BSV Ruby SDK ARC Broadcaster Failure Status Mismanagement Vulnerability
Vulnerability
A vulnerability exists in the BSV Ruby SDK's ARC broadcaster implementation, affecting versions from 0.1.0 up to, but not including, 0.8.2. The broadcaster fails to recognize and handle several transaction rejection statuses returned by ARC. It treats 'REJECTED' and 'DOUBLE_SPEND_ATTEMPTED' as failures, but mistakenly treats 'INVALID', 'MALFORMED', 'MINED_IN_STALE_BLOCK', and any 'ORPHAN'-related status as a successful broadcast. Applications that rely on the broadcaster's success result to validate actions or advance workflows can therefore be misled into trusting transactions that the network never accepted.
Impact
This vulnerability creates a silent failure where rejected transactions are falsely reported as successfully broadcasted. Applications that depend on the broadcast status to manage critical processes, such as payment confirmations or workflow advancements, may be misled into believing that transactions were accepted when they were not.
Reproduction
To reproduce this vulnerability, use a BSV Ruby SDK version from 0.1.0 up to, but not including, 0.8.2 and broadcast a transaction through the ARC broadcaster. A response carrying an 'INVALID', 'MALFORMED', 'MINED_IN_STALE_BLOCK', or 'ORPHAN' status is processed as a successful broadcast. Such a response can be obtained by sending a malformed transaction or by using an ARC endpoint that returns one of these statuses.
Remediation
Upgrade to BSV Ruby SDK version 0.8.2 or later. This version expands the failure detection to include all necessary rejection statuses and aligns the response handling with the TypeScript reference SDK. After upgrading, verify that the application correctly handles ARC responses and does not mistakenly trust transactions that were rejected.
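The following Ruby snippet is an added example and is not the SDK's own code; it models the status check described in the Vulnerability section and the corrected handling the Remediation section calls for. The sample ARC responses are constructed, and the 'txStatus' field name and the 'SEEN_IN_ORPHAN_MEMPOOL' value are assumptions about the ARC response shape. It can be used as a reference when verifying that an application does not trust rejected transactions.

```ruby
require 'json'

# Constructed sample ARC responses (not captured from a real ARC node).
# The 'txStatus' field name is an assumption about ARC's JSON shape.
SAMPLE_RESPONSES = {
  'seen'         => '{"txStatus":"SEEN_ON_NETWORK"}',
  'rejected'     => '{"txStatus":"REJECTED","extraInfo":"constructed"}',
  'double_spend' => '{"txStatus":"DOUBLE_SPEND_ATTEMPTED"}',
  'invalid'      => '{"txStatus":"INVALID"}',
  'malformed'    => '{"txStatus":"MALFORMED"}',
  'stale'        => '{"txStatus":"MINED_IN_STALE_BLOCK"}',
  'orphan'       => '{"txStatus":"SEEN_IN_ORPHAN_MEMPOOL"}', # assumed ORPHAN-related value
  'no_status'    => '{"txid":"deadbeef"}'
}.freeze

# Models the pre-0.8.2 behaviour: only two statuses are treated as failures,
# so every other status, including INVALID or MALFORMED, counts as success.
VULNERABLE_FAILURES = %w[REJECTED DOUBLE_SPEND_ATTEMPTED].freeze

def vulnerable_classify(json)
  status = JSON.parse(json)['txStatus'].to_s
  VULNERABLE_FAILURES.include?(status) ? :failure : :success
end

# Models the corrected behaviour: the full rejection set named in the advisory
# plus any status containing ORPHAN. Treating a missing status as a failure is
# a defensive choice added here, not something the advisory states.
FIXED_FAILURES = %w[REJECTED DOUBLE_SPEND_ATTEMPTED INVALID MALFORMED
                    MINED_IN_STALE_BLOCK].freeze

def fixed_classify(json)
  status = JSON.parse(json)['txStatus'].to_s
  return :failure if status.empty?
  return :failure if FIXED_FAILURES.include?(status) || status.include?('ORPHAN')

  :success
end

# Returns the names of sample responses the vulnerable check accepts but the
# fixed check rejects, i.e. the silent failures described in the advisory.
def misclassified(responses = SAMPLE_RESPONSES)
  responses.select do |_name, json|
    vulnerable_classify(json) == :success && fixed_classify(json) == :failure
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESPONSES.each do |name, json|
    puts format('%-13s vulnerable=%-8s fixed=%s', name,
                vulnerable_classify(json), fixed_classify(json))
  end
  puts "silently misreported as success: #{misclassified.join(', ')}"
end
```

The fixed check fails closed on an unrecognized or missing status; an application that only compares the SDK's boolean success result cannot tell these cases apart, so the check on the status itself is what matters when reviewing ARC response handling after the upgrade.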
