Lisk v0.3.4 — Release Announcement
The latest Lisk client v0.3.4 has been released, and is now available for download via our downloads server. This version is a mandatory update, and is being released due to a critical transaction signature malleability issue found in the ed25519 implementation previously used by Lisk. Please note, in order to protect the network, all active delegates were patched prior to this release.
The implementation previously used, https://github.com/dazoe/ed25519, is based upon the default Ref10 specification, which does not check S < l when verifying signatures. This meant older transactions could be resent using a modified signature, S′ = S + l. With this release, v0.3.4, we have now switched our implementation to libsodium, which adds the necessary signature check. All node operators are therefore encouraged to update immediately.
An explanation of the issue is given here: http://crypto.stackexchange.com/questions/14712/no...
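To illustrate the check described above, this added Python example (not Lisk, dazoe/ed25519 or libsodium code) shows that [S]B and [S + l]B are the same curve point, which is why a verifier without the S < l check accepts both encodings, and that a strict check tells them apart. The function names, the scalar S and the R bytes are constructed for illustration.

```python
# Added example with constructed values; not code from Lisk or libsodium.
P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # group order l
D = -121665 * pow(121666, P - 2, P) % P               # curve constant d

def inv(x):
    return pow(x, P - 2, P)

def base_point():
    """Recover the Ed25519 base point B from y = 4/5 (RFC 8032)."""
    y = 4 * inv(5) % P
    x2 = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (x if x % 2 == 0 else P - x, y)

def add(a, b):
    """Affine twisted Edwards addition (complete, so it also doubles)."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def scalar_mult(k, pt):
    acc = (0, 1)                                      # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def is_canonical(sig):
    """The strict check: accept only 64-byte signatures with S < l."""
    return len(sig) == 64 and int.from_bytes(sig[32:], "little") < L

def add_l_to_s(sig):
    """Re-encode a signature (R || S) with S' = S + l, as in the text."""
    s = int.from_bytes(sig[32:], "little") + L
    return sig[:32] + s.to_bytes(32, "little")

if __name__ == "__main__":
    B, s = base_point(), 0x1234567890ABCDEF               # constructed scalar
    sig = bytes(range(32)) + s.to_bytes(32, "little")     # constructed R || S
    print("[S]B == [S+l]B:", scalar_mult(s, B) == scalar_mult(s + L, B))
    print("strict check:", is_canonical(sig), is_canonical(add_l_to_s(sig)))
```

Because B has order l, the verification equation only ever sees S modulo l, so the range check on the encoded S is the only thing that distinguishes the two byte strings.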
New versions of lisk-js, lisk-dapps-sdk, and lisk-cli have also been released. These are not directly affected by the vulnerability, but are now using the same library version to keep things in good order.
To install or update to Lisk v0.3.4 please read our official documentation.
As part of the current work-in-progress “Mainchain Stabilisation” milestone, recently outlined in the Lisk Development Roadmap, we are making huge efforts to overhaul the existing code base and test-suite. The first release candidates for Lisk v0.4.0 are already in operation on testnet. Please go to the #testnet channel on Lisk.Chat if you are interested in helping us test out new releases.
- Backporting transaction signature malleability fix. Replacing ed25519 implementation with js-nacl version 1.2.1, a high level API to libsodium.
For reference, you can always track our development progress via GitHub: https://github.com/LiskHQ/lisk