Skip to content

Release/10.5.0#3394

Merged
basfroman merged 89 commits into
masterfrom
release/10.5.0
Jun 25, 2026
Merged

Release/10.5.0#3394
basfroman merged 89 commits into
masterfrom
release/10.5.0

Conversation

@basfroman

@basfroman basfroman commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

10.5.0 /2026-06-25

What's Changed

New Contributors

Full Changelog: v10.4.1...v10.5.0

basfroman and others added 30 commits May 26, 2026 20:14
Subtensor.commit_weights and AsyncSubtensor.commit_weights accepted a
version_key but never passed it to commit_weights_extrinsic, so the
commit hash was built with the default version_key. A reveal made
with the intended version_key then mismatched the committed hash and
was rejected on-chain.

Forward version_key=version_key in both wrappers, matching how
reveal_weights already does. Behavior-preserving for the default
(version_as_int); adds sync+async forwarding tests and sync+async
symptom-level commit/reveal hash-equality tests.
…atest-release

Fix after aiohttp latest release
…ts-version-key

Forward version_key from commit_weights
Update docstrings for kill_pure_proxy_extrinsic
…ock_hash-improvement

Improvement for async `determine_block_hash` method
basfroman and others added 22 commits June 15, 2026 20:07
…s-runtime-api-support

Add proxy types runtime api support
…ability-support

add `get_stake_availability_for_coldkeys` support
default_verify gated the signature check behind
`if synapse.dendrite.signature`, so a request with an empty or absent
signature skipped verification entirely. This lets anyone impersonate
any dendrite hotkey (e.g. a high-stake validator) by simply omitting the
signature — the request then passes verify and reaches blacklist/forward
as if it were genuinely signed.

Require a signature to be present, mirroring the existing "Missing Nonce"
guard, then verify it. A present-but-invalid signature was already
rejected; this closes the empty-signature hole.
default_verify gated the signature check behind
`if synapse.dendrite.signature`, so a request with an empty or absent
signature skipped verification entirely. This lets anyone impersonate
any dendrite hotkey (e.g. a high-stake validator) by simply omitting the
signature — the request then passes verify and reaches blacklist/forward
as if it were genuinely signed.

Require a signature to be present, mirroring the existing "Missing Nonce"
guard, then verify it. A present-but-invalid signature was already
rejected; this closes the empty-signature hole.
Exercise Axon.default_verify directly: a valid signature passes (nonce
recorded), an empty or absent signature now raises "Missing Signature"
(the auth-bypass regression this branch fixes), and a present-but-invalid
signature still raises "Signature mismatch".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…re-bypass

fix(axon): reject requests with missing signature in default_verify
@github-actions

Copy link
Copy Markdown

Bittensor SDK virtual environment sizes by Python version:

Comparing 5cceeb8 (before) → b9af04a (after).

Python Before After Δ
3.10 195 MB 195 MB 0 MB
3.11 211 MB 210 MB -1 MB
3.12 203 MB 194 MB -9 MB
3.13 203 MB 194 MB -9 MB
3.14 206 MB 197 MB -9 MB

@basfroman basfroman merged commit c4dca6b into master Jun 25, 2026
852 of 855 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants