ARC broadcaster treats failure statuses as successful broadcasts
Summary
BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network.
Details
lib/bsv/network/arc.rb (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises:
INVALIDMALFORMEDMINED_IN_STALE_BLOCK- Any response containing
ORPHAN in extraInfo or txStatus
The Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts.
Additional divergences in the same module compound the risk:
Content-Type is sent as application/octet-stream; the TS reference sends application/json with a { rawTx: <hex> } body (EF form where source transactions are available).- The headers
XDeployment-ID, X-CallbackUrl, and X-CallbackToken are not sent.
The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance.
Impact
Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success — releasing goods, marking invoices paid, treating a token as minted, progressing a workflow — are tricked into trusting transactions that were never broadcast.
This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability.
CVSS rationale
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N → 7.5 (High)
- AV:N — network-reachable.
- AC:L — no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window — the bug is that the code path doesn't exist at all.
- PR:N — no privileges required.
- UI:N — no user interaction.
- C:N — no confidentiality impact.
- I:H — downstream integrity decisions are taken on non-broadcast transactions.
- A:N — no availability impact.
Affected versions
The ARC broadcaster was introduced in commit a1f2e62 ("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in v0.1.0. The narrow failure predicate has been present since introduction. Every release up to and including v0.8.1 is affected.
Affected range: >= 0.1.0, < 0.8.2.
Patches
Upgrade to bsv-sdk >= 0.8.2. The fix:
- Expands the failure predicate (
REJECTED_STATUSES + ORPHAN substring check on both txStatus and extraInfo) to include INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and any orphan-containing response, matching the TypeScript reference.
- Switches
Content-Type to application/json with a { rawTx: <hex> } body, preferring Extended Format (BRC-30) hex when every input has source_satoshis and source_locking_script populated and falling back to plain raw-tx hex otherwise.
- Adds support for the
XDeployment-ID (default: random bsv-ruby-sdk-<hex>), X-CallbackUrl, and X-CallbackToken headers via new constructor keyword arguments.
Fixed in sgbett/bsv-ruby-sdk#306.
Note for bsv-wallet consumers
The sibling gem bsv-wallet (published from the same repository) is not independently vulnerable — lib/bsv/network/arc.rb is not bundled into the wallet gem's files list. However, bsv-wallet runtime-depends on bsv-sdk, so a consumer of bsv-wallet that also invokes the ARC broadcaster is transitively exposed whenever Gemfile.lock resolves to a vulnerable bsv-sdk version. bsv-wallet >= 0.3.4 tightens its bsv-sdk constraint to >= 0.8.2, < 1.0, so upgrading either gem is sufficient to pull in the fix.
Workarounds
If upgrading is not immediately possible:
- Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast.
- Do not gate integrity-critical actions solely on the ARC broadcaster's success response.
Credit
Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13.
References
References
sgbett Finder
ARC broadcaster treats failure statuses as successful broadcasts
Summary
BSV::Network::ARC's failure detection only recognisesREJECTEDandDOUBLE_SPEND_ATTEMPTED. ARC responses withtxStatusvalues ofINVALID,MALFORMED,MINED_IN_STALE_BLOCK, or anyORPHAN-containingextraInfo/txStatusare silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network.Details
lib/bsv/network/arc.rb(lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises:INVALIDMALFORMEDMINED_IN_STALE_BLOCKORPHANinextraInfoortxStatusThe Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts.
Additional divergences in the same module compound the risk:
Content-Typeis sent asapplication/octet-stream; the TS reference sendsapplication/jsonwith a{ rawTx: <hex> }body (EF form where source transactions are available).XDeployment-ID,X-CallbackUrl, andX-CallbackTokenare not sent.The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance.
Impact
Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success — releasing goods, marking invoices paid, treating a token as minted, progressing a workflow — are tricked into trusting transactions that were never broadcast.
This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability.
CVSS rationale
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N→ 7.5 (High)Affected versions
The ARC broadcaster was introduced in commit
a1f2e62("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in v0.1.0. The narrow failure predicate has been present since introduction. Every release up to and including v0.8.1 is affected.Affected range:
>= 0.1.0, < 0.8.2.Patches
Upgrade to
bsv-sdk >= 0.8.2. The fix:REJECTED_STATUSES+ORPHANsubstring check on bothtxStatusandextraInfo) to includeINVALID,MALFORMED,MINED_IN_STALE_BLOCK, and any orphan-containing response, matching the TypeScript reference.Content-Typetoapplication/jsonwith a{ rawTx: <hex> }body, preferring Extended Format (BRC-30) hex when every input hassource_satoshisandsource_locking_scriptpopulated and falling back to plain raw-tx hex otherwise.XDeployment-ID(default: randombsv-ruby-sdk-<hex>),X-CallbackUrl, andX-CallbackTokenheaders via new constructor keyword arguments.Fixed in sgbett/bsv-ruby-sdk#306.
Note for
bsv-walletconsumersThe sibling gem
bsv-wallet(published from the same repository) is not independently vulnerable —lib/bsv/network/arc.rbis not bundled into the wallet gem'sfileslist. However,bsv-walletruntime-depends onbsv-sdk, so a consumer ofbsv-walletthat also invokes the ARC broadcaster is transitively exposed wheneverGemfile.lockresolves to a vulnerablebsv-sdkversion.bsv-wallet >= 0.3.4tightens itsbsv-sdkconstraint to>= 0.8.2, < 1.0, so upgrading either gem is sufficient to pull in the fix.Workarounds
If upgrading is not immediately possible:
Credit
Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13.
References
.architecture/reviews/20260408-cross-sdk-compliance-review.mdARCclass in@bsv/sdkReferences