Changelog

Security Upgrade

We’re rolling out breaking changes as part of a security upgrade to the deployed Confidential Wrapper contracts.

If you don’t directly interact with these contracts, no action is required.

Which contracts

All wrappers registered in the onchain registries (testnet address and mainnet address). All addresses can be found in our documentation.

When

• Testnet: Tuesday, May 4, 2026 - 2:00 PM UTC (16:00 PM CET)

• Mainnet: Tuesday, May 11, 2026 - 2:00 PM UTC (16:00 PM CET)

Why

These changes are needed to align the system with updated FHEVM security recommendations to maintain the protocol’s 128-bit security guarantees.

Action required

If you use the Zama SDK: Upgrade to the latest SDK version — install from the alpha channel ahead of the testnet upgrade, and from the latest (stable) channel ahead of the mainnet upgrade. The SDK will be updated to accommodate these changes.

If you interact with the contracts directly, we recommend:

• Before the upgrade dates: Update your ABIs, subgraphs, indexers, and any event filtering logic to support both old and new event signatures. For any code checking supportsInterface(0xd04584ba), also accept supportsInterface(0x1f1c62b2), treating either returning true as a match.

• After upgrade day: Update any code directly calling totalSupply() to use inferredTotalSupply(), and remove support for old interface ID 0xd04584ba .

Refer to the updated documentation, implementation on GitHub (commit b06eb263d64c788a27b6bc1baf46b7547f7ec594) and the summary below. Make sure to test these changes on testnet ahead of the mainnet deployment.

What's changing:

1. Event signature changes: The UnwrapRequested and UnwrapFinalized events will include a new bytes32 indexed unwrapRequestId parameter (event signatures):

   • UnwrapRequested event becomes UnwrapRequested(address indexed receiver, bytes32 indexed unwrapRequestId, euint64 amount)

   • UnwrapFinalized event becomes UnwrapFinalized(address indexed receiver, bytes32 indexed unwrapRequestId, euint64 encryptedAmount, uint64 cleartextAmount)

   • unwrapRequestId should now be considered for finalizeUnwrap ’s first input instead of amount. This change is backward compatible: amount values from old unwrap requests can still be used as input.

2. Function rename: totalSupply() will be renamed to inferredTotalSupply() to better reflect its semantics and align with OpenZeppelin's v0.3.1 contract version (function signature)

3. Wrapper interfaceId changes: supportInterface will return true for 0x1f1c62b2 instead of previous 0xd04584ba for identifying IERC7984ERC20Wrapper (interface file)

Impact

Any integration relying on the current event signatures, the totalSupply() function or supportInterface(0xd04584ba) calls will need to be updated. This includes subgraph indexers, frontend activity parsing, and any direct contract interactions.

The Zama Team

FHEVM v0.11

This release brings major performance and security improvements to the Zama Protocol.

Highlights

• tfhe-rs v1.5.0 upgrade across Coprocessor and KMS for improved FHE performance

• ACL checks on host chain for direct access control enforcement through the relayer and KMS connector

• Delegated decryption with a complete end-to-end flow

• FHE statistics for TFHE-rs for better observability into Coprocessor FHE operations

New features

• GPU acceleration: Optional GPU backends for ZK proof verification, Switch-and-Squash (SnS), and re-randomization. CPU-only deployments remain fully supported.

• Delegated decryption: Complete end-to-end support for delegated user decryption, allowing authorized addresses to decrypt on behalf of users.

• Operator staking system: New ERC-4626-based staking contracts with UUPS upgradeability, permit support, and Operator Rewarder contracts for fee management.

• Confidential Tokens Registry: Added a Confidential Tokens Registry and ERC-7984 upgradeable wrapper contracts for encrypted token assets.

• CLI tool: Added a new command-line tool for common FHEVM workflows.

• BNB chain support: Added configurations for BNB chain deployments.

Improvements

• tfhe-rs upgrade to v1.5.0: Updated across the Coprocessor and KMS, while FHE keys and serialized ciphertexts remain generally compatible.

• ACL checks on host chain: Decryption ACL checks now run directly on the host chain through the relayer and KMS connector, reducing trust assumptions.

• FHE statistics: Added FHE operation statistics and decryption performance metrics in the Coprocessor.

• Dependence-chain processing: Improved the Coprocessor scheduler for better parallelism.

• Host-listener poller mode: Added an alternative polling mode that replaces WebSocket-based event listening.

• KMS garbage collection: Added garbage collection for KMS operations.

• Database optimizations: Improved indexing for the ciphertext_digest table.

Fixes

• Overflow prevention in the ProtocolStaking cooldown mechanism

• ERC-4626 inflation attack mitigation using decimal offset

• Better handling of cyclic dependence errors in the Coprocessor

• Improved eth_getLogs timeout management in the host-listener

Resources

• GitHub release

• Documentation

FHEVM v0.10

This preview introduces a dedicated payment contract in the Gateway and flexible delegation of decryption rights through smart contracts.

These changes improve fee management, access control, and the usability of encrypted operations.

Preview

• Gateway payment contract for Coprocessor and KMS fee management

• Delegation through smart contracts for controlled decryption access

• Time-scoped permissions for temporary or session-based access

• Contract-scoped permissions for stricter access control

New features

• Gateway payment contract: Adds a dedicated payment contract within the Gateway to manage fees for Coprocessor and KMS operations, including input and decryption flows.

• Delegation via smart contracts: Users can delegate decryption rights to other addresses with fine-grained control over scope and duration:

  • Explicit authorization for another address to generate EIP-712 signatures and run userDecrypt operations

  • Delegation validity defined by timestamp for temporary or session-based access

  • Delegation scoped to specific contract addresses for context-aware access control

Improvements

• More flexible encrypted data access through delegation

• More transparent fee management with a dedicated Gateway payment flow

Resources

• GitHub release

• Documentation

FHEVM v0.9

This release adds new key generation capabilities, dynamic coprocessor management, and a redesigned decryption event flow.

These changes improve flexibility, scalability, and consensus handling while deprecating older event formats.

Highlights

• On-chain FHE key and CRS generation

• Dynamic pauser management

• Transaction input re-randomization

• Redesigned user decryption events

• Gateway API cleanup and renaming

New features

• Support generation of FHE key and CRS on-chain:

  • Request FHE key and CRS generation directly through the Gateway.

  • New environment variables for gateway contracts:

    • KMS_GENERATION_THRESHOLD — threshold used to validate consensus on FHE key or CRS generation

    • KMS_NODE_STORAGE_URL_[0-N] — storage base URL for public materials for each KMS node

  • New environment variable for the coprocessor (gw-listener):

    • KMS_GENERATION_ADDRESS — address of the KMSGeneration gateway contract

  • New environment variable for the connector:

    • KMS_GENERATION_ADDRESS — address of the KMSGeneration gateway contract

• New PauserSet immutable contract:

  • Host and Gateway contracts can now be paused by any address added in PauserSet.

  • New environment variables for gateway contracts:

    • NUM_PAUSERS — number of pauser addresses to add. Set this to n_kms + n_copro.

    • PAUSER_ADDRESS_[0-N] — pauser addresses

  • New environment variables for host contracts:

    • NUM_PAUSERS — number of pauser addresses to add. Set this to n_kms + n_copro.

    • PAUSER_ADDRESS_[0-N] — pauser addresses

• Re-randomization of transaction inputs:

  • All transaction inputs, including state inputs, are re-encrypted before FHE evaluation.

  • This provides sIND-CPAD security.

  • This feature is transparent to users.

Improvements

• User decryption response:

  • Encrypted shares and signatures are no longer aggregated on-chain in the Gateway.

  • Each KMS response now emits its own event.

  • New events in the Decryption contract:

    • UserDecryptionResponse(uint256 indexed decryptionId, uint256 indexShare, bytes userDecryptedShare, bytes signature, bytes extraData);

    • UserDecryptionResponseThresholdReached(uint256 indexed decryptionId);

• User decryption request:

  • User EIP-712 signature verification is simplified in the Gateway Decryption contract.

• Gateway contract renaming:

  • MultichainAcl is renamed to MultichainACL.

  • KmsManagement is renamed to KMSGeneration.

• Gateway check functions replaced:

  • All external check... view functions are removed from the Gateway contracts.

  • Associated errors are moved to other contracts or removed.

  • Equivalent is... view functions now return a boolean instead of reverting.

Resources

• GitHub release

• Documentation

FHEVM v0.8

This release makes FHEVM more scalable, secure, and developer-friendly.

Highlights

• New KMS connector for modular integration

• Compressed ciphertexts for lighter payloads

• Flexible extraData field for richer apps

• Post-quantum ML-KEM512 for faster, smaller decrypts

• Stronger chain resilience and ERC-7995 compliance

New features

• New KMS connector: Added a new Key Management System connector to improve modularity and integration.

• Compressed ciphertext support: Added support for compressed ciphertexts in both the SnS worker and KMS, reducing payload sizes.

• Generic extraData field: Gateway functions, events, and signed structs now include a generic extraData field for extensibility and custom data support.

• SepoliaConfig update: Added the protocolId() function to support protocol identification.

Improvements

• ERC-7995 compatibility: Updated the Oracle callback interface for compliance, following ERC-7995.

• Reduced user decrypt payload size: Migrated to ML-KEM512 for 128-bit equivalent post-quantum security. This reduces decrypt response sizes and allows more responses per block.

• Host listener: Added reorganization handling in the host listener for stronger chain resilience.

• Library storage layout: Adjusted the storage layout to align with the standard guidelines.

function callbackExample(
  uint256 requestID,
  bytes memory cleartexts,
  bytes memory decryptionProof
) external;

Resources

• GitHub release

• Documentation

FHEVM v0.7

This release introduces the first iteration of the Zama Protocol.

Highlights

• Gateway is now a core component for protocol orchestration.

• Coprocessor input verification is now enforced on the coprocessor side.

• Decryption pipeline now prepares ciphertexts for decryption on coprocessors.

• Solidity library is restructured to match the new protocol architecture.

Resources

• GitHub release

• Documentation