Protocol Upgrade - V3.16.0
Bear market or not, THORChain builders keep shipping. Merge Requests drop faster than the Fed prints bills. In V3.16.0, THORChain delivers 94 merged MRs!
Many of these upgrades work quietly under the hood, focusing on strengthening stability, resilience, and security across the network. But a few will surprise you too, with foundations being laid for more chains. 👀
1️⃣ For all Chads
⛓️ Chain Integrations
New Chain Support
TLDR 👉 ZEC, SUI, ADA and POL are on their way!
🔹Add Sui chain and gas asset !4480
Introduces Sui support, including its native gas asset, expanding THORChain’s multi-chain connectivity and laying the groundwork for native cross-chain swaps involving Sui.
🔹Add Cardano chain and gas asset !4462
Introduces Cardano support, including its native gas asset and address handling. This expands THORChain’s multi-chain foundation and prepares the network for future native interoperability with Cardano.
🔹Add Polygon support !4460
Introduces Polygon integration using the existing EVM client framework, extending native cross-chain support to Polygon and improving access to EVM ecosystem liquidity.
🔹Add Zcash integration !4421
Adds native Zcash support, including chain-specific UTXO handling and RPC logic. This expands THORChain’s cross-chain reach and enables ZEC participation in native swaps.
🔹Oracle update for ZEC !4489
Adds ZEC support to the enshrined oracle, enabling native price tracking for Zcash within protocol logic. Also includes minor configuration and documentation fixes.
🔹Polygon scanner optimisation !4505
Updates Polygon handling to use eth_getBlockReceipts, improving transaction scanning efficiency and reducing RPC overhead. This helps make Polygon observation more reliable and performant.
Facilitating Chain Integration
🔹Chainnet support added !4490
Introduces Chainnet as a new independent network type using real external chains and fresh addresses. It launches from a clean genesis with dedicated infrastructure, enabling a new environment for testing or deployment with real-chain connectivity.
🛣️ Router & EVM Infrastructure
TLDR 👉 Router V6 is finally coming on THORChain (Read more here).
🔹[contract] EVM Router V6 !4094
Deploys Router V6.1, introducing a stateless router design where funds are forwarded directly to vaults. The upgrade enables memoless ERC20 deposits, batching for gas efficiency, and advanced integrations like transferOutAndCallV2, while simplifying the contract interface and improving upgrade flexibility for future iterations.
🔹[evm] Bifrost Router V6 Support !4175
Introduces automatic ERC20 approval handling for EVM chains ahead of Router V6. The client now checks allowances, submits approval transactions when required, and enforces sequential nonce safety so transfers only proceed once approvals succeed.
🔹[fix] Router Upgrade Solvency Handling !4553
Fixes multiple edge cases discovered during router upgrades. Solvency checks now validate balances against the correct router linked to each vault instead of relying on a single router reference. The update also enforces router-vault consistency to prevent funds being deposited into inactive routers, and improves inbound validation by correctly handling vault-origin transactions when contract whitelisting is disabled.
🔹fix(ethereum): pending balance check to prevent overspending !4386
Adds in-memory liability tracking for Ethereum signing so nodes account for unconfirmed outbounds before signing new ones. This prevents overspending and race conditions during high-volume events such as migrations, improving signing safety and balance accuracy.
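A sketch of the pending-liability idea from !4386, added here as an illustration and not taken from the THORChain codebase. PendingTracker, Reserve, Release and the vault and outbound IDs are hypothetical names, and the amounts are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// ErrOverspend: a new outbound would exceed the confirmed balance once
// already-signed, still-unconfirmed outbounds are subtracted.
var ErrOverspend = errors.New("outbound exceeds balance minus pending liabilities")

// PendingTracker is a hypothetical in-memory ledger of signed-but-unconfirmed
// outbounds: vault address -> outbound ID -> amount in wei.
type PendingTracker struct {
	mu      sync.Mutex
	pending map[string]map[string]*big.Int
}

func NewPendingTracker() *PendingTracker {
	return &PendingTracker{pending: make(map[string]map[string]*big.Int)}
}

// liabilityLocked sums the pending amounts for a vault; caller holds t.mu.
func (t *PendingTracker) liabilityLocked(vault string) *big.Int {
	sum := new(big.Int)
	for _, amt := range t.pending[vault] {
		sum.Add(sum, amt)
	}
	return sum
}

// Liability returns the total amount currently reserved against a vault.
func (t *PendingTracker) Liability(vault string) *big.Int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.liabilityLocked(vault)
}

// Reserve performs the balance check and records the liability inside one
// critical section, so two signers racing on the same vault cannot both pass.
func (t *PendingTracker) Reserve(vault, id string, confirmed, amount *big.Int) error {
	if amount.Sign() <= 0 {
		return errors.New("amount must be positive")
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	if _, dup := t.pending[vault][id]; dup {
		return nil // retry of an outbound that is already reserved
	}
	spendable := new(big.Int).Sub(confirmed, t.liabilityLocked(vault))
	if spendable.Cmp(amount) < 0 {
		return ErrOverspend
	}
	if t.pending[vault] == nil {
		t.pending[vault] = make(map[string]*big.Int)
	}
	t.pending[vault][id] = new(big.Int).Set(amount)
	return nil
}

// Release drops a liability once the outbound confirms or is abandoned.
func (t *PendingTracker) Release(vault, id string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.pending[vault], id)
}

// wei builds a small constructed amount for the demo below.
func wei(n int64) *big.Int { return big.NewInt(n) }

func main() {
	tr := NewPendingTracker()
	fmt.Println(tr.Reserve("vaultA", "out-1", wei(10), wei(6)))
	fmt.Println(tr.Reserve("vaultA", "out-2", wei(10), wei(6)))
}
```

Without the tracker, both outbounds would pass a check against the confirmed balance of 10 alone, even though together they spend 12.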
🍰 App Layer & WASM
TLDR 👉 Permissions granted to DAODAO, introduction of a clear framework for the App Layer and security enhancement.
🔹WASM permissions update !4491
Adds the Redacted DAODAO multisig address to mainnet WASM permissions, allowing it to instantiate contracts.
🔹[ADR] App Layer Architecture Guide (ADR-020) !3999
Introduces the official design framework for THORChain’s hosted App Layer. It defines how permissioned WASM contracts run safely alongside the base layer, including strict execution boundaries, secured asset handling, governance controls, deployment guidelines, fee-sharing models, and emergency procedures. The ADR formalises the separation between base-layer security and app-level experimentation, enabling faster ecosystem development without adding systemic risk to THORChain.
🔹[P0] WASM contract execution whitelist !4452
Introduces a whitelist for L1 WASM contract execution, ensuring only approved contracts can be executed. This closes a critical security risk by preventing arbitrary user-controlled contract execution and adds governance-controlled activation via Mimir.
2️⃣ For the Advanced Chads and Nodes
Consensus / Chain Halt Prevention
🔸[Security] Churn retry division-by-zero protection !4497
Prevents a potential chain halt caused by division-by-zero if ChurnRetryInterval is set to zero via Mimir. The fix safely skips retry calculations while keeping normal validator churn operations working as expected.
🔸[Security] Asgard size division-by-zero protection !4496
Adds a safety guard to prevent a chain-halting division-by-zero error if AsgardSize is set to zero via Mimir. This ensures validator management logic remains safe under misconfiguration scenarios.
🔸[Security] Bad actor detection division-by-zero guard !4495
Prevents a potential chain halt by adding validation when BadValidatorRedline is set to zero. The update ensures validator monitoring logic safely handles invalid config values.
🔸[P0] Safe unmarshal in oracle BeginBlock !4431
Replaces panic-based decoding with safe error handling in the oracle manager. This prevents potential chain halts from corrupted data while allowing processing to continue safely.
🔸[Security] Safe unmarshalling in height iterators !4533
Replaces panic-based decoding with safe error handling when reading chain height data. This prevents potential chain halts caused by corrupted or malformed state during processes like state sync or genesis export, improving overall resilience.
🔸[Security] Propagate height tracking errors !4532
Improves safety by ensuring errors from chain height tracking are properly returned instead of silently ignored. This prevents edge cases where corrupted state could bypass validation checks and improves consensus safety.
🔸[Security] Node key validation hardening !4531
Moves key validation outside the node iterator to ensure empty or invalid keys are always rejected, even when no nodes exist yet. This strengthens keeper-level safety and prevents potential future edge cases during genesis or migrations.
🔸[P0] Gas price overflow protection !4440
Adds overflow validation in gas price calculations to prevent edge cases where extremely large values could bypass fee requirements. This closes a critical fee validation vulnerability and strengthens execution safety.
🔸[Security] CometBFT upgrade v0.38.21 !4451
Updates CometBFT to a patched security version, incorporating upstream fixes and improving consensus-layer stability and safety.
🔸3.15.0 security patch inclusion !4450
Includes additional security patches from the private 3.15.0 build into the public codebase, ensuring consistency between releases and maintaining aligned security fixes.
Accounting & Fund Safety
🔸[P0] Donation validation and pool balance protection !4457
Adds strict validation to ensure donation amounts match the funds actually received on-chain before updating pool balances. This prevents potential pool balance inflation and strengthens fund accounting integrity.
🔸[P1] Pool accounting consistency fix !4465
Fixes a pool accounting issue by ensuring balances are only reduced after fees are successfully transferred to the reserve. This prevents mismatches where funds could be deducted without being properly received.
🔸[P0] Swap refund error handling fix !4419
Fixes a critical issue where failed swaps followed by failed refunds could silently succeed. The handler now returns errors properly, ensuring failures are visible and preventing funds from becoming stuck without notice.
🔸[P0] TCY staker error handling fix !4434
Fixes a critical issue where staking errors were only logged but execution continued as successful. The handler now properly returns errors, preserving fund safety guarantees and ensuring accurate transaction outcomes.
🔸TCY claim atomicity and safety fix !4476
Fixes TCY claim handling to ensure failed claims fully roll back instead of leaving inconsistent state. Also adds balance rechecks during processing to prevent edge-case double-spend scenarios.
🔸[P1] Bond handler security fixes !4474
Improves bond handling by ensuring bond deductions only occur after successful transfers and by validating bond provider addresses. This prevents accounting inconsistencies and strengthens safety around bond operations.
🔸[Security] Bond provider fund safety fix !4524
Fixes an edge case where bond providers could lose funds if payouts partially failed during validator cleanup. The update ensures records are only removed after successful transfers, preserving state and allowing safe recovery of remaining funds.
🔸[P0] Outbound preparation security hardening !4420
Fixes multiple critical issues in outbound preparation, including fee handling, validation order, and error propagation. The update prevents pool balance corruption, enforces atomic accounting, and ensures fees and burns are correctly processed.
🔸[P0] Security fixes in refund handler !4405
Adds missing validation and vault checks in the refund flow. The update introduces duplicate refund protection and strengthens outbound safety by ensuring refunds cannot be processed multiple times or against invalid vault contexts.
🔸[P0] NoOp handler vault protection !4453
Adds strict validation and authorisation checks to the NoOp handler to prevent arbitrary vault balance manipulation. This closes a critical vulnerability and strengthens vault security controls.
🔸Errata outbound processing hardening !4439
Improves errata handling by reordering transfers to prevent state corruption on failure, bounding expensive loops, and validating compensation amounts against pool balances. This strengthens accounting safety and improves operational robustness.
🔸[Security] Outbound fee overflow protection !4518
Adds explicit overflow checks when converting large values in outbound fee calculations. Instead of silently capping values, errors are now properly propagated, preventing hidden accounting issues and improving safety in gas and fee handling.
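The two overflow items above (gas price overflow protection !4440 and outbound fee overflow protection !4518) describe a class of bug that the following added Go example illustrates in general terms. It is not THORChain code: the function names, the fee formula (rate times size) and the sample values are assumptions chosen to show wrap-around and silent capping next to their checked forms.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/big"
	"math/bits"
)

// ErrOutOfRange is returned instead of wrapping or capping a value.
var ErrOutOfRange = errors.New("value out of range")

// requiredFeeWrapping multiplies with Go's default uint64 semantics, which
// wrap modulo 2^64. A huge rate can therefore yield a tiny required fee.
func requiredFeeWrapping(gasRate, txSize uint64) uint64 {
	return gasRate * txSize
}

// requiredFeeChecked uses the full 128-bit product and rejects any result
// that does not fit in 64 bits.
func requiredFeeChecked(gasRate, txSize uint64) (uint64, error) {
	hi, lo := bits.Mul64(gasRate, txSize)
	if hi != 0 {
		return 0, ErrOutOfRange
	}
	return lo, nil
}

// toInt64Capped is the "silently capping" pattern: every non-negative value
// above MaxInt64 collapses to the same number, so the caller cannot tell
// that precision was lost. Assumes v is non-negative.
func toInt64Capped(v *big.Int) int64 {
	if v.IsInt64() {
		return v.Int64()
	}
	return math.MaxInt64
}

// toInt64Checked propagates an error for anything outside [0, MaxInt64].
func toInt64Checked(v *big.Int) (int64, error) {
	if v.Sign() < 0 || !v.IsInt64() {
		return 0, ErrOutOfRange
	}
	return v.Int64(), nil
}

// pow2 returns 2^n, used to construct oversized sample values.
func pow2(n uint) *big.Int { return new(big.Int).Lsh(big.NewInt(1), n) }

func main() {
	// Constructed input: (2^63 + 5) * 2 = 2^64 + 10, which wraps to 10.
	rate, size := uint64(1<<63)+5, uint64(2)
	fmt.Println("wrapping:", requiredFeeWrapping(rate, size))
	_, err := requiredFeeChecked(rate, size)
	fmt.Println("checked: ", err)

	fmt.Println("capped:  ", toInt64Capped(pow2(70)))
	_, err = toInt64Checked(pow2(70))
	fmt.Println("checked: ", err)
}
```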
Validation & Handler Hardening
🔸[P0] Common outbound handler security hardening !4433
Strengthens outbound processing with additional vault validation, deterministic logic fixes, and improved handling of operational transactions. These changes reduce risk of invalid outbounds and improve consistency in consensus execution.
🔸[P1] Observed outbound quorum safety fixes !4485
Fixes nil-check and error-handling issues in outbound observation logic. The update prevents potential crashes and avoids silent state inconsistencies by ensuring failures are properly surfaced.
🔸[P1] TSS blame node validation !4477
Adds validation limits on blame nodes in TSS pool messages to prevent excessive processing. This protects block performance by stopping expensive invalid messages before they reach execution.
🔸[P1] Safe logging validation order fix !4425
Moves logging that accessed transaction coins to occur after validation checks, preventing a potential panic when coin data is missing. This improves stability and defensive safety.
🔸[P1] Limit swap modification safety fixes !4464
Improves limit swap modification handling by preventing unnecessary store reads and ensuring donation failures cause the transaction to fully revert. This avoids potential gas griefing and guarantees atomic fund safety.
🔸[P0] THORName handler security hardening !4438
Fixes multiple critical issues in THORName management, including division-by-zero and integer overflow risks, and prevents duplicate operations within the same transaction. This strengthens validation logic and protects against potential state manipulation or chain instability.
🔸Defensive Coins length check in trading halt logic !4539
Adds a safety check to prevent edge-case failures when a swap message contains empty asset data. The update ensures trading halt logic handles malformed transactions safely without risking unexpected execution errors.
🔸[Security] TCY trading halt boundary fix !4535
Corrects an off-by-one error that could allow TCY trading to continue for one extra block after a halt was triggered. The fix aligns TCY behaviour with other halt mechanisms, ensuring trading stops exactly when intended.
🔸[P0] Ragnarok address validation fix !4432
Adds proper error handling when deriving addresses during Ragnarok processing. This prevents invalid zero-value comparisons and avoids incorrect transaction matching in edge cases.
Swap Engine & Queue
Advanced Swap Queue Logic
🔸Rapid swap direction tracking !4507
Adds direction awareness to rapid swaps to prevent repeated same-direction swaps from draining pool liquidity. Same-direction swaps are skipped after the first iteration, while counter-direction swaps continue, improving liquidity balance and execution safety.
🔸Swap queue ordering update !4506
Reverts swap queue sorting back to pure fee and slip scoring instead of prioritising by swap type. This ensures higher-value swaps are processed first, improving execution efficiency and maximising protocol revenue.
🔸Advanced swap queue scoring improvements !4463
Improves swap queue prioritisation by scoring streaming swaps based on upcoming sub-swap size rather than total deposit, leading to fairer execution. Also introduces sorting refinements to better organise limit and market swaps while preserving score-based ordering.
🔸[P1] Swap queue error propagation fix !4422
Fixes legacy swap handling so failures to insert swaps into the queue are properly returned instead of silently ignored. This ensures failed swaps trigger refunds rather than leaving funds stuck without execution.
🔸Limit swap execution and state sync improvements !4530
Refines limit swap handling by improving event ordering, syncing streaming swap state correctly, and ensuring TTL errors are properly propagated. The result is more reliable swap execution, cleaner state tracking, and better consistency across limit and rapid swap flows.
Limit Swap Improvements
🔸[P1] Expired limit swap processing fix !4487
Removes a hard-coded loop limit that could prevent some limit swaps from being processed at expiry. The update ensures all swap indices are handled correctly, preventing potential fund lock situations.
🔸Expired limit refund handling fix !4516
Fixes an issue where refunds from expired limit orders could fail if tied to inactive vaults. The update ensures refunds are rerouted through active vaults when needed, improving reliability and preventing dropped outbound transactions.
🔸[Fix] Limit swap custom TTL handling !4510
Fixes a bug where limit swaps with a custom TTL above the maximum allowed value could set swap quantity to zero, causing repeated execution failures. The update ensures quantities remain valid and caps TTL values safely, restoring normal limit swap execution.
🔸Limit swap regression test expansion !4501
Adds comprehensive regression tests covering limit swap permissions, lifecycle behaviour, and secured asset scenarios. This strengthens testing coverage and helps prevent future regressions in advanced swap queue logic.
🔸[Security] Limit swap authorisation model documentation !4499
Adds documentation clarifying that a reported limit swap authorisation issue was a false positive. The change explains why spoofing is not possible in real message flow and improves audit clarity. No functional code changes.
Market / Streaming Swaps
🔸[Fix] Auto oversolvency calculation adjustment !4513
Updates solvency calculations to ignore native asset swaps and outbounds, preventing incorrect oversolvency signals. This improves accuracy of protocol safety checks and reduces false alerts in normal operation.
🔸[Fix] Auto oversolvency asset filtering !4435
Corrects oversolvency logic to properly exclude native and derived assets from processing, improving solvency calculation accuracy and preventing incorrect safety signals.
🔸[P2] Solvency check gas asset improvement !4444
Refines solvency checks by applying consistent validation across all assets, including gas assets, and introducing a fixed solvency gap threshold. This improves predictability and strengthens defensive accounting logic.
🔸Solvency calculation fix for streaming swaps !4454
Fixes a double-counting issue in solvency calculations where streaming swaps could be counted twice. The update now only accounts for the remaining amount still pending, resulting in more accurate network solvency reporting.
🔸[fix] Account for outbound fee in market swap limits !4402
Updates market (non order-book) swap logic to include outbound fees when enforcing limits, bringing behaviour in line with limit swaps. This improves consistency but may require integrators to adjust if they previously compensated by setting artificially higher limits.
Observations, Bifrost & P2P
🔸prevent mempool transactions from being marked as final !4389
Fixes a Bifrost bug where mempool outbounds were incorrectly flagged as final. The update keeps fast observation while correctly setting final=false until the transaction is actually confirmed on the external chain, avoiding attestation grouping issues.
🔸[Fix] Observation flow improvement !4470
Prevents cancel transactions from creating duplicate observations that could block other observations within the same block. This improves observation processing reliability and avoids stuck attestations.
🔸remove invalid transactions from deck to prevent log spam !4410
This MR fixes a long-standing observer spam issue where malformed transactions were getting stuck in the Bifrost observation deck and repeatedly retried, generating massive log noise.
🔸[fix] Node Gate Filter Min Bond Only !4552
Fixes a P2P gating issue where jailed nodes could not reconnect after keygen failures because preflight readiness blocked connections. The filter now only enforces minimum bond requirements, allowing jailed nodes to reconnect and recover while still maintaining basic network safety controls.
🔸[P2P] Connection gate for Bifrost !4484
Adds a connection gate to Bifrost P2P so only active and ready nodes can connect. This improves network hygiene and peer stability, with a Mimir switch allowing operators to disable it if needed.
🔸[Fix] Instant observe sensitivity increase !4481
Adjusts instant observation thresholds so a simple vault majority is enough to prevent cross-vault rescheduling. This reduces double-spend risk and strengthens outbound safety during observation.
🔸[Fix] Reduce errata noise on non-vault transactions !4478
Filters non-THORChain transactions from errata processing during reorgs, preventing unnecessary error logs and reducing extra processing. This improves signal quality and operational clarity.
Memo and Memoless
🔸[Security] Memoless reference memo risk documentation !4508
Adds clear documentation warning that changing MemolessTxnRefCount via governance can invalidate existing references. This is expected behaviour but now explicitly documented so operators can coordinate changes safely and avoid accidental state breakage.
🔸[Security] Reference memo behaviour documentation !4504
Adds documentation clarifying that stale hash aliases in reference memos are intentional and not a security risk, since memo data is already publicly visible on-chain. This is a documentation-only clarification with no logic changes.
🔸[Security] Prevent phantom reference memo writes !4503
Fixes an issue where missing reference memos could create empty placeholder records in state. The update adds existence checks to prevent unintended state writes and keeps the KV store clean and consistent.
🔸[Security] Bifrost amount normalisation clarification !4502
Adds documentation explaining the 1e8 amount normalisation rule applied by Bifrost before transactions reach THORNode. This clarifies expected precision handling across chains and helps avoid future implementation mistakes.
🔸[Security] Reference memo not-found handling fix !4500
Adds proper validation when looking up reference memos by hash, returning explicit errors instead of zero-value records. This prevents invalid lookups from being treated as valid data and improves query safety and consistency.
🔸Reference memo audit tracking clarification !4483
Clarifies that reference memo usage is intentionally tracked even on failed attempts to preserve a full audit trail. This is a documentation and clarity update, not a logic change.
🔸[Fix] Native memoless module consistency !4479
Fixes an issue where memoless native transactions could route funds to the wrong module, preventing state inconsistencies and ensuring correct internal fund handling.
Chain Fixes
🔸[Fix] TRON outbound reliability improvements !4493
Fixes issues that could cause TRON outbounds to get stuck by improving timestamp determinism, adjusting reference block handling, and treating duplicate broadcast errors as successful. This improves signing consistency and prevents nodes from getting blocked on completed transactions.
🔸[Fix] TRON outbound observation memo handling !4471
Fixes a case-sensitivity issue affecting failed TRON outbound detection, ensuring outbound observations are classified correctly and processed reliably.
🔸[Security] Solana scanner balance calculation fix !4523
Hardens Solana transaction parsing by deriving transfer amounts directly from instruction data instead of balance deltas, removing a potential inflation vulnerability. Also improves fee calculation reliability and protects internal ordering logic to maintain accurate scanner behaviour.
Migration and chain operation
🔸[Migrate] Bond slash refunds !4482
Processes refunds for bond slashes related to a previously observed double-spend incident. This migration restores affected funds and corrects validator accounting.
CI / Infra
🔸[CI] Runtime optimisations !4537
Improves build and testing efficiency by adding smarter caching and reducing unnecessary processing during simulations. This speeds up development and testing cycles, helping upgrades and fixes move through the pipeline faster and more reliably.
🔸Use GitLab Dependency Proxy (CI stability) !4536
Routes Docker image downloads through GitLab’s caching proxy to avoid Docker Hub rate limits. This improves CI reliability and prevents build failures caused by pull limits, making testing and deployments more stable.
🔸[mocknet] Delay Litecoin MWEB activation !4534
Delays Litecoin MWEB activation in simulation environments to prevent test chains from stalling once a specific block height is reached. This improves mocknet stability and avoids intermittent failures during longer-running simulations.
Documentation and cleanup
🔸Network halt documentation update !4488
Improves and reorganises network halt documentation with clearer tables, added halt types, and updated operational references. This is a documentation clarity update to help operators better understand halt mechanisms.
🔸[Events] Nil dereference safeguards !4446
Fixes a potential crash related to memoless inbound lookups and adds additional defensive checks to prevent nil dereference edge cases, improving overall runtime stability.
🔸[Cleanup] Remove legacy version switching !4443
Cleans up outdated version-handling patterns across the codebase, simplifying maintenance and reducing complexity. This is a technical cleanup with no intended behavioural change.
🔸[Docs] EIP-7702 inbound support clarification !4442
Updates documentation to clarify that EIP-7702 support is inbound-only, improving developer understanding and reducing integration ambiguity.
🔸[fix] Preferred Asset Swap log noise !4414
Fixes noisy error logs caused by incorrect memo parsing for preferred-asset swaps (THOR-PREFERRED-ASSET-*). The update corrects the previous fix so affiliate fee handling no longer throws invalid tx type parsing errors during normal operation.