bsv-sdk/wallet fixes: missing cert signature verification and VarInt encoding error

Vulnerability Overview This issue documents two critical security patches (Hotfixes) for and , addressing three high-severity vulnerabilities identified during a compliance audit: 1. F8.15 - Unverified Certificate Signature (bsv-wallet): The 'direct' path of the method fails to verify the certificate issuer's signature before persisting the certificate. An attacker can supply arbitrary signatures, causing invalid certificates to be accepted as valid. 2. F1.3 - VarInt Encoding Error (bsv-sdk): accepts negative numbers and silently encodes them incorrectly (e.g., -1 is encoded as 0xFF), leading to silent protocol corruption. 3. F5.13 - Missing ARC Broadcaster Status (bsv-sdk): The ARC broadcaster lacks failure statuses (such as , ), uses incorrect content types, and omits required headers (e.g., ). This causes applications to misinterpret transaction statuses, treating failures as successes. Scope of Impact Affected Gems: and . Target Versions: : 0.8.1 -> 0.8.2 : 0.3.3 -> 0.3.4 Dependency Warning: Both gems must be upgraded simultaneously. If a user upgrades only to 0.3.4 without upgrading to 0.8.2, the security fixes for F1.3 and F5.13 will be missed. Remediation Plan 1. For F8.15 (bsv-wallet): Execute BRC-52 certificate signature verification prior to persistence. Reject certificates where the claimed public key does not match. Cease persisting certificates that have not been verified. 2. For F1.3 (bsv-sdk): Add an check within . Raise an exception if is true (e.g., ). 3. For F5.13 (bsv-sdk): Add ARC broadcaster failure statuses ( , , ) to and . Switch the Content-Type to . Add support for and headers. Related Code/File Paths F8.15: (Lines 880-836) F1.3: (Lines 17-27) F5.13: (Lines 35-45; 74-100) Key Logic Description (Code Snippets):

Goal Reached Thanks to every supporter — we hit 100%!

bsv-sdk/wallet fixes: missing cert signature verification and VarInt encoding error

More from this source