From d101a0973bc19ac1b64809c0d9f0cd3516e263d8 Mon Sep 17 00:00:00 2001 From: Elias Rohrer Date: Thu, 23 Apr 2026 18:54:52 +0200 Subject: [PATCH] fix(electrum): verify txid of server-returned transactions An Electrum server could return an arbitrary transaction when `fetch_tx()` requests a specific txid. The returned transaction was cached and used without verifying that its computed txid matches the requested one. Add a verification check that `tx.compute_txid() == txid` after fetching from the server, returning an error on mismatch. Signed-off-by: Elias Rohrer --- crates/electrum/src/bdk_electrum_client.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/crates/electrum/src/bdk_electrum_client.rs b/crates/electrum/src/bdk_electrum_client.rs index 25da3998a..689b20849 100644 --- a/crates/electrum/src/bdk_electrum_client.rs +++ b/crates/electrum/src/bdk_electrum_client.rs @@ -78,6 +78,12 @@ impl BdkElectrumClient { drop(tx_cache); let tx = Arc::new(self.inner.transaction_get(&txid)?); + let returned_txid = tx.compute_txid(); + if returned_txid != txid { + return Err(Error::Message(format!( + "electrum server returned transaction with unexpected txid: expected {txid}, got {returned_txid}" + ))); + } self.tx_cache.lock().unwrap().insert(txid, Arc::clone(&tx));