Changelog

​

New

• Exit-certificate claimer service: a new exit_certificate_claimer HTTP service in AggKit serves the data needed to call claimAsset on L1 for the bridge exits available to an address, with helper scripts (list-bridges.sh, claim-asset.sh, claim-all.sh). The service can run standalone or derive its config from an existing exit-certificate run via --exit-certificate-config. Default port 7080 (#1650).
• Off-chain LER computation in the exit-certificate tool: Step G is split into G1 (lite L2 bridge sync) and G2 (NewLocalExitRoot computation). G2 now supports an off-chain mode that computes the LER directly from the lite exit tree without an Anvil shadow-fork, alongside the default shadow-fork verification mode. exitAddress is now mandatory and several option names switch to the ignore* convention. Config files now accept JSON or TOML (#1633).
• Settlement attempt and job persistence: settlement attempts and jobs are persisted to storage before submission to L1, so pending settlements can recover attempt metadata and job payload after a node restart (#1550, #1551).

​

Updated

• Docker image version reporting: agglayer Docker and CI builds now stamp a real git-derived version at compile time, so the node startup log prints the version instead of VERGEN_IDEMPOTENT_OUTPUT (#1568).

​

Fixed

• Stuck settled-but-InError certificates: re-certification now queries the aggchain hash at the pre-settlement L1 block instead of latest, so stateful aggchain contracts no longer revert reconciliation with L2BlockNumberLessThanNextBlockNumber() after nextBlockNumber advances past the certificate’s L2 range. L1 archive access is required on the same path that already required it (#1563).
• l1infotreesync upgrade loop: upgrading from a legacy syncer (for example 0.8.x) to the multidownloader implementation no longer leaves the syncer stuck with not found in storage or blocks_reorged. When the last-processed block is at or below the finalized block, the multidownloader validates it against L1 by hash and resumes from lastBlock+1 on a match, removing the need to manually delete the DB (#1639, #1645).
• Bare-filename config paths: agglayer accepts a bare filename config path (for example agglayer.toml) again, without requiring a parent directory (#1553).

​

New

• Unified wallet connection with SVM: the widget’s wallet connection flow surfaces EVM and Solana wallets in the same connect dialog (#1019).
• Wallet screening for quote requests: quote requests are subject to wallet screening before a quote is returned (#853).
• intents.disable_v1_intent_protocol config and GetSupportedIntentProtocols API: deployments can disable the v1 intent protocol, and the supported-protocols RPC reflects the setting (#876, #884).
• Recipient picker pulse and a same-chain WETH↔ETH calldata demo scenario in the widget (#1080, #1079).

​

Updated

• Source-token selector: shows all wallet tokens and supports API-based search inline (#1006).
• Solana wallet cancellations are retryable: cancellations from Solana wallets during signing are treated as retryable rather than fatal (#1072).
• Solana destination edge timeline: Solana destination edge transaction states are included in intent state, and duplicate edge-tx rows in the Solana edge timeline are removed (#866, #1076).
• Default connector set: select native wallet connectors are removed from the widget’s default connector set (#1068).

​

Fixed

• Mainnet CCTP routes: a testnet-mode gate that was breaking mainnet CCTP routes is removed (#861).
• Expired persisted fee quotes: dispatch now regenerates a fresh fee quote when the persisted quote is within 1 minute of its 10-minute expiry, instead of sending an expired quote and being rejected. Stuck DESTINATION transactions also time out after 1 hour rather than waiting forever and starving the dispatch queue (#868).
• Deposit starvation behind in-flight rows: the dispatch dequeue no longer includes RELAYING/MINING rows, so stale in-flight rows from crashed or restarted workers no longer block recovery or starve deposit-dependent transactions (#858).
• Same-chain calldata cases: same-chain swaps with calldata, including same-chain same-token with exact input, route correctly (#1074, #1078).
• Solana destination flows: destination token selection updates correctly, destination fills no longer double-fill, and Fund is disabled until a Solana recipient is selected when the destination is Solana (#1073, #1082, #1083).
• Edge metadata rail persistence is retained correctly on intent records (#857).
• IntentTransactionGasFee.totalFeeUsd is now typed as float64 instead of string, aligning the API contract with how it is serialized (#854).
• Widget polish: connect-wallet close button, WETH demo icons, clipboard fallback compatibility, and inline-SVG canvas rendering (#1070, #1088, #1085, #1086).

​

New

• Private Send REST flow and status UI: Private Send now runs on the REST send flow with fee quoting, order creation, deposit submission, order polling, and a five-step lifecycle and status view. Failures after the deposit hand-off are tracked as recoverable rather than fatal (#304).
• Private Send recovery: a Settings recovery surface lets a connected wallet look up saved recoverable orders, inspect stuck balances, and submit stuck-UTXO withdrawals (#306).
• Wallet screening auth gate: authenticated wallets and connected EOAs are checked against a screening service before sign-in, OAuth callback, route loaders, auth-token setup, and the experimental wallet and login routes proceed. Blocked wallets are cleared from local auth state, redirected to sign-in, and shown a blocked-wallet notice. Screening URL and key are configured via environment variables (#287).

​

Updated

• Private Send availability analytics: availability now reports unsupported_chain for non-supported EVM chains and unsupported_token for collectibles and non-coin records before checking other eligibility (#305).

​

New

• 429 response on POST /auth/token (get bearer token): the token endpoint is rate-limited per client IP. When the limit is exceeded, the endpoint returns 429 with an ErrorResponse body and a Retry-After response header carrying the integer number of seconds to wait. Clients should branch on 429 alongside 200, 400, 401, and 500 and honor Retry-After before retrying.

​

Removed

• GET /accounts/{id}/balance: the standalone account-balance endpoint is no longer part of the public API. Read balances through GET /wallets/{id}/balance instead. The AccountBalance schema is removed.
• Account tag: the Account grouping is dropped from the API. Endpoints that referenced it now live under Wallet.

​

Updated

• GET /accounts/{id}/transactions is now a Wallet operation: the endpoint is re-tagged from Account to Wallet and the summary becomes “List wallet transactions.” The path parameter id now expects a wallet ID with the wlt_ prefix. The path itself is unchanged, so existing integrations continue to work; update tooling, examples, and SDK groupings to file the endpoint under wallets.

​

New

• 502 response on POST /transactions (execute a transaction): synchronous provider failures during transaction execution now return 502 with a Transaction body in failed status, so clients can distinguish “created but failed at the provider” from “not created.” Handle 502 alongside 201 when calling the execute endpoint.

​

New

• Agentic wallet mode: dedicated landing experience with a terminal-style prompt copy flow for AI coding agents, plus an in-wallet inventory prompt card with docs link, reduced-motion support, and dismiss persistence.
• Earn interest disclosures and deposit terms: tooltip-based interest disclosures across the Earn list, detail, and deposit surfaces, with the APY column relabeled to Interest. A terms-and-conditions notice now appears below Review Deposit.
• Earn coin filters: switch between “Yours” (vaults for tokens in your inventory) and “All” to discover other opportunities, replacing the previous third “Vaults available for your funds” table.
• Inventory and empty-state defaults: collectibles are hidden by default until enabled in settings, the header wallet avatar stack is hidden when only one wallet exists, decorative placeholder cards are removed from empty states, and Earn defaults to all vaults when no coin tokens are held.

​

Updated

• Earn UX: vault data is now cached across page navigation with background refresh, sorting is available on any column with retained filters and sort order across navigation, deposit and withdraw amounts can be entered as a direct percentage, and vault selection rules now require APY under 100 percent (alongside the existing $300k minimum TVL and non-deprecated criteria) to filter out stale high-APY vaults.
• Private Send flow: refreshed UI with new step transitions, token selection, recipient selection, amount entry, and final send states.
• Terms of Use and Privacy Policy updated.

​

Fixed

• Transaction flow reliability: transaction relay and finality waiting now resolves only after a confirmed final status and handles cancellation and failure consistently; the sign-transaction modal scopes requested transactions correctly and keeps selected transactions visible while progressing; dapp send-wallet-transaction recovery handles wallet sync, duplicate approvals, stored transaction ids, the success idle state, and error rendering consistently.
• Inventory cache regressions after the persisted query cache migration: auth inventory prefetch now writes the canonical summary shape consumed by the inventory query hook, and recovery inventory reads are scoped to the requested recovery wallet, including the per-chain selection flow.
• Empty inventory notice no longer flickers when refreshing inventory.
• Earn snapshot initialization no longer gets permanently stuck if a background refresh is interrupted; the refresh lease now expires within 90 seconds and the next request re-triggers initialization.
• Private Send withdraw finalization behavior corrected.
• Trails success modal content fixed in the in-wallet cross-chain flow.
• Agentic mode terminal: text overflow fixed and generated CLI prompt arguments are now wrapped in double quotes for terminal-safe copy and paste.

​

New

• Mainnet block time reduced from 1.75 s to 1.5 s: on June 3 the network moved to 1.5-second blocks with the block gas limit held at 140 million, raising the effective execution rate from around 80 Mgas/s to around 93.3 Mgas/s. No operator action is required. As a heads-up, a follow-on block-gas-limit increase from 140 million to 160 million is currently scheduled for June 16 as the final step on the path to 5,000 TPS.
• Heimdall hard fork activated on mainnet at block 46361000: the validator-set fee-withdrawal gate hard fork activated on Polygon PoS mainnet at block 46361000 on June 2 at 14:00 UTC, with heimdall v0.8.1 as the matching public release. After the fork, fee-withdrawal operations on heimdall are restricted to addresses in the active validator set; requests from non-validators are rejected at message-handling time. The fork also activates the v0.8.x features documented in the June 1 entry (planned-downtime successor nomination, deterministic state syncs gated on visibilityTimeHeight, and the related bridge and consensus guards).

​

New

• Networks can be marked as disabled in configuration, so operators can stop accepting certificates from a chain without removing it from the deployment (#1160)

​

Updated

• Breaking: the admin API replaces forceSetCertificateStatus with forceEditCertificate, which takes a certificate ID, a process-now=true|false flag, and structured operations such as set-status,from=InError,to=Candidate or set-settlement-tx-hash,from=0x...,to=null. Update any operator tooling that called the previous endpoint (#1159)
• Breaking: prover transport is now gRPC-only. The prover_entrypoint config key is removed and the [grpc] block is mandatory; prover references a ProverType from the provers repository (#1195)
• Breaking: the [extra-certificate-signer] configuration variable is removed; drop the matching block from deployment configs (#1206)
• Default settlement confirmations raised from 1 to 12. Deployments that set this parameter explicitly are unaffected; deployments relying on the default now wait 12 blocks before processing a settlement (#1470)

​

New

• Hyperlane routes: Trails routes can now traverse Hyperlane Warp Routes, including first-party USDC HWR support across Arbitrum, Base, Polygon, Ethereum, and Katana. Hyperlane is enabled in AUTO routing with market-rate fee estimation, supports EXACT_INPUT trades, and includes destination-collateral checks, worker recovery, and underfunded-deposit refund handling.
• LayerZero Value Transfer (LZ_TRANSFER) routes: a new route provider built on the LayerZero Value Transfer API replaces the deprecated lz_stargate route. The widget exposes it as a selectable bridge option.
• Open Intents Framework (OIF) routes: OIF is wired in as a route provider, with an expired-order refund worker, explicit rejection of partial-fill quotes, and demo coverage for ETH USDC → Katana USDC.
• OMS Wallet widget theme: a new widget theme aligned with OMS Wallet, including a refreshed selected-wallet background.
• Recover funds screen: a dedicated screen in intent history for recovering stuck funds, replacing the prior inline recovery surface. Edge wallet intents are now included in history.
• Fund exact output: funding flows can now target an exact output amount.
• Recent chains in the chain selector: previously used chains surface at the top of the chain selector.
• Token selector refresh: a refresh control on the token selector reloads token lists inline.
• Widget chain and token filtering: new supportedChains and supportedTokensByChain widget props let integrators restrict the chains and tokens shown to users.
• GetEdges discovery API: a new RPC enumerates enabled edge rails so integrators can discover available cross-chain routes at runtime.
• Intent history filters: history and search now accept edge address, rail, mode, provider, and participant-address filters.
• Edge metadata on intent endpoints: intent receipts now include IntentEdgeMetadata with EdgeStatus, refund transaction hashes, and rail metadata.
• Same-chain “Swap & Receive” label: same-chain terminal swap steps are labeled clearly in transaction summaries.
• Wagmi auto-detection: the widget detects an active wagmi provider without explicit adapter configuration.
• Composable action resolver APIs: the composable-action resolver helpers are now exported for integrator use. See the Trails docs.
• Somnia chain support: Somnia is supported as a route destination, including USDC.e ↔ USDso swaps and SOMI OFT routes for cross-chain SOMI transfers, with refreshed SOMI branding in the widget.
• EVM↔Solana edge support (in QA): end-to-end EVM↔Solana intents are merged to master and available in the dev demo, with SVM wallet auto-detection, Solana-standard wallet support, Solana funding and settings rows, Solana-side refund and failure handling, and server-side edge execution via a new edge monitor worker. Targeting a follow-up SDK release once QA completes.

​

Updated

• Hyperlane fee breakdown: Hyperlane now shows as a Bridge rather than a Swap in the fee breakdown.
• WETH passthrough: self-wrap and self-unwrap quote shapes are now supported through passthrough.
• lz_stargate removed: the deprecated lz_stargate route provider has been removed in favor of LZ_TRANSFER.
• xai and blast chains removed: both chains are no longer supported by the Trails SDK.
• Widget input scope tightened: from.currency is restricted to fiat and from.token to ERC-20 in the widget.
• Multi-swap route discovery: routing now discovers multi-swap routes through intermediary tokens, broadening coverage.
• GetEarnPools chain list: refreshed list of chains exposed by the earn-pools endpoint.
• WaitIntentReceipt synthesis: receipts are now synthesized from intent state when no receipt row exists, removing a class of “pending” hangs.

​

Fixed

• Polygon USDT permit: salt-based EIP-712 domain handling now works correctly for the Polygon USDT permit flow.
• EVM signer resolution: quote requests now resolve the EVM signer address when a wallet session is connected but walletClient is still null (for example, MetaMask on Polygon before wagmi materializes the client).
• Embedded wallet approval prompt: the “Please approve…” prompt is hidden for embedded wallets, including OMS Wallet.
• Embedded wallet intent recovery: resolves a recovery hang for embedded wallets on v1 intents.
• Quote owner resolution: the connected EVM wallet is always used as the quote owner; the recipient address is never substituted.
• Quote route provider fee labels: corrected labels for route provider fees in quote breakdowns.
• Fund method disabled state: unlisted fund methods now render as disabled rather than enabled.
• WalletConnect recovery flow: the WalletConnect recovery flow now completes without stalling.
• WalletConnect funding: WalletConnect funding now redirects to token selection and exposes a disconnect button. WalletConnect wallets are also shown when direct-transfer is hidden from fund methods.
• Native wallet reconnect on reload: native wallet sessions now reconnect on page reload.
• Recovery fee options: fee options no longer break for WaaS wallets in the recovery flow.
• v1.5 depositSignature: v1-only fields in depositSignature are now guarded for v1.5 compatibility.
• Credit-card flow placeholder: fund amount placeholder text fixed in the credit-card flow.
• SDK edge sends: the SDK no longer auto-executes intents after an edge deposit; server workers handle execution.
• Same-chain quote math: fixed PriceImpactUSD, native token normalization, and EXACT_INPUT calldata for same-chain quotes.
• Edge quote timeout: intents now abort cleanly on edge quote timeout.
• Fee caps: exact-input fees are capped to the residual amount, and CollectorFeeCap is scoped to EXACT_OUTPUT to fix an EXACT_INPUT bridge gas regression.
• Edge worker transaction hashes: init and refund transaction hashes now persist correctly through worker updates.
• Token decimals cache: scoped by chain to prevent cross-chain collisions.
• Deposit transfer logs: matching deposit transfer logs are summed instead of taking the first match.
• Outer approvals: redundant outer approvals are skipped for SDK-managed hydrateExecuteAndSweep multicalls.
• Multi-swap recipients: replay of multi-swap intents now preserves the original per-step recipients.
• Fee collector: corrected fee-collector validation, tokenlist fallthrough, and receipt-state edge cases.
• Send-transaction destination context: corrected propagation of destination context for send-transaction calls.

​

Updated

• Inbound blockchain networks: the BlockchainInNetwork enum used by the deposit-address simulation endpoint (POST /deposit-addresses/{depositAddressId}/simulate) now accepts INK and SUI in addition to BASE, ETHEREUM, and SOLANA. Integrators using the deposit-address flow can now simulate inbound USDC, USDT, or USAT transfers from Ink and Sui in sandbox.

​

New

• Heimdall-to-bor gRPC transport (opt-in): every bor-facing JSON-RPC now has a gRPC counterpart, selectable per-node via bor_grpc_flag in heimdall’s app.toml against bor’s new [grpc] config section. The GetBlockInfoInBatch call used in the consensus-critical ExtendVoteHandler path is around 4.4× faster on gRPC, and the wire path allocates 50 to 67 percent fewer bytes across the seven methods. Defaults are unchanged, and heimdall performs a startup hash-parity check across both transports before continuing.
• State-sync transaction tracing: state-sync (bor bridge event) transactions are now first-class in the debug_* tracing RPCs, including debug_traceBlockByNumber, debug_traceBlockByHash, debug_traceTransaction, debug_traceChain, debug_traceCall, debug_intermediateRoots, and debug_standardTraceBlockToFile. A new wrapped tracing hook collects multiple bridge events under a single synthetic root call frame per state-sync transaction, so callTracer-class tracers see one root with N sub-calls instead of N independent traces. The legacy debug_traceBorBlock RPC method has been removed; switch any callers to debug_traceBlockByNumber or debug_traceBlockByHash.
• p2p.nosnap config flag: decouples the local snapshot tree from serving the snap/1 p2p sub-protocol. Block producers can keep the flat-state snapshot enabled for fast local reads while declining to serve snap sync to peers, which removes unnecessary network and CPU overhead on validator boxes.
• miner.disable-pending-block flag: disables the pending-block creation loop in miner/worker. RPC queries against the pending tag return nil. Intended for non-validator and serving nodes that do not need a pending block.
• Builder-phase prefetch and new metrics: the builder pipeline now runs three additional, builder-synchronized prefetch phases (upfront plan scan, per-transaction forwarding, and freed-gas overflow), reducing cache-miss costs on contract-heavy blocks. New metrics include worker/prefetch/builder_added_percent and worker/txApplyDuration/{prefetched,notPrefetched}. Additional block-building timing metrics cover prepare-work duration, pending-transaction fetch time, and the count of header-time extensions.
• Heimdall planned downtime can nominate a successor: MsgSetProducerDowntime now accepts an optional target_producer_id to nominate a specific replacement. If the target is invalid, inactive, or also down for the range, selection falls back to round-robin. Gated on a coordinated hard fork.
• Heimdall deterministic state syncs: introduces height-pinned, one-block-delayed visibility for clerk events so that during heimdall halts pending events remain excluded and all validators derive identical query results. Activation is gated on visibilityTimeHeight, which is 0 (disabled) on all networks until the next hard fork is scheduled.
• Heimdall bridge self-healing expanded: the bridge self-heal loop now recovers SignerChange and UnstakeInit events in addition to StakeUpdate, unified through a single combined subgraph query that returns the max L1 nonce across the three event types. Receipt validation now rejects reverted L1 transactions and logs emitted by unexpected contracts.
• prepareProposalBudget in heimdall: implements an explicit time budget for proposal preparation in ABCI, bounding the work the proposer can do before block dissemination.

​

Updated

• Witness filestore is now the default: the filesystem-backed witness storage is now enabled by default in bor’s CLI. Existing operators on the database-backed store continue to work; new nodes pick up the filestore without additional flags.
• Witness configuration template hint: bor packaging templates now show [witness] with enable = false instead of the deprecated top-level witnessprotocol key, which the current parser no longer consumes. Update any custom configs that still use witnessprotocol.
• rpc.batchlimit renamed to rpc.batch-request-limit: bor’s templates and example config now use rpc.batch-request-limit, matching the runtime parser. The previous rpc.batchlimit key was silently ignored, which could leave nodes on the default batch limit of 1000 unintentionally.
• cache.triejournaldirectory is now wired end-to-end: operators who set this key in config.toml now get the configured directory respected. When unset, behavior is unchanged and the journal stays under <DATADIR>/triedb.
• Heimdall pruning defaults retuned: the shipped config.toml now defaults indexer = "null" (cometbft transaction index disabled), with the pruning interval reduced from 3h to 10m and EnforcedMinRetainBlocks reduced from 2,500,000 to 2,000,000. The effect on a mainnet RPC node is around 23 GB freed at steady state and the elimination of large pruning bursts. Operators who do not use /tx or /tx_search can also reclaim around 43 GB by removing the existing tx_index.db after upgrading.
• Heimdall bridge metric rename: the three self-heal Prometheus metrics moved into the heimdallv2 namespace and follow Prometheus naming conventions. self_healing_<chain>_StakeUpdate is now heimdallv2_self_healing_stake_events_processed_total, self_healing_<chain>_StateSynced is now heimdallv2_self_healing_state_syncs_processed_total, and self_healing_<chain>_NewHeaderBlock is now heimdallv2_self_healing_checkpoint_acks_processed_total. Update any dashboards or alerts that reference the old names.
• Heimdall bridge performance: vote-extension processing now pre-fetches L1 receipts in a single batched RPC call, the root-chain listener uses an O(1) topic-to-event map instead of a per-log linear ABI scan, and the clerk mempool check uses the typed CometBFT RPC client.
• Amoy bootnodes updated: bor’s compiled-in Amoy static peer list now points at the current set of Amoy bootnodes. Operators relying on the embedded list no longer need a manual override.
• Heimdall mainnet seeds and persistent peers: refreshed to the current working set, so nodes regenerating their config pick up working peers without manual intervention.

​

Fixed

• Bor recovers from milestone-mismatch forks without manual wipe: nodes that briefly forked off the canonical chain due to a heimdall startup hiccup or span propagation gap could enter a state where rewinding required canonical-chain blocks that the downloader refused to deliver, requiring an operator to wipe chain data. The mismatch-rewind path now resyncs the canonical segment from peers while still rejecting genuine sidechain ghost-state attacks.
• Forkid wire-format change reverted: a change that included polygon-specific forks (Rio, Madhugiri, Dandeli, Lisovo, Giugliano, Chicago, others) in the eth p2p handshake forkid hash was reverted because changing the wire forkid is a breaking peer-to-peer change. Nodes running the changed code could not handshake with older bor peers. A future, coordinated rollout will reintroduce the fix gated on a fork block.
• eth_estimateGas no longer fails on non-validator nodes: nodes whose configured signer is not in the active validator set previously returned “insufficient funds for transfer” against the pending block because Prepare() was failing on every block and the pending snapshot was never refreshed. Prepare() no longer fails for unauthorized signers; Seal() continues to reject blocks from unauthorized signers independently, so no invalid blocks can be produced.
• Live tracing no longer conflicts with the miner: bor running with live tracing enabled could call live tracing hooks from the miner path once it reached live, causing problems. The miner now disables the tracer in its vm.Config so only block synchronization invokes the tracer.
• Heimdall checkpoint submission off-by-one fixed: the bridge stopped submitting checkpoints to L1 after the indexer = "null" migration because the new tx-bytes lookup was passing the event’s block height instead of the height of the block that contained the checkpoint transaction. The lookup now uses height - 1, matching the invariant established by the side-tx post-handler running in the block after the one that included the message.
• Heimdall producer downtime span off-by-one fixed: veBlop spans created by PostHandleSetProducerDowntime were one block longer than intended (6,401 instead of 6,400), causing overlaps with adjacent spans. Gated behind producerDowntimeSpanFixHeight to preserve pre-fork behavior.
• (*Header).GetValidatorBytes no longer panics on short Extra: an exported helper used by indexers, light clients, and explorers panicked with slice bounds out of range when passed a header whose Extra field was shorter than 97 bytes on pre-Cancun configurations. The pre- and post-Cancun branches now share a single length guard and return nil for malformed input.
• Witness size recovers when filesystem metadata and DB disagree: if a crash interrupted a witness write between renaming the file on disk and writing the size key to the DB, witness pagination paths could silently fail because ReadWitnessSize returned nil. The lookup now falls back to os.Stat on the witness file when DB metadata is missing.
• Miner state-machine wedges closed: four silent stall paths in the producer state machine that could leak the pendingWorkBlock or pendingTasks map entry on edge cases (peer count zero during production, syncing-check early return, sealhash interrupt, full resultCh) are now plugged, with regression tests for each.
• SpanStore.PurgeCache no longer races its own poll loop: a background poller could write a freshly purged span back into the cache before the next test read, producing intermittent CI flakes. The poll goroutine is now cancelled and waited on before state is reset.
• Milestone websocket subscriber shuts down cleanly: the heimdall milestone subscriber outlived chainDb.Close() because it was launched with context.Background(). It now exits on the bor close channel, eliminating the burst of pebble: closed errors during shutdown.

​

New

• SP1 prover upgraded to v6 with backward-compatible reads of legacy v5 proofs and certificates, improving proof generation and verification performance during the migration window (#1525, #1545)
• gRPC ingress now rejects certificates carrying non-writable SP1 proof versions with a dedicated UnsupportedProofVersion error instead of failing downstream (#1522)
• Settlement service gains an auto-retry helper (retry_callback_until_success) that recovers from transient RPC errors instead of panicking (#1476)
• aggkit exit-certificate tool: Step A is split into A1 (tracing) and A2 (receipt-recovery fallback), addressable individually or together via --step a1, a2, or a, with automatic migration of legacy output files (#1630)
• aggkit exit-certificate tool: new stepAWindowSize option (default 5000) for independent Step A chunk sizing, and an abort-on-error mode that stops all workers on the first trace failure when ContinueOnTraceError=false. Trace errors now surface both the transaction hash and the underlying RPC message (#1629)
• aggkit exit-certificate tool: targetBlock accepts finality keywords (LatestBlock, FinalizedBlock), decimal/hex values, and relative offsets like LatestBlock/-10. The resolved block is persisted and reused across resumed runs (#1627)
• aggkit LET operator tooling: new craft-cert, send-cert --no-db, cert-status, and export-cert-exits subcommands, with stronger fallback diagnostics when aggsender bridge-exit data is unavailable (#1616, #1570)
• aggkit RPC client: new BatchBlockHeaderRetrieval option lets operators disable batch header requests and fall back to sequential calls for nodes that do not support batching (#1601)

​

Updated

• Per-epoch certificate rate limiting is restored: MAX_CERTIFICATE_PER_EPOCH and epoch-capacity gating in NetworkTask once again enforce one certificate per network per epoch (#1514)
• aggsender startup recovery now requires a manual database wipe when local certificate state diverges from AggLayer, replacing the previous automatic reconciliation (#1570)
• aggkit docs now document that event logs must be available from genesis and provide reth configuration for disabling receipt pruning to prevent historical sync failures (#1610)

​

Fixed

• aggkit exit-certificate tool now patches ERC-20 balances correctly for smart-contract-locked exits in Step G, supporting both OpenZeppelin v4 (slot 0) and v5 (namespaced storage) layouts. Resolves ERC20InsufficientBalance errors during SC-locked exit processing (#1622)
• aggkit Docker images now embed VERSION, GITREV, and GITBRANCH build metadata, so docker run aggkit version reports the correct values instead of empty fields (#1619, #1621)
• aggkit l2gersync no longer emits ERROR-level logs for max-block-range responses that are already handled by automatic chunking (#1607)
• aggkit ParseMaxRangeFromError now recognizes the query exceeds max block range RPC error format, so ClaimSyncer retries with chunked requests instead of failing (#1589)
• aggkit bridge-call matching now filters debug trace frames to actual CALL operations only, ignoring DELEGATECALL, STATICCALL, CALLCODE, and untyped frames (#1609)
• Pending certificate validation now uses the correct error type instead of CertificateCandidateError::UnexpectedHeight (#1289)

​

New

• Composable Actions: chain multiple destination calls into a single intent, with dynamic balance routing and support for multiple ERC-20 tokens in dynamic-amount slots. Integrators can sequence approvals, swaps, and custom calls inside one quote, with backend validation rejecting ambiguous recipient or passthrough configurations. See the Trails docs for usage.
• Token-first widget destinations: widgets now accept token-specific destination lists, letting you configure a fixed set of destination tokens (and chains) that users can pick from. Persisted token selections survive across sessions.
• Quote auto-refresh: expired quotes refresh automatically on the next user interaction before signing, so users no longer see an “Intent quote has expired” error in the pre-signing state. Refresh is suppressed once signing has begun.
• Wallet runtime adapters: Trails wallet runtimes are now decoupled behind explicit adapters, giving integrators a cleaner extension point for embedding custom wallet stacks.
• Configuration validation and offline recovery: intent configuration is now validated up front and cached locally, with pruning of stale entries. This enables offline recovery of in-flight intents.

​

Updated

• Widget lifecycle callbacks renamed: onSwapComplete, onPaymentComplete, onFundingComplete, and onWithdrawComplete are now onSwapSuccess, onPaymentSuccess, onFundingSuccess, and onWithdrawSuccess for consistency. Update your widget props to match the new names.
• WalletConnect: improved QR rendering, deep-link handling, and loading state in the WalletConnect flow.
• Quote input: clearer error states when the input amount or token is invalid.
• Send flow: destination chain now defaults to the connected wallet’s chain when no destination is specified.
• Mesh exchange: mesh exchange queries can now run without a configured trailsApiUrl.
• Receipt step ids: receipt step ids are now stable across renders, making them safer to use as React keys and analytics identifiers.
• SDK packaging: improved compatibility with Node environments and better tree-shaking for smaller bundles. Server-side rendering with Trails actions is now safe.

​

Fixed

• Fixed swap funding method selection so the chosen method is preserved across re-renders.
• Fixed the receiver token picker losing account context when switching accounts.
• Fixed chain-switch detection in the widget when users change networks mid-flow.
• Fixed Privy wallet modes incorrectly rendering a ConnectKit button.
• Fixed useQuote so QuoteError is available as a runtime value rather than a type-only export.
• Fixed missing deposit transaction enrichment in intent history.
• Wrapped errors now propagate via Error.cause, preserving the original stack and context for debugging.
• Composable-action quotes now reject a top-level recipient (which is per-call only) and omit the quote recipient in earn mode.
• Guarded against undefined details in UnknownRpcError checks to prevent spurious crashes.
• Removed a duplicate Pay fallback path that could double-trigger the pay flow.

​

New

• gRPC ingress now rejects certificates carrying non-writable SP1 proof versions and returns a structured UnsupportedProofVersion error, giving integrators explicit feedback when submitting proofs built with unsupported versions
• BatchBlockHeaderRetrieval is now configurable in [L1NetworkConfig.RPC] and [Common.L2RPC] in aggkit; set to false to disable batch RPC requests for endpoints that do not support them (v0.10.0-rc3)

​

Fixed

• Node process no longer panics on corrupt certificate rows; storage decode failures now surface as CodecError::Serialization instead of unwinding the process
• Pending certificate validation now returns the correct error type; previously reused CertificateCandidateError::UnexpectedHeight for a case it was not designed for
• ClaimSyncer now recognizes the “query exceeds max block range” RPC error and automatically retries with smaller block ranges, preventing sync failures on restrictive RPC endpoints (aggkit v0.10.0-rc2, v0.8.3-rc2)
• Bridge and claim sync debug traces now correctly match only CALL frames, preventing incorrect calldata extraction from DELEGATECALL, STATICCALL, or CALLCODE frames (aggkit v0.10.0-rc3, v0.8.3-rc3)

​

New

• Batch block header retrieval is now configurable via RPCClientConfig in aggkit, letting operators control how many block headers are fetched per RPC call (v0.10.0-rc3)

​

Fixed

• Pending certificate validation in agglayer now returns the correct error type; the code previously reused CertificateCandidateError::UnexpectedHeight, which is semantically reserved for epoch-context candidate certificates
• aggkit no longer emits a spurious error log when l2gersync encounters a block range that exceeds the RPC provider limit (v0.10.0-rc3)
• Bridge call matching in debug traces is corrected (aggkit v0.10.0-rc3, v0.8.3-rc3)
• aggkit now parses query exceeds max block range responses from RPC providers and retries with a reduced range instead of surfacing an unhandled error (v0.10.0-rc2, v0.8.3-rc2)

​

New

• PIP-86 recalibrates CHECKPOINT_REWARD on the L1 StakeManager to hold annual POL emission at the 1% target (103,530,000 POL/yr) as Polygon Chain transitions to faster block times. The parameter decreases from 34,695.98 POL to 29,414.92 POL per checkpoint when block time moves to 1.75s (planned May 5), and to 25,212.79 POL per checkpoint at 1.5s (planned May 19). No contract upgrades are required; both changes execute via updateCheckpointReward() through the existing Governance contract.
• PIP-87 proposes a fixed-cost payments program that gives payment companies predictable, fiat-denominated pricing for blockspace on Polygon. Revenue from the program is converted to stablecoins and distributed to validators and stakers via the existing PIP-65/82/85 framework, with a portion used to buy POL from the market for staker distribution and for the PIP-24 burn.

​

New

• Added miner.disable-pending-block config option to disable the pending block creation loop; when set, all pending block RPC queries return nil

​

Updated

• RPC gas cap is now bypassed only for internal system transactions; external eth_call and simulation requests are subject to the configured gas cap
• Private transaction relay now purges stale transactions more aggressively using per-block-producer error tracking, preventing unbounded in-memory growth under sustained relay load

​

Fixed

• eth_simulateV1 is re-enabled in v2.7.2; a context propagation error in the RPC path was causing the method to return incorrect results
• Fixed exponential memory growth in the pathDB BFS preload path: the node-child enumeration was enqueuing all 16 nibble children regardless of node type, causing the visited map to grow as O(16^depth) and consuming up to 14 GB per goroutine on restart, stalling block import for up to two hours on archive and full nodes
• Go runtime updated to 1.26.2, resolving 6 standard library CVEs in crypto/tls and crypto/x509 including a TLS 1.3 KeyUpdate denial-of-service and several certificate validation bypass issues

​

New

• Intents now support gas fee option selection. Specify fee options at quote time; the API validates the selected option against quoted options before execution, giving integrators explicit control over transaction costs.
• Wallet configuration is now stored at quote time and returned with the quote response, enabling reliable intent recovery and re-execution across sessions.

​

Fixed

• Recovery now correctly applies custom address overrides when deriving wallet context, preventing derived-address mismatches for intents configured with non-default addresses.

​

New

• The SDK now automatically resolves the best intent protocol version for each transaction. An explicit override, global config, or SDK default is checked in order, with a fallback to the API-provided default when the preferred version isn’t supported.

​

Updated

• The widget highlights the recipient address when it differs from the sender, making it easier to spot send-to-other flows before confirming.
• Expired quote errors now show a warning icon and offer a clear recovery path so users can retry without restarting the flow.

​

Fixed

• Fixed an issue where the recipient address could go stale after switching wallets in the widget.
• Fixed the add-wallet flow in the recipient selector so users can successfully add new recipient addresses.

​

New

• Added opt-in EVM execution optimization via --switch-dispatch CLI flag or EnableSwitchDispatch config option, introducing a fixed-size opcode stack and a switch-dispatch fast path for hot opcodes ported from GEVM

​

Updated

• Tuned PebbleDB write path (1 MiB BytesPerSync, adaptive compaction) and increased PathDB state buffer to 2 GB with intelligent carry-over across flushes, reducing write stalls for archive and full nodes
• Removed legacy UpdateDeps/GetDep DAG algorithm from BlockSTM, fully replaced by the DepsBuilder implementation

​

Fixed

• Fixed goroutine leaks in the witness request path that caused unbounded memory growth when peers disconnected during parallel stateless import

​

Fixed

• Claim syncer now determines its starting block from the earliest settled reference block (not the latest) when the database is empty on startup, preventing sync errors on fresh starts

​

Updated

• Increased max transaction packet size from 100 KB to 1 MB, improving transaction propagation between peers
• Reduced SRC buffer from 500ms to 100ms, allowing block producers to spend more time on transaction execution

​

Fixed

• bor_getLogs and bor_getLatestLogs now correctly return state-sync logs from blocks produced before the Madhugiri upgrade
• Prometheus _count metrics no longer reset to zero on each scrape, restoring correct rate(), increase(), and latency calculations for node operators

​

New

• Added end-to-end private send flow via Hinkal, including a dedicated status screen for deposit, withdraw, success, and failure states, and refreshed gas and privacy fee display with up to 4 decimal place precision
• Added Yield vault support to the Earn tab

• Default confirmations for L1 settlement increased from 1 to 12. Deployments that do not set this value explicitly are now safer by default.

• Added intents.disable_passthrough_quotes option. When set, the API omits passthrough quotes from intent results, giving integrators tighter control over which quote sources are returned.