CVE-2026-40069

ARC broadcaster treats failure statuses as successful broadcasts

Summary

BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLESPENDATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINEDINSTALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network.

Details

lib/bsv/network/arc.rb (lines ~74-100 in the affected code) uses a narrow failure predicate compared to the TypeScript reference SDK. The TS broadcaster additionally recognises:

• INVALID
• MALFORMED
• MINEDINSTALE_BLOCK
• Any response containing ORPHAN in extraInfo or txStatus

The Ruby implementation omits all of these, so ARC responses carrying any of these statuses are returned to the caller as successful broadcasts.

Additional divergences in the same module compound the risk:

• Content-Type is sent as application/octet-stream; the TS reference sends application/json with a { rawTx: <hex> } body (EF form where source transactions are available).
• The headers XDeployment-ID, X-CallbackUrl, and X-CallbackToken are not sent.

The immediate security-relevant defect is the missing failure statuses; the other divergences are fixed in the same patch for protocol compliance.

Impact

Integrity: callers receive a success response for broadcasts that were actually rejected by the ARC endpoint. Applications and downstream gems that gate actions on broadcaster success — releasing goods, marking invoices paid, treating a token as minted, progressing a workflow — are tricked into trusting transactions that were never broadcast.

This is an integrity bug with security consequences. It does not disclose information (confidentiality unaffected) and does not affect availability.

CVSS rationale

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N → 7.5 (High)

• AV:N — network-reachable.
• AC:L — no specialised access conditions are required. Triggering any of the unhandled failure statuses is not meaningfully harder than broadcasting a transaction at all: a malformed or invalid transaction, an orphan condition from a transient fork, or a hostile/misbehaving ARC endpoint returning one of these statuses is sufficient. The attacker does not need to defeat any mitigation or race a specific window — the bug is that the code path doesn't exist at all.
• PR:N — no privileges required.
• UI:N — no user interaction.
• C:N — no confidentiality impact.
• I:H — downstream integrity decisions are taken on non-broadcast transactions.
• A:N — no availability impact.

Affected versions

The ARC broadcaster was introduced in commit a1f2e62 ("feat(network): add ARC broadcaster with injectable HTTP client") on 2026-02-08 and first released in v0.1.0. The narrow failure predicate has been present since introduction. Every release up to and including v0.8.1 is affected.

Affected range: >= 0.1.0, < 0.8.2.

Patches

Upgrade to bsv-sdk >= 0.8.2. The fix:

• Expands the failure predicate (REJECTED_STATUSES + ORPHAN substring check on both txStatus and extraInfo) to include INVALID, MALFORMED, MINEDINSTALE_BLOCK, and any orphan-containing response, matching the TypeScript reference.
• Switches Content-Type to application/json with a { rawTx: <hex> } body, preferring Extended Format (BRC-30) hex when every input has source_satoshis and sourcelockingscript populated and falling back to plain raw-tx hex otherwise.
• Adds support for the XDeployment-ID (default: random bsv-ruby-sdk-<hex>), X-CallbackUrl, and X-CallbackToken headers via new constructor keyword arguments.

Fixed in sgbett/bsv-ruby-sdk#306.

Note for bsv-wallet consumers

The sibling gem bsv-wallet (published from the same repository) is not independently vulnerable — lib/bsv/network/arc.rb is not bundled into the wallet gem's files list. However, bsv-wallet runtime-depends on bsv-sdk, so a consumer of bsv-wallet that also invokes the ARC broadcaster is transitively exposed whenever Gemfile.lock resolves to a vulnerable bsv-sdk version. bsv-wallet >= 0.3.4 tightens its bsv-sdk constraint to >= 0.8.2, < 1.0, so upgrading either gem is sufficient to pull in the fix.

Workarounds

If upgrading is not immediately possible:

• Verify broadcast results out-of-band (e.g. query a block explorer or WhatsOnChain) before treating a transaction as broadcast.
• Do not gate integrity-critical actions solely on the ARC broadcaster's success response.

Credit

Identified during the 2026-04-08 cross-SDK compliance review, tracked as finding F5.13.

References

• HLR: sgbett/bsv-ruby-sdk#305
• Fix PR: sgbett/bsv-ruby-sdk#306
• Compliance review: .architecture/reviews/20260408-cross-sdk-compliance-review.md
• TypeScript reference: ARC class in @bsv/sdk