Changelog

All notable changes across the XE network components: core, explorer, web-wallet, and proof-of-uptime.

v0.6.0 — 2026-04-13

Multisig wallet support, XUSD faucet restrictions, and testnet token model.

Core

Features

  • Multisig wallets (#260) — M-of-N threshold signing with hash-derived addresses. New block types: multisig_open (registers keyset) and multisig_update (rotates keyset). Spending operations require threshold signatures; receives require only 1-of-N. Keyset storage rebuilt on startup.
  • XUSD-only faucet (#256) — Claims restricted to XUSD asset. Fixed amount of 100 XUSD per claim. Rate limited to once per account per 24 hours, enforced at ledger level.
  • Genesis block (#255) — One-time XE supply minting (1,000,000 XE) via pre-signed embedded genesis block. XE can no longer be claimed.
  • Delegation weight tracks XUSD — Voting weight now based on XUSD balance instead of XE, making governance accessible to faucet-funded testnet accounts.

API

  • POST /blocks/multisig_open — open a multisig account
  • POST /blocks/multisig_update — rotate a multisig keyset
  • GET /accounts/{address}/keyset — query multisig keyset

CLI

  • xe fund simplified to single 100 XUSD claim per invocation (was xe fund <amount> with looping)

Explorer

  • Multisig badge on account pages showing "M of N" threshold
  • Keyset display with full key list and copy buttons
  • Signatures array display on block detail pages
  • Conditional rendering for multisig vs single-key signatures

Deployment

  • Testnet wiped and redeployed with new token model
  • All 5 nodes updated (3 bootstrap + 2 provider)
  • Peer IDs refreshed after data wipe

v0.4.2 — 2026-04-02

Performance certificates, memory-hard benchmarks, and security hardening.

Core

Features

  • Performance certificates — providers run a ~60 second benchmark (375M iteration SHA-256 hash chain + 256MB memory-hard phase) on startup. Certificate includes attested timestamps, score, and merkle-root attestation proofs. Required for lease acceptance.
  • Certificate gossip — certificates broadcast via xe/certificates GossipSub topic. All nodes cache certificates. GET /certificate/{provider} serves cached certs from any node.
  • Compact certificate format — attestation merkle roots replace full arrays (2.6KB → 837 bytes, 69% reduction).
  • Memory-hard benchmark phase — 256MB lookup table with 1M sequential-dependency random reads. Prevents outsourcing (10,000× slower over network).
  • Benchmark tuning — 375M iterations targets ~60s on mid-range hardware. bm1: 59s, bm2: 62s.

Security

  • Mandatory attestations — lease_accept and lease_settle require timekeeper attestations. No self-reported timestamps. Closes #44.
  • Certificate validation in ledger — lease_accept verified against gossip cache: certificate must exist, belong to provider, and not be expired.
  • Iteration count validation — certificates with wrong iteration count rejected.
  • Per-wallet SSH keys — SSH key path derived from wallet file. Cross-wallet VM access prevented.
  • Timekeepers in genesis — sys.timekeepers required in state chain. Provider nodes refuse to start without it.

v0.4.1 — 2026-04-01

Unified CLI, mandatory attestations, sync optimizations, VM lifecycle hardening, and security fixes.

Core

Features

  • Unified xe CLI — single binary replaces xe-node, cli, xe-tool, and xe-lease-tool. 15 commands: node, wallet, fund, send, receive, providers, lease, vm, ssh, keygen, sign-block, and more. Interactive REPL removed.
  • Network ID — block hashes now include sys.network_id (e.g. "testnet"), preventing cross-network block replay and cross-epoch sync contamination after testnet wipes.
  • SSH gateway: direct-tcpip — SSH gateway supports direct-tcpip channels (ProxyJump). Consumer's SSH client negotiates end-to-end with the VM's sshd through the gateway tunnel. No man in the middle.
  • Shared client/ package — HTTP API client extracted for use by CLI and external tools.

Security

  • Mandatory attestations — lease_accept and lease_settle blocks are rejected without valid timekeeper attestations. Self-reported timestamps removed entirely. Closes #44.
  • Per-wallet SSH keys — SSH key path derived from wallet file, preventing cross-wallet VM access. Each wallet gets its own key.
  • Provider startup check — provider nodes refuse to start if sys.timekeepers is not configured in the state chain.
  • Timekeepers in genesis — sys.timekeepers added to genesis with bootstrap node keys (threshold 2 of 3).

Performance

  • Sync frontier tracking — periodic sync skips peers when frontiers haven't changed. Zero sync traffic when idle (was ~90 log lines per 45 seconds).
  • Block quarantine — permanently-invalid blocks (wrong hash, missing attestations) quarantined after first rejection. No repeated validation or log spam.

VM Lifecycle

  • Resource validation — provider checks available vCPUs, memory, and disk before accepting leases. Tracks reserved resources for in-flight provisions.
  • Provision-before-accept — VM provisioned before lease_accept block is committed. If provisioning fails, lease is not accepted.
  • Synchronous teardown — settlement tears down VMs synchronously instead of fire-and-forget. Orphan cleanup catches VMs that survived failed teardowns.
  • Dedup auto-accept — prevents gossip handler and watch loop from racing to accept the same lease.
  • VM status proxy — /vms/{hash} works via any node. Bootstrap nodes proxy to the provider via libp2p vm_status message.

Fixes

  • Tunnel validator allows any peer to relay (enables SSH gateway proxy)
  • Orphan cleanup only targets settled leases (was destroying in-flight provisions)
  • Fix bootstrap node dial configs after peer ID changes from testnet wipes

v0.3.1 — 2026-03-13

Multi-resource leasing, account directory, and P2P chat improvements.

Core

Features

  • Replace single units dimension with vcpus, memory_mb, and disk_gb on lease blocks
  • Add account directory service for account-to-node routing via gossip
  • Add account-to-account chat with directory-based peer resolution
  • Rename DM protocol to /xe/msg/1.0.0
  • Rename Go module to github.com/xe-poc-2/core

Fixes

  • Add identify handler and fallback peer discovery for VM credential delivery
  • Gossip directory registration immediately on startup
  • Account for clock skew in chat E2E test

Explorer

  • Add providers page with capacity metrics and progress bars
  • Update leases page for multi-resource model (vcpus, memory_mb, disk_gb)
  • Match provider field names to API response format

Web Wallet

  • Add compute page for VM lease management with terminal
  • Update compute page for multi-resource model
  • Add account-based chat with signed envelopes and directory registration
  • Match provider field names to API response format

v0.3.0 — 2026-03-10 to 2026-03-12

State chain governance, VM management, P2P messaging, and timekeeper attestations.

Core

Features

  • Add state chain package — deterministic replicated state machine for DAO governance with multisig blocks, KV store, and sync protocol
  • Add state chain API endpoints (/statechain/tip, /statechain/blocks, /statechain/kv, /statechain/keyset)
  • Add Kademlia DHT for peer discovery
  • Enable circuit relay and hole punching for NAT traversal
  • Add P2P direct messaging protocol over libp2p streams
  • Add chat message store with ring buffer and SSE support
  • Wire DHT, DM, and chat into node and API
  • Add VM manager package with mock implementation
  • Wire VM lifecycle into node and expose API endpoints (/vms, /vms/{lease}/exec)
  • Add timekeeper attestation system for lease blocks — signed timestamps from trusted nodes with quorum validation and median selection
  • Add attestation API endpoint and lease attestation demo
  • Regenerate genesis with known keys and add signing tests

Fixes

  • Validate sys.dao_keyset and sys.timekeepers structure at write time
  • Avoid stale state in lease accept/settle by deferring mutex acquisition
  • Tighten attestation skew to 10 minutes and use conservative (lower-middle) median
  • Add per-peer rate limiting to attestation DM handler
  • Cap attestation count per block at 20 and rate-limit attestation requests
  • Strip attestations from non-lease blocks to prevent gossip pollution
  • Reject attestations with timestamps too far from current time
  • Reject blocks on accounts with unresolved conflicts
  • Resolve data races in AddBlock and test helpers
  • Buffer votes arriving before conflict detection
  • Improve convergence timeout in conflict test script
  • Resolve conflict cleanup and gossip propagation lag
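
The attestation rules listed for this release (quorum of trusted timekeepers, 10-minute skew, cap of 20 per block, lower-middle median, overflow-safe time comparison) fit together as in the sketch below. This is an added example, not code from the XE core repository. The `Attestation` and `Keyset` types, the signed message layout, Ed25519 as the attestation signature scheme, measuring skew against the validator's own clock, and skipping (rather than rejecting the block on) an invalid attestation are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"sort"
)

const maxAttestations = 20                         // per-block cap named in the changelog
const maxSkewNs uint64 = 10 * 60 * 1_000_000_000 // 10-minute skew window, in nanoseconds
// Attestation is a hypothetical shape: a timekeeper signs blockHash || big-endian timestamp.
type Attestation struct {
	Signer    ed25519.PublicKey
	Timestamp int64 // Unix nanoseconds
	Sig       []byte
}
type Keyset []ed25519.PublicKey // stand-in for the sys.timekeepers key list

func attMsg(hash []byte, ts int64) []byte { return binary.BigEndian.AppendUint64(append([]byte{}, hash...), uint64(ts)) }
// signAtt signs with a key derived from a constructed one-byte seed (demo only).
func signAtt(seed byte, hash []byte, ts int64) Attestation {
	k := ed25519.NewKeyFromSeed(append(make([]byte, 31), seed))
	return Attestation{k.Public().(ed25519.PublicKey), ts, ed25519.Sign(k, attMsg(hash, ts))}
}

// withinSkew rejects negative times and subtracts in uint64, so nothing can overflow.
func withinSkew(ts, now int64) bool {
	if ts > now {
		ts, now = now, ts
	}
	return ts >= 0 && uint64(now)-uint64(ts) <= maxSkewNs
}

// AttestedTime returns the lower-middle median timestamp of the valid attestations.
func AttestedTime(hash []byte, atts []Attestation, keepers Keyset, threshold int, now int64) (int64, error) {
	if len(atts) > maxAttestations {
		return 0, fmt.Errorf("%d attestations exceeds cap of %d", len(atts), maxAttestations)
	}
	trusted, seen, ts := map[string]bool{}, map[string]bool{}, []int64{}
	for _, k := range keepers {
		trusted[string(k)] = true
	}
	for _, a := range atts {
		id := string(a.Signer)
		// Length check first: ed25519.Verify panics on a wrong-sized public key.
		if len(a.Signer) != ed25519.PublicKeySize || !trusted[id] || seen[id] ||
			!withinSkew(a.Timestamp, now) || !ed25519.Verify(a.Signer, attMsg(hash, a.Timestamp), a.Sig) {
			continue
		}
		seen[id], ts = true, append(ts, a.Timestamp)
	}
	if threshold < 1 || len(ts) < threshold {
		return 0, fmt.Errorf("quorum not met: %d valid, %d required", len(ts), threshold)
	}
	sort.Slice(ts, func(i, j int) bool { return ts[i] < ts[j] })
	return ts[(len(ts)-1)/2], nil // even count: take the earlier of the two middle values
}

func main() {
	hash, now := []byte("constructed-block-hash"), int64(1_700_000_000_000_000_000)
	a, b := signAtt(0, hash, now+3e9), signAtt(1, hash, now-1e9)
	fmt.Println(AttestedTime(hash, []Attestation{a, b}, Keyset{a.Signer, b.Signer}, 2, now))
}
```

Taking the earlier of the two middle values means a single timekeeper reporting a late timestamp cannot pull the attested time forward when only two attestations are present.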

Refactor

  • Rename protocol prefix from blocklattice to xe

Tests

  • Add state chain integration and E2E tests
  • Add VM E2E test script
  • Add chat E2E and stress/adversarial test scripts
  • Add ChatStore unit tests and extended DM protocol tests

Explorer

  • Add state chain block list, block detail, and KV browser pages
  • Normalize text sizing, colors, and truncation across all pages
  • Simplify hash truncation to 4...4 format
  • Truncate hashes in tables to prevent horizontal scroll
  • Rename binary from blocklattice to xe in Docker Compose

Web Wallet

  • Add DAO governance page — draft blocks, collect multisig signatures, submit
  • Add state inspector — browse state chain blocks and KV state
  • Add chat page with P2P messaging
  • Add compute page for VM management
  • Widen layout to match explorer, add version footer
  • Normalize text sizing, colors, and truncation

v0.2.0 — 2026-02-24 to 2026-03-06

Multi-asset support, compute leasing, security hardening, explorer rewrite, and web wallet.

Core

Features

  • Add multi-asset support — dual assets XE and XUSD with per-account per-asset balance tracking
  • Add emit (later renamed to claim) block type for minting tokens
  • Remove genesis block requirement — accounts open via claim or receive
  • Add compute lease system — lease, lease_accept, lease_settle block types with marketplace protocol
  • Overflow-safe lease cost calculation with deterministic pricing formula
  • Add POST /pow endpoint for server-side proof of work
  • Add accounts, all-pending, and recent-blocks API endpoints
  • Add build versioning with git SHA
  • Increase API rate limit from 2/s to 100/s
  • Add timestamps to accounts, pending, and peers API responses
  • Show peer IP:port and version in node info
  • Add bootstrap peer retry with 10-second interval
  • Persist libp2p host identity to disk
  • Add GET /node endpoint for peer and network info
  • Add CORS middleware and Dockerfile
  • Add configurable block timestamp validation with monotonicity checks

Security fixes (45+ findings addressed)

  • Bind HTTP API to localhost by default instead of all interfaces
  • Remove POST /accounts endpoint that exposed private key seed
  • Restrict CORS to specific origin instead of wildcard
  • Normalize hex fields to lowercase to prevent address identity splitting
  • Add request size limits to API and gossip to prevent OOM
  • Add HTTP server timeouts to prevent slowloris DoS
  • Add IP-based rate limiting with TTL eviction and 100k entry cap
  • Exempt OPTIONS preflight from rate limiting
  • Check proxy headers for client IP in rate limiter
  • Tighten gossip message size limit from 1 MiB to 4 KiB
  • Add vote gossip pre-validation to prevent CPU exhaustion
  • Add field length checks to gossip pre-validation
  • Snapshot vote weights at conflict detection time to prevent manipulation
  • Use big.Int for quorum weight tallying and total weight (overflow prevention)
  • Use snapshotted total weight for quorum threshold denominator
  • Reject duplicate votes from same representative on same conflict
  • Snapshot vote weight at cast time instead of tally time
  • Serialize HasVoted+PutVote with per-conflict mutex (TOCTOU fix)
  • Validate staged conflict winners before swap promotion
  • Add PoW validation for staged winner in confirmConflict
  • Add VerifyBlock call at start of SwapBlock
  • Hold per-account lock in confirmConflict to prevent orphaned blocks
  • Save demoted block to staging before swap to prevent data loss
  • Deep-copy WeightSnapshot map in MemStore conflict methods
  • Reject send-to-self blocks
  • Reject open blocks with non-empty source to prevent token minting
  • Reject negative timestamps to prevent int64 overflow bypass
  • Add uint64 overflow checks on receive balance arithmetic
  • Use overflow-safe absolute difference for timestamp window checks
  • Add length checks to VerifyBlock to prevent ed25519 panic
  • Cap conflict set to 10 entries to prevent unbounded growth
  • Cap sync client total blocks to prevent OOM
  • Add read size limits and server-side block cap to sync protocol
  • Rate-limit sync requests per peer to prevent amplification DoS
  • Rate-limit outbound sync per peer
  • Add concurrency limit to /pow endpoint to prevent CPU exhaustion
  • Add context cancellation and 30-second timeout to PoW computation
  • Cap snapshotWeights at MaxUint64 instead of dropping large weights
  • Atomic block commits to prevent token loss/duplication on crash
  • Add periodic BadgerDB value log garbage collection
  • Use non-blocking send on gossip channels to prevent backpressure
  • Fire conflict callback asynchronously to avoid holding account lock
  • Strip sensitive fields from /node endpoint and cache block count
  • Stop BadgerStore GC goroutine on Close
  • Track bootstrap retry goroutine with WaitGroup
  • Wait for handler goroutines in Node.Stop before closing store

Lease system fixes

  • Use ceiling division for lease duration to prevent underpayment
  • Use atomic addAssetBalance for lease stake return
  • Cap lease duration at 12 months to prevent expiry overflow
  • Serialize autoAcceptLease and trySettleExpiredLeases
  • Check provider capacity and XUSD balance before auto-offering
  • Add TTL eviction and size cap to pendingOffers map
  • Marketplace offer check compares against stake, not total cost
  • Prevent XUSD stake double-counting on restart after lease settlement

Other fixes

  • Correct delegation weight handling in SwapBlock for cross-asset swaps
  • Preserve delegation weight through blocks without Representative field
  • Update pending sends and delegation weights in SwapBlock
  • Validate conflict blocks before staging
  • Read all blocks in single transaction in GetAccountChain
  • Add offset/limit pagination to GetAllAccounts and GetAllPending
  • Limit per-account scan depth in GetRecentBlocks
  • Bound GetRecentBlocks memory by updating minTs during iteration
  • Use allowlist for retryable sync errors and reduce max retries
  • Skip accounts with unrecognised frontier hashes during sync
  • Retry sync blocks with unmet cross-account dependencies
  • Skip retrying permanently invalid blocks during sync
  • Return error when BadgerStore chain references missing block
  • Return error when settling a missing lease in BadgerStore
  • Release MemStore lock before calling IterateDelegations callback
  • Deep-copy votes in MemStore PutVote and GetVotesByConflict
  • Log errors in AllFrontiers instead of silently swallowing
  • Lower PoW difficulty to ~1s target
  • Invert PoW threshold check so anti-spam is functional
  • Return PoW nonce as string to avoid JS precision loss
  • Add MaxMessageSize to NewGossip fallback path
  • Increase gossip channel buffers from 64 to 256
  • Guard frontier write in CommitBlock to prevent corruption on non-frontier swaps
  • Warn when PoW difficulty is zero (validation disabled)
  • Warn when running as genesis node with hardcoded seed
  • Log warning when CORS wildcard origin is used
  • Prevent uint64 underflow in Node.Send balance calculation
  • Remove hardcoded genesis seed, use deterministic vote tie-breaking
  • Support loading genesis seed from file instead of env var
  • Add asset field to CLI send and receive commands

Refactor

  • Remove genesis block system, rename emit to claim
  • Replace node.New positional args with Config struct
  • Consolidate sync to v2 only, remove v1
  • Remove fork system, export interfaces, expand MemStore
  • Wire vote broadcasting via GossipSub
  • Rename image to core, update deploy paths and API endpoints
  • Remove stale v1/v2 sync naming and rewrite README

Tests

  • Add comprehensive E2E test suite for live cluster
  • Add three-node cluster test script (ldn, ffm, nyc)
  • Add crypto, genesis, MemStore, node, and conflict endpoint tests
  • Add integration tests with 3-node and 10-node clusters
  • Add competing open block conflict detection test
  • Update conflict test to handle fast resolution
  • Update Claim() callers and add XUSD claim/send/receive test
  • Rewrite all tests for claim-based setup

Explorer

Features

  • Full rewrite with TailwindCSS v4 — TUI-inspired monospace aesthetic
  • Rewrite all components: header, block card, block list, pending list, address link, hash link, copy button, truncation
  • Rewrite all pages: home dashboard, accounts, account detail, block detail, frontiers, conflicts, peers, pending
  • Add stats grid, node info section, and navigation cards to home page
  • Add peers page with node info and connected peers table
  • Add sortable tables with timestamp columns
  • Add pending page
  • Add leases page with current and historic leases
  • Add wallet link and responsive mobile layout
  • Split account balances into separate XE and XUSD columns
  • Show asset on all block types
  • Add amount, sender, recipient to recent transactions
  • Compute amount from balance delta for claim and receive blocks
  • Standardise font sizes and spacing across explorer
  • Add build versioning with git SHA
  • Delegate PoW to server with animated progress bar

Fixes

  • Use BigInt for nanosecond timestamps to prevent hash mismatch
  • Parse PoW nonce as BigInt to preserve uint64 precision
  • Block page signature style, hide genesis previous, fix NaN balance

Deployment

  • Add GitHub Actions CI workflow with Docker build and multi-host deploy
  • Add Caddy reverse proxy with wallet proxy, core domain support
  • Switch to GHCR images and relative API URL

Web Wallet

Features

  • Initial web wallet with auto-receive
  • Multi-wallet support with AES-GCM encryption (PBKDF2 100k iterations)
  • 5-minute idle session timeout with auto-lock
  • Background poller (5s interval) for pending transaction detection
  • Client-side PoW computation with Blake2b
  • Client-side ed25519 signing with TweetNaCl
  • Multi-asset support — XE and XUSD
  • Claim block support
  • V2 binary encoding matching Go implementation
  • Add /wallet base path, Dockerfile, and CI/CD workflow

Fixes

  • Use receive block type for all incoming transactions
  • Remove unused imports, dedupe getFrontier call

Proof of Uptime

Research and prototypes

  • PoC 1: Linear hash chain — dual-signed heartbeats chained via SHA-256
  • PoC 2: Merkle tree epochs — compress heartbeats into 32-byte epoch roots with selective disclosure
  • PoC 3: VDF-anchored chain — verifiable delay function prevents batch fabrication
  • PoC 4: Combined hash chain + merkle epochs (production candidate) — three-layer architecture with 3,681x compression
  • PoC 5: Combined + VDF — full construction with time-binding
  • Interactive demo script simulating 24 hours of uptime

Documentation

  • Problem statement defining core requirements
  • 10 approaches to proof of uptime (systematic survey)
  • Deep dive on fisherman model and ghost node defences
  • Competitive analysis across Akash, Flux, Phala, iExec, Golem, Render, and others
  • Staged rollout progression from MVP to confidential VMs
  • Red team v1 (20 questions on PoC 5) and v2 (updated for PoC 4)

v0.1.0 — 2026-02-21 to 2026-02-23

Initial block lattice implementation.

Core

  • Block lattice with account-per-chain architecture
  • Deterministic binary encoding for blocks (v2 format)
  • Ed25519 key pairs for account identity and block signing
  • SHA-256 block hashing
  • Blake2b proof of work for anti-spam
  • Store interface with MemStore and BadgerDB implementations
  • Pending send index by destination for efficient receive lookups
  • Per-account locking for parallel block processing
  • Fork detection for equivocating accounts
  • Delegation model and vote weight tracking (XE-only)
  • Conflict detection and equivocation tracking
  • Vote messages and vote casting with deterministic tie-breaking
  • Quorum tallying and block confirmation at 67% threshold
  • Frontier-based sync protocol (v2) for block synchronisation
  • HTTP REST API with account, block, pending, and frontier endpoints
  • Interactive CLI with send, receive, balance, chain, and peers commands
  • GossipSub for block and vote broadcasting
  • mDNS local peer discovery
  • Persistent node keypair across restarts
  • AllFrontiers support in BadgerStore for sync
  • Proof of work validation and computation wired into node

Explorer

  • Initial SvelteKit block explorer and wallet web app