Canton fixes a sequencer fork risk

Canton released version 3.5.5 of its software on June 17, with a direct recommendation for operators: upgrade to this version to fix an exceptional but severe bug around logical synchronizer upgrades. In Canton, a synchronizer coordinates event ordering between participants in a Daml network, the smart contract technology used by Digital Asset for permissioned financial infrastructure. The reported risk is specific: under some restart conditions after an upgrade, a sequencer node could create a sequencer fork, meaning participants no longer agree on the expected state of the event stream.

The release note describes the failure mode in operational terms. If a sequencer is not processing blocks, then restarts after the upgrade time and before it has processed any block, crash recovery can delete traffic data entries. The impact is not cosmetic. Participants may be unable to connect because they cannot get consensus on traffic, or they may disconnect with a SEQUENCER_FORK_DETECTED error. The workaround listed by the project is heavy: restore from backup. The official recommendation is therefore to upgrade to Canton 3.5.5.

The point matters beyond a routine patch. Canton is positioned as infrastructure for shared ledgers between institutions, with deployments that emphasize privacy, permissions and interoperability across financial systems. In that environment, coordination failures are a first-order operational risk. A sequencer bug does not merely affect a user interface or a single application. It can interrupt the ability of participants to agree on the same history, which is the basic promise of a distributed ledger. The release states that all versions before 3.5.5 are affected and that sequencer nodes are the impacted deployment type. For operators, that turns an obscure edge case into a maintenance decision with a clear deadline: update before the failure condition appears in production.

Version 3.5.5 also includes smaller improvements, such as lower memory usage when streaming large gRPC responses and a configuration option to disable automatic connection to synchronizers at startup. But the main signal is the hardening of financial blockchain infrastructure. Permissioned ledgers rarely move the market through flashy announcements. Their progress is often visible in release notes that name failure modes, define affected deployments and give operators clear remediation steps. That is less spectacular than a token launch or a new partnership, but it is arguably closer to what institutional adoption requires: predictable upgrades, documented recovery paths and less ambiguity around the operational behavior of critical nodes.