Prop 31: v8.1.1 MAINNET MANTRA Chain Upgrade (Expedited)
MANTRA Chain v8.1.1 — Slash Repair and Stability Improvements
MANTRA CHAIN v8.1.1 Proposal
This expedited upgrade focuses on slash accounting repair and a series of stability and security fixes identified after the v8.0.0 mainnet release. The headline change is a repair to delegation slashing math: under specific conditions, large delegations could be silently skipped or under-slashed due to rounding and over-clamping in the slash routine. v8.1.1 corrects both issues so that slashes are applied accurately to all delegators, regardless of size. The release also closes an EVM gas-cap bypass, hardens the blacklist ante against nested MsgExec evasion, and fixes a wiring bug for the staking keeper.
Mainnet is upgrading directly from v8.0.0 to v8.1.1 and therefore receives all changes from both v8.1.0 and v8.1.1. The dukong testnet has run v8.1.0 and v8.1.1 sequentially and is operating cleanly.
Release Details:
- v8.1.0: github.com/MANTRA-Chain/mantrachain/releases/tag/v8.1.0
- v8.1.1: github.com/MANTRA-Chain/mantrachain/releases/tag/v8.1.1
Overall v8.1.1 Summary
This proposal triggers the MANTRA Chain v8.1.1 software upgrade. The upgrade repairs delegation slashing accuracy, enforces the EVM gas cap on inner calls, prevents MsgExec-based bypass of blacklist enforcement, corrects the staking keeper wired into the application, and ships a number of smaller correctness fixes accumulated since v8.0.0.
This is an expedited proposal due to the security-relevant nature of the CometBFT consensus/blocksync hardening, the EVM gas-cap and sanction-bypass fixes, and the importance of restoring correct slashing math for the validator set.
Motivation
After v8.0.0 went live on mainnet, two issues were identified in the slashing path that affect validator economics: rounding in the standard slashing flow could leave large delegations under-slashed, and the recently-introduced fixSilentlySkippedSlashes repair routine over-clamped its inputs and therefore did not fully repair the affected delegations. v8.1.1 addresses both so the chain's slashing accounting is consistent and complete.
Alongside the slashing repair, this release closes a security gap where eth_call and related EVM entry points ignored the configured gas cap (allowing arbitrarily expensive queries), tightens the blacklist ante to reject nested MsgExec payloads — a previously available bypass — and fixes a regression where the wrong staking keeper was wired into app.go, which could surface as inconsistent staking-related behavior in edge cases.
What Changed
| Area | Change |
|---|---|
| Slashing | fixSilentlySkippedSlashes no longer over-clamps; large delegations correctly repaired (#655) |
| Slashing | QuoTruncate used to prevent rounding loss on large delegations during slashing (#656) |
| EVM (security) | Gas cap parameter now honored in EVM calls; prevents excessive gas consumption via eth_call and friends (#647) |
| Sanctions (security) | Blacklist ante rejects nested MsgExec, closing an authz-based bypass (#648) |
| Staking | Correct staking keeper wired into app.go (#654) |
| ICS Provider | Redundant SetMaxValidators removed when seeding MaxProviderConsensusValidators (#645) |
| Distribution | Removed the precondition requiring withdraw address to equal delegator (#644) |
| Block sync | importBlockEvents now reports correct height count on failures (#642) |
| ERC20 | Error formatting in the ERC20 wrapper corrected (#643) |
| CometBFT (security) | CometBFT bumped from v0.38.21 to v0.38.23-pre, pulling in evidence-validation hardening and ExtendedCommit / full-commit verification fixes in blocksync (#641) |
Technical Module Changes
No state migrations are required. All fixes activate at the upgrade height as part of the standard binary swap.
- Slashing repair (
fixSilentlySkippedSlashes): The repair routine introduced to retroactively apply slashes that were silently skipped previously over-clamped its bounds, leaving some delegations un-repaired. v8.1.1 corrects the clamping logic so the routine fully reconciles affected delegations. - Slashing precision (
QuoTruncate): Standard slashing math now usesQuoTruncatein places where rounding could leave very large delegations slightly under-slashed. This brings slashing accounting into exact agreement with the slash factor for all delegation sizes. - EVM gas cap: Inner EVM calls now respect the configured gas cap parameter. Previously, the cap was ignored on certain code paths, which could allow a single query to consume excessive resources. This closes a denial-of-service vector at the RPC layer.
- Blacklist ante (nested
MsgExec): The blacklist ante handler now recursively inspectsMsgExecpayloads, rejecting transactions that attempt to wrap a sanctioned message inside an authzMsgExecto evade enforcement. - Staking keeper wiring: A regression in
app.gowired an incorrect staking keeper into one of the dependent modules. v8.1.1 restores the correct wiring; no state is affected, but downstream behavior is now consistent with intent. - ICS provider seeding:
MaxProviderConsensusValidatorsseeding no longer redundantly callsSetMaxValidators, which avoided a duplicate write but could mask intent during ICS-related parameter inspection. - Distribution withdraw address: The precondition that forced the withdraw address to equal the delegator address has been removed, restoring the documented behavior where a delegator may set an arbitrary withdraw address.
- Block event import: Error path in
importBlockEventsnow reports the correct processed-height count, improving operator visibility during state-sync and replay. - ERC20 wrapper error formatting: Error strings emitted by the ERC20 wrapper are now well-formed, fixing a cosmetic bug that affected client-side error parsing.
- CometBFT (security): Bumped from
v0.38.21to a pre-release ofv0.38.23(commit4928b26f, 2026-04-22). This pulls in the upstreamv0.38.22security release, which adds additional evidence validation and fixes incomplete commit verification in blocksync — specificallyExtendedCommitverification against the verified next block'sLastCommit, and full commit verification ofsecond.LastCommitduring sync. These fixes harden the consensus and blocksync paths against malformed evidence and unverified commit data.
Upgrade Mechanics
- At the upgrade block height, the chain halts and the
v8.1.1binary is applied. There are no state migrations associated with this release. - Upgrade handler: v8.1.1/app/upgrades/v8_1_1/upgrades.go
- Cosmovisor: Validators using Cosmovisor can configure automatic binary substitution via the published
cosmovisor.json. Pre-built binaries with SHA-256 checksums are available forlinux/amd64,linux/arm64,darwin/amd64, anddarwin/arm64:
https://raw.githubusercontent.com/MANTRA-Chain/net/refs/heads/main/mantra-1/upgrades/v8.1.1/cosmovisor.json
Binary Checksums
| Platform | SHA-256 |
|---|---|
linux/amd64 |
5e5363b0cae75757678f88dc36d3727beb3e45fa4efb225197755a0f2eff2fce |
linux/arm64 |
b60ddb3090a9e47dba25d91638ab0eb80f32186dc003f73aa63c104da87b6013 |
darwin/amd64 |
755ef4cf77ccdfee5b2b904c5f0021ee1b894dc1f88aaf5e7e4ca0c0af7095b4 |
darwin/arm64 |
d1983d716fbb490e8a47735674e556cd3b03ad85219976d47c79068acb8f8098 |
Release Changelog
| Release | Date | Key Changes |
|---|---|---|
v8.1.0 |
2026-04-30 | CometBFT security bump (v0.38.21 → v0.38.23-pre, evidence validation + blocksync commit verification); ICS SetMaxValidators cleanup; withdraw-address precondition removed; importBlockEvents height fix; ERC20 wrapper error formatting; nested MsgExec blacklist rejection; EVM gas-cap enforcement; staking keeper wiring fix |
v8.1.1 |
2026-05-01 | fixSilentlySkippedSlashes over-clamping fix; QuoTruncate applied to large-delegation slashing |
|
Field
|
Data
|
|---|---|
|
info
|
https://raw.githubusercontent.com/MANTRA-Chain/net/refs/heads/main/mantra-1/upgrades/v8.1.1/cosmovisor.json |
|
name
|
v8.1.1 |
|
time
|
0001-01-01T00:00:00Z |
|
height
|
14570000 |
|
upgraded_client_state
|