📣 Miner v3.1.1 security upgrade — Update your client (Windows + Linux)

[Scottcjn]

TL;DR: A multi-layer bug chain was preventing many miners from earning RTC, including a wallet-hijack vulnerability on the legacy unsigned attestation flow. Today's session fixed all of it server-side and shipped a new client release. If you're running v1.x of the Windows miner or any older Linux miner, you are either not earning OR you're vulnerable. Please update.

What changed (server side, deployed)

Five fixes landed across #6423, #6426, #6428, #6429, #6430. All deployed to Node 1, Node 2, and POWER8:

1. Canonical-JSON signature verification — server now accepts v3 Ed25519-signed attestations (was rejecting them all with INVALID_SIGNATURE)
2. HW-binding entropy field-names — accepts both legacy and v3 fingerprint field names; was tripping HARDWARE_BINDING_FAILED:entropy_insufficient on every fresh v3 miner
3. PowerPC cache profile — flat POWER8 cache hierarchies no longer falsely rejected
4. Settlement skip on epoch boundaries — miners enrolled in epoch N but attesting 1s after epoch end were silently dropped from rewards
5. Pentium M Banias antiquity tier — new 1.9× multiplier for 2003-era Pentium M (between PIII@2.0× and P4@1.5×)

What changed (client side)

Windows miner v3.1.1 is out, with Ed25519 signing on both /attest/submit AND /epoch/enroll.

• v1.0.0-miner (Feb 2026) or older: your attestations succeed but you earn ZERO. Old miner doesn't ship fingerprint_checks.py.
• v3.0.0-miner (briefly released today, yanked): attestation passes but enrollment unsigned — vulnerable to wallet-hijack on MITM scenarios.

Upgrade paths

Windows: download v3.1.1 ZIP from the release, extract, run rustchain_miner_setup.bat as administrator.

npm: npm install -g clawrtc@latest (1.8.0+ once published — pending refresh of publish auth)

pip: pip install -U clawrtc (1.8.0+ once published)

Verify your miner is signed

Server-side, when you attest:

• ✅ Good: [FINGERPRINT] Miner: YOUR_WALLET ... Passed: True with no UNSIGNED warning
• ❌ Bad: [ENROLL/SIG] UNSIGNED enrollment accepted for YOUR_WALLET... (upgrade miner to signed flow)

Or check signing_pubkey in your row of miner_attest_recent — non-empty 64-char hex = signed; NULL = unsigned.

Hardware-tier additions (PR #6423)

Hardware	Multiplier
Pentium M Yonah (2006)	1.6× NEW
Pentium M Dothan (2004)	1.8× NEW
Pentium M Banias (2003)	1.9× NEW

Full curve unchanged for all other tiers — see ANTIQUITY_MULTIPLIERS in node/rip_200_round_robin_1cpu1vote.py.

Verified

The IBM ThinkPad T40 (Pentium M Banias, 2003) we onboarded today went from 0 RTC earned → 0.270 RTC top-share in its first epoch after the settle-fix. POWER8 was earning ZERO from new attestations due to PowerPC cache profile rejection — now passing. Nathan's Windows machine + Victus laptop both clean Ed25519-signed end-to-end.

If you find a bug in v3.1.1, file an issue. If you're stuck on the upgrade, comment below with your platform.

[Scottcjn]

⚠️ UPDATE 2026-05-28 — critical fix in v3.1.2; please upgrade from v3.1.1

If you installed v3.1.1 (or v3.0.0, or v3.1.0), you have likely been earning ~zero RTC despite a passing attestation. The miner code lost its from fingerprint_checks import validate_all_checks import in a refactor that predates v3.0.0; the bundled fingerprint_checks.py has been an orphan ever since. Server records fingerprint_passed=False, reason=no_fingerprint_data and enrolls you at VM-tier weight (1e-9).

This was caught today when I noticed one of my own miners' weight had dropped to 1e-09 after the v3.1.1 deploy.

Fix shipped: v3.1.2-miner release restores the import + populates attestation["fingerprint"] before the Ed25519 signing block. Preserves all the security improvements from v3.1.1 (canonical-JSON signing + epoch enroll signing).

v3.1.1 release deleted (followed by v3.1.0 + v3.0.0 deletes earlier). v3.1.2 is the canonical install from this point.

Diagnostic for affected installs:

curl -s "https://50.28.86.131/api/miners" | findstr YOUR_WALLET

• ✅ Working: "fingerprint_passed": true and "antiquity_multiplier": 0.8 (or higher for vintage)
• ❌ Affected: "fingerprint_passed": null or false, and your epoch_enroll row shows weight 1e-09

Apologies for shipping v3.1.1 with this regression. Server-side state was honest — the empty fingerprint was being passed through unmodified — but the miner-side regression masked it from any user diagnostic that just checked "is my miner attesting?".

Sorry to anyone who's been silently failing to earn for weeks. The fix is one upgrade away.