From: Elias Rohrer <dev@tnull.de>
Date: Thu, 23 Apr 2026 16:54:52 +0000 (+0200)
Subject: fix(electrum): verify txid of server-returned transactions
X-Git-Url: http://internal-gitweb-vhost/?a=commitdiff_plain;h=d101a0973bc19ac1b64809c0d9f0cd3516e263d8;p=bdk

fix(electrum): verify txid of server-returned transactions

An Electrum server could return an arbitrary transaction when
`fetch_tx()` requests a specific txid. The returned transaction was
cached and used without verifying that its computed txid matches the
requested one.

Add a verification check that `tx.compute_txid() == txid` after
fetching from the server, returning an error on mismatch.

Signed-off-by: Elias Rohrer <dev@tnull.de>
---

diff --git a/crates/electrum/src/bdk_electrum_client.rs b/crates/electrum/src/bdk_electrum_client.rs
index 25da3998..689b2084 100644
--- a/crates/electrum/src/bdk_electrum_client.rs
+++ b/crates/electrum/src/bdk_electrum_client.rs
@@ -78,6 +78,12 @@ impl<E: ElectrumApi> BdkElectrumClient<E> {
         drop(tx_cache);
 
         let tx = Arc::new(self.inner.transaction_get(&txid)?);
+        let returned_txid = tx.compute_txid();
+        if returned_txid != txid {
+            return Err(Error::Message(format!(
+                "electrum server returned transaction with unexpected txid: expected {txid}, got {returned_txid}"
+            )));
+        }
 
         self.tx_cache.lock().unwrap().insert(txid, Arc::clone(&tx));