#13·Whitelist `System.authorizeUpgrade` for Nexus runtime v7100

26d ago
Executed

Summary

Whitelist the authorize_upgrade preimage on the Nexus runtime so it can be dispatched via the Whitelisted Caller track, applying runtime upgrade nexus-v7100.

Whitelist call

  • Preimage (encoded System.authorizeUpgrade): 0x000952a5b89bb0806d105888e5c50cae02eb3deae6f853446320dfe5b49777608ff6
  • Preimage call hash (keccak-256, value passed to Whitelist.whitelist_call): 0xbe651618fb545affac3b6852100ed3864dd51b57976fd5f37ea4fd84dafe04fb
  • Decoded call: System.authorizeUpgrade(codeHash = 0x52a5b89bb0806d105888e5c50cae02eb3deae6f853446320dfe5b49777608ff6)

Runtime info

  • Release: nexus-v7100 (published 2026-05-22)
  • Spec: nexus-7100 (nexus-0.tx1.au1), Metadata V14
  • WASM: nexus_runtime-v7100.compact.compressed.wasm — 2,009,656 bytes (1.92 MiB)
  • WASM Keccak-256: 0x52a5b89bb0806d105888e5c50cae02eb3deae6f853446320dfe5b49777608ff6
  • Toolchain: rustc 1.91.1 (ed61e7d7e 2025-11-07)

Changes in this release

  • #895 [runtime] Harden consensus clients
  • #900 [runtime] Restrict Nexus BEEFY consensus proofs to SP1

Motivation

This is a security hardening release targeting the consensus layer. It hardens consensus client validation logic and restricts Nexus BEEFY consensus proof verification exclusively to SP1, reducing the attack surface on proof authenticity.

Reproducibility

git checkout nexus-v7100
./scripts/build_release_runtime.sh nexus-runtime
# verify keccak-256 of the produced .compact.compressed.wasm matches
# 0x52a5b89bb0806d105888e5c50cae02eb3deae6f853446320dfe5b49777608ff6
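
The hash relationships stated under "Whitelist call" and "Reproducibility" can be cross-checked before voting. The following is an added example, not part of the proposal or the project's code: it implements legacy Keccak-256 in pure Python (`hashlib.sha3_256` uses different padding and gives different digests). It assumes the first two preimage bytes are the pallet and call indices; the function names are hypothetical.

```python
PREIMAGE = bytes.fromhex("000952a5b89bb0806d105888e5c50cae02eb3deae6f853446320dfe5b49777608ff6")
CALL_HASH = bytes.fromhex("be651618fb545affac3b6852100ed3864dd51b57976fd5f37ea4fd84dafe04fb")
WASM_HASH = bytes.fromhex("52a5b89bb0806d105888e5c50cae02eb3deae6f853446320dfe5b49777608ff6")
# The three values above are copied from the proposal; the rest is added illustration.
def rol(a, n):
    return ((a << n % 64) | (a >> (64 - n % 64))) & (2**64 - 1)

def keccak_f(A):  # Keccak-f[1600] permutation over 5x5 64-bit lanes A[x][y]
    R = 1
    for _ in range(24):
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, A[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, A[x][y] = A[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):  # chi
            T = [A[x][y] for x in range(5)]
            for x in range(5):
                A[x][y] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        for j in range(7):  # iota, round constant from an LFSR
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0][0] ^= 1 << ((1 << j) - 1)
    return A

def keccak256(data):
    """Legacy Keccak-256: rate 136 bytes, 0x01 ... 0x80 padding."""
    p = bytearray(data) + b"\x01" + b"\x00" * (-(len(data) + 1) % 136)
    p[-1] ^= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(p), 136):
        for i in range(17):  # absorb one block, lane i sits at x = i % 5, y = i // 5
            A[i % 5][i // 5] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")
        A = keccak_f(A)
    return b"".join(A[i][0].to_bytes(8, "little") for i in range(4))

def check_proposal(preimage, call_hash, wasm_hash, wasm=None):
    """Cross-check the published hashes; wasm is an optional locally built blob."""
    if len(preimage) != 34:
        raise ValueError("expected 2 index bytes + 32-byte code hash")
    return {"indices": (preimage[0], preimage[1]),  # assumed: pallet, call index
            "code_hash_is_wasm_hash": preimage[2:] == wasm_hash,
            "call_hash_is_keccak_of_preimage": keccak256(preimage) == call_hash,
            "built_wasm_matches": None if wasm is None else keccak256(wasm) == wasm_hash}

if __name__ == "__main__":
    print(check_proposal(PREIMAGE, CALL_HASH, WASM_HASH))
```

To include the reproducibility check, pass the bytes of the locally built `.compact.compressed.wasm` as `wasm`.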

Enactment plan

  1. Submit this preimage and Whitelist.whitelist_call(0xbe651618…e04fb) via the Fellowship / Whitelisted Caller track.
  2. Once whitelisted, dispatch via the companion referendum below.
  3. Submit System.applyAuthorizedUpgrade(code) with the released WASM blob to enact.
This vote has been closed.