of CKB.

In response to the increasing number of security reports from AI tools, our bugbounty standards have also been adjusted accordingly.

Features

CKB v0.207.0 release

• CKB v0.207.0 was released on June 10, 2026 as a security release. This release includes urgent bug fixes from recent bug bounty reports, also with regular maintenance improvements: ckb 0.207.0 release

Tentacle QUIC transport

• Tentacle added end-to-end QuicSession support, wiring QUIC bidirectional streams into the existing protocol/session machinery while preserving the classic TCP/Yamux paths: quic: QuicSession implementation
• The final ServiceBuilder integration, public API polish, example, and documentation work is still under review: quic: ServiceBuilder integration

CKB voting and DAO treasury PoC

To activate CKB DAO treasury, there are two components we need provide technical solutions: treasury fund creating and proposals on-chain voting.

The activation depends on a hardfork and these remain research/PoC work rather than a confirmed CKB protocol change.

• DAO/voting research continued in ckb-vote-poc, now we have a completed on-chain voting with zero-knowledge solution.
• For treasury fund generating, we drafted Treasury Creating Component , outlining two spending paths for expired cell burning and approved proposal claims:
  • Creating component: creates treasury cells by consensus, similar to cellbase.
  • Expired treasury cells: can be burned after a lookback window with an incentive for the transaction creator
  • Approved proposals: can claim rewards through a matching proposal/reward script.

Improvements & Fixes

CKB core maintenance and hardening

• CKB continued security fixing, CI, tx-pool, relay, fee-statistics, storage/freezer, test-stability, and logging hardening.

  This work covered better orphan transaction handling, freezer hash validation, verify-queue behavior fixes, relayer notification/backpressure fixes, integration-test reliability improvements, and reduced remote-reject log amplification:

  • Fix: enhance orphan transaction handling and add test utilities
  • store: validate freezer hash lookups
  • Update cargo deny workflow to conditionally run security audit
  • fix: Respect tx-pool suspend commands before popping verify tasks
  • fix: Notify relayer when remote tx enqueue fails on full verify queue
  • fix: Ensure integration test required checks fail on chunk failures
  • chore: reduce remote reject log amplification

CKB-VM maintenance and educational content

• CKB-VM landed safer memory-fill cleanup, stricter RVC instruction reserved-bit handling, a decoder guard fix, release-workflow maintenance.
  • Refactor: replace unsafe memset implementation with safe slice.fill
  • Fix: update RVC instruction handling to enforce reserved bit checks
  • Decoder: fix self-comparison typo in rule_sbb MOP fusion guard
  • Update rust toolchain to v1.95.0
• The team published a series of educational notes on CKB-VM, covering snapshot architecture, snapshot evolution, and the W^X memory model. Related CKB-VM work continued around AI-assisted ckb-vm/ckb-script issue analysis and a follow-up ASM execution mode introduction.
  • Deep Dive into CKB-VM Snapshot V1: Architecture and Design Principles
  • Deep Dive into CKB-VM Snapshot V2: Evolution
  • Deep Dive into CKB-VM Memory Model: Design of W^X

CKB light client security

• CKB light client completed a batch of hardening fixes around arithmetic bounds, proof input validation, duplicate transaction hashes, and panic prevention. CKB-CLI also moved to the Rust 1.95.0 toolchain with clippy fixes.
  • fix: prevent overflow in update_latest_block_filter_hashes
  • fix: reject start_number beyond last_header to prevent underflow
  • fix: reject genesis last_header in verify_mmr_proof to prevent subtraction panic
  • fix: use checked arithmetic to prevent overflow in sampling code
  • fix: deduplicate tx hashes in GetTransactionsProof requests
  • chore: upgrade rust-toolchain to 1.95.0 and fix clippy warnings

Networking reliability and validation

• Tentacle tightened wasm X25519 peer-key validation, and the QUIC work continued from implementation into API/docs/review and follow-up reliability hardening.
  • Validate wasm X25519 peer key length exactly

In Pipeline

RocksDB storage schema optimization

• The RocksDB key schema refactor remains in review. The current design introduces block-number-prefixed storage keys, named column families, and an offline SST rebuild migration to reduce read/write amplification. Because it is an on-disk breaking change, migration and release timing are still being evaluated.
  • RocksDB schema refactor to reduce read/write amplification

Guix reproducible release flow

• A Guix reproducible build flow for Linux, macOS, and Windows remains open for review. The PR adds pinned Guix build scripts, Cargo source materialization from Cargo.lock, and repeated-build hash checks for release artifacts: build: add Guix reproducible release flow for Linux, MacOS, Windows

CKB core follow-up hardening

• Open CKB PRs continue around fee statistics, scheduled-audit permissions, supply-chain checks, verify-queue cleanup, fee-estimator bounds, workflow injection hardening, DAO lock validation, and public security issue cleanup:
  • chore: skip fee statistics blocks without tx sizes
  • ci: limit scheduled audit app token permissions
  • chore: avoid stored renotify permits in verify queue
  • fix: cap fee estimator bucket index
  • ci: harden Rust supply-chain checks
  • fix: Verify DAO lock size before tx-pool script execution
  • Fix some public security issues

Tentacle transport hardening

• There are still several security related fixes pending on reviewing:
  • fix: Enforce connection limits before inbound handshakes
  • fix: Apply backpressure when yamux substream delivery is blocked
  • fix: Avoid logging derived secio key material
  • Restore yamux write-stall timeout

CKB-VM and zkVM research

• Jolt-on-CKB-VM research continued with a no-std verifier port, benchmark work, and comparison against existing CKB cryptography libraries. The next step is to evaluate whether Jolt is a practical zkVM path for ckb-vm and turn the results into a feasibility report: jolt verifier port branch

CKB-CLI dependency and security cleanup

• CKB-CLI has follow-up dependency and security-audit cleanup PRs under review, including safer H160 error handling, rand audit handling, and dependency bumps for the CKB crate stack.
  • fix: replace H160::from_slice().unwrap() with proper error handling
  • fix: resolve security-audit rand unsound error
  • chore(deps): bump ckb-sdk from 5.0.0 to 5.1.0