Bera Geth v1.011608.0

Summary

This includes security fixes from upstream geth released in v1.16.8.

This is a security fix release and is recommended for all users. It resolves two p2p
vulnerabilities reported through the Ethereum Foundation bug bounty program.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Priority
Payload Builders	Required
Non-Payload Builders	Required

All Changes

• Merge branch 'dos-fixes' into release/1.16
• version: release go-ethereum v1.16.8 stable
• crypto/ecies: use aes blocksize
• core/txpool: drop peers on invalid KZG proofs
• version: begin v1.16.8 release cycle
• Merge branch 'master' into release/1.16

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011608.0-e8f8f968.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011608.0-e8f8f968.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011608.0-e8f8f968.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011608.0-e8f8f968.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011608.0 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011608.0-e8f8f968.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool

Bera Geth v1.011607.0

Summary

This release introduces the Prague4 fork, which undoes the Prague3 account and transfer freezes to protect against the Balancer exploit of Nov 3 2025. It is essential to upgrade to this version on Berachain mainnet before the hard fork occurring on Nov 12 2025 @ 16:00:00 UTC.

This also includes changes from upstream geth and is built on top of go-ethereum v1.16.7.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Mainnet
Payload Builders	Required
Non-Payload Builders	Recommended

All Changes

• core/forkid: fix unit tests (#112) (#113)
• all: prague4 fork (#24)

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011607.0-c1dbdabd.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011607.0-c1dbdabd.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011607.0-c1dbdabd.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011607.0-c1dbdabd.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011607.0 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011607.0-c1dbdabd.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool

Bera Geth v1.011602.7

Summary

This binary update fixes a bug where block builders are unable to propose blocks which include transactions that are invalid according to Prague3 rules.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Mainnet
Payload Builders	Required
Non-Payload Builders	Recommended

All Changes

• core,miner: clean prague3 code flow to fix linter and UTs (#21)
• miner,core: update gas used pointer correctly (#20)
• miner,core: update prague3 state processing (#18)
• miner/worker: return error to avoid prague3 reverting again (#17)
• miner/worker: revert gas and state if prague3 processing fails (#15)

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011602.7-628ecc13.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011602.7-628ecc13.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011602.7-628ecc13.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011602.7-628ecc13.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011602.7 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011602.7-628ecc13.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool

Bera Geth v1.011602.6

Summary

Critical hard fork for all Berachain mainnet operators. Prague3 prevents the Balancer exploiter of Nov 3 2025 from stealing user funds and freezes use of BEX vaults.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Mainnet
Payload Builders	Required
Non-Payload Builders	Required

All Changes

• chore: nit fixes around prague3 docs
• prague3 (#10)

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011602.6-212ab4aa.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011602.6-212ab4aa.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011602.6-212ab4aa.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011602.6-212ab4aa.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011602.6 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011602.6-212ab4aa.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool

Bera Geth v1.011602.5

Summary

This patch update includes a fix for payload builders. Previously geth block builders might return early with an empty and invalid payload. Now a default config has been changed (miner recommit interval is now 1s) to allow quicker payload updates, reducing the likelihood of an empty payload. As a default the empty payload now includes the PoL tx to avoid causing validation errors after the Prague1 hard fork.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Mainnet	Bepolia	General
Payload Builders	Recommended	Recommended	Recommended
Non-Payload Builders	Not Required	Not Required	Not Required

All Changes

• fix(payload-builder): include PoL tx in empty payload (#94) (#98)
• Update forkid_test.go (#95) (#97)

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011602.5-3158c688.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011602.5-3158c688.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011602.5-3158c688.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011602.5-3158c688.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011602.5 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011602.5-3158c688.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool

Bera Geth v1.011602.4

Summary

This release introduces the Prague2 Hardfork which sets the minimum base fee to 0, and as such, requires binary updates for node operators on Berachain mainnet and bepolia.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Mainnet	Bepolia	General
Payload Builders	Required	Required	Not Required
Non-Payload Builders	Required	Required	Not Required

All Changes

• params: set prague2 fork times (#92) (#93)
• fix(config): Use *big.Int for MinBaseFee config (#90) (#91)
• Merge pull request #89 from berachain/prague2-fork
• Merge pull request #88 from berachain/backport-87-to-release/v1.16.2
• chore(ci): run CI workflows on PRs to release branches
• chore(pol): Set the gas tip cap to zero when marshalling pol tx (#84) (#85)
• Update chain_makers.go (#81) (#82)
• fix(version): report correct bera-geth version when building from detached HEAD (#77) (#78)

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011602.4-11cf1ff7.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011602.4-11cf1ff7.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011602.4-11cf1ff7.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011602.4-11cf1ff7.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011602.4 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011602.4-11cf1ff7.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool

Bera Geth v1.011602.3

Summary

This release introduces support for BRIPs 0001, 0002, and 0004.

For the Pectra11 hardfork:

• on the CL, full compatibility for BRIP-0004 in the Electra1 fork version is expected.
• on the EL, full compatibility for BRIP-0002 and BRIP-0004 in the Prague1 fork version.

Node operators currently running geth must upgrade this to this version. For the CL, beacon-kit v1.3.1 must be used.

On Berachain mainnet, the deadline to upgrade to this version is Sept 3rd, 2025 @ 16:00:00 GMT+0000, when the beacon version will fork to Electra1 and the ELs are configured to fork to Prague1.

Update Priority

This table provides priorities for which classes of users should update particular components.

User Class	Bepolia	Mainnet	General
Payload Builders	Recommended	Required	Recommended
Non-Payload Builders	Recommended	Required	Recommended

All Changes from geth v1.16.2

• chore(actions): improve backport PRs for readability
• BRG4-20.3: pass current block number in to NewPoLTx for more clarity
• BRG4-15: error out early if nil pubkey provided when creating PoL tx
• BRG4-14: remove unneeded value check when unmarshalling PoL tx
• BRG4-11: return 0 for PoLTx gas tip cap
• BRG4-10: preserve returned error via wrapping
• fix(actions): resolve backport warning (#66)
• chore(configs): Update Prague1 hardfork time on Berachain mainnet
• chore(actions): Automated backport to release branches (#65)
• chore(configs): Update Prague1 chain config for Berachain mainnet (#61)
• chore(config): add more verbose Prague1 logigng (#60)
• fix(docker): use correct digest for signing images (#57)
• chore(docker): login to ghcr before cosigning (#56)
• fix(pbss): idempotent init cmd if stored db (#54)
• fix(forkid): Make compatible with prague1 fork
• chore(version): Use git tag for version reporting (#51)
• chore(API): enforce from address when checking pol tx (#52)
• fix unit tests
• add validation and logs around prague1 checks
• use correct default chain configs
• chore: miscellaneous nits
• Merge branch 'master' into release/v1.16.2
• Merge pull request #44 from berachain/migrate-dbdir
• Merge branch 'ethereum:master' into main
• chore(p2p): add default bootnodes for mainnet and bepolia
• chore(configs): update default configs with correct prague1 timestamps
• chore(docker): improve workflow for version retrieval
• Update with latest main (#42)
• Merge branch 'master' into update-main
• chore(binary): update executable name to bera-geth (#41)
• fix(validation): enforce at least one tx post-prague1 (#40)
• fix: cleanup audit fixes (#39)
• fix docker cosign action (#38)
• chore(audit): address some minor nits (#37)
• fix(actions): docker signed release workflow (#36)
• chore(release): signed releases for binaries and docker (#35)
• test: add Docker build test workflow for PR validation (#33)
• fix version naming (#20)
• Update default miner gas configs (#32)
• Merge pull request #31 from berachain/update-main
• Merge branch 'main' of github.com:berachain/bera-geth into update-main
• feat: BRIP-0004 implementation (#21)
• Merge pull request #25 from berachain/sync-master-to-main
• Merge remote-tracking branch 'origin/master' into sync-master-to-main
• Merge pull request #24 from berachain/update-main
• Merge branch 'main' of github.com:berachain/bera-geth into update-main
• Add CLAUDE.md file for Claude Code development guidance (#19)
• fix(build): internal env fetching of github actions
• chore(CI): isolate docker workflow to run independently
• Merge branch 'master' of github.com:berachain/bera-geth
• run release workflow on correct triggers
• fix(CI): Use correct download links (#17)
• chore(CI): Fix download links in draft releases (#16)
• chore(ci): release workflow patches (#15)
• chore(CI): Setup release workflow (#13)
• Merge pull request #11 from berachain/fetch-upstream
• Merge branch 'master' of github.com:berachain/bera-geth into fetch-upstream
• Merge branch 'master' of github.com:berachain/bera-geth into fetch-upstream
• Merge branch 'main' of github.com:berachain/bera-geth into fetch-upstream
• Set GH actions against default branch - main (#12)
• Merge remote-tracking branch 'upstream/master' into fetch-upstream
• Merge branch 'master' of github.com:berachain/bera-geth
• feat(BRIP-2): Gas Fee Modifications (#2)
• feat(BRIP-1): Prepare fork for Berachain (#3)

Full code diff can be seen https://github.com/ethereum/go-ethereum/compare/v1.16.2...berachain:bera-geth:v1.011602.2?expand=1

Binaries

System	Architecture	Binary	PGP Signature	Notes
	amd64	bera-geth-linux-amd64-v1.011602.3-d2eb3b37.tar.gz	Signature	Most Linux systems
	arm64	bera-geth-linux-arm64-v1.011602.3-d2eb3b37.tar.gz	Signature	64-bit ARM systems
	amd64	bera-geth-alltools-linux-amd64-v1.011602.3-d2eb3b37.tar.gz	Signature	All tools bundle (amd64)
	arm64	bera-geth-alltools-linux-arm64-v1.011602.3-d2eb3b37.tar.gz	Signature	All tools bundle (arm64)
System	Option	-	Resource
	Docker		ghcr.io/berachain/bera-geth

Verifying Binary Signatures

All release binaries are signed with PGP. To verify:

1. Download the public key
2. Import the key: gpg --import release.asc
3. Verify the signature: gpg --verify <filename>.asc <filename>

Docker Images

Docker images are available at ghcr.io/berachain/bera-geth and are signed with Cosign using keyless signing from GitHub Actions OIDC.

To verify a specific release image (recommended: by digest):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:v1.011602.3 | awk '/^Digest:/ {print $2; exit}')

To verify the latest unstable image instead (not recommended; tags can move):

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/berachain/bera-geth/.github/workflows/docker.yml@.+" \
  ghcr.io/berachain/bera-geth@$(docker buildx imagetools inspect ghcr.io/berachain/bera-geth:latest | awk '/^Digest:/ {print $2; exit}')

Installation

The archives contain the geth binary and license file. Extract and run:

tar -xzf bera-geth-linux-amd64-v1.011602.3-d2eb3b37.tar.gz
./geth

The alltools archives additionally contain:

• abigen - Source code generator for Ethereum contracts
• evm - Developer utility for the Ethereum Virtual Machine
• rlpdump - Developer utility for RLP data
• clef - Ethereum account management tool