bsv-sdk 0.8.2 → 0.9.0

data/lib/bsv/primitives/secp256k1.rb

@@ -253,19 +253,29 @@ module BSV
       end
 
       # -------------------------------------------------------------------
-      # Windowed-NAF scalar multiplication
+      # Windowed-NAF scalar multiplication (variable-time, public scalars)
       # -------------------------------------------------------------------
 
+      # @!visibility private
+      # Maximum number of entries kept in the wNAF precomputation cache.
+      # Bounds memory usage for long-running processes (e.g. servers).
+      WNAF_CACHE_MAX = 512
+
       # @!visibility private
       # Cache for precomputed wNAF tables, keyed by "window:x:y".
+      # Evicts oldest entry when the LRU limit is reached.
       WNAF_TABLE_CACHE = {} # rubocop:disable Style/MutableConstant
 
       # @!visibility private
       # Multiply a point by a scalar using windowed-NAF.
       #
-      # Internal method — use {Point#mul} instead. Exposed as a module
-      # function only so the nested Point class can call it; not part of
-      # the public API.
+      # Variable-time algorithm — suitable only for public scalars (e.g.
+      # signature verification). Secret-scalar paths MUST use
+      # {scalar_multiply_ct} instead.
+      #
+      # Internal method — use {Point#mul} or {Point#mul_ct} instead.
+      # Exposed as a module function only so the nested Point class can
+      # call it; not part of the public API.
       #
       # @param k [Integer] the scalar (must be in [1, N))
       # @param px [Integer] affine x-coordinate of the base point
@@ -279,6 +289,9 @@ module BSV
         tbl = WNAF_TABLE_CACHE[cache_key]
 
         if tbl.nil?
+          # Evict the oldest entry when the cache is full (simple LRU).
+          WNAF_TABLE_CACHE.delete(WNAF_TABLE_CACHE.keys.first) if WNAF_TABLE_CACHE.size >= WNAF_CACHE_MAX
+
           tbl_size = 1 << (window - 1) # e.g. w=5 -> 16 entries
           tbl = Array.new(tbl_size)
           tbl[0] = [px, py, 1]
@@ -320,6 +333,57 @@ module BSV
         q
       end
 
+      # -------------------------------------------------------------------
+      # Montgomery ladder scalar multiplication (constant-time, secret scalars)
+      # -------------------------------------------------------------------
+
+      # @!visibility private
+      # Multiply a point by a scalar using the Montgomery ladder.
+      #
+      # Executes a fixed number of iterations (256) with one +jp_double+
+      # and one +jp_add+ per iteration regardless of the scalar value.
+      # Use this for ALL secret-scalar paths (key generation, signing,
+      # ECDH, BIP-32 derivation).
+      #
+      # *Best-effort constant-time in interpreted Ruby.* The branch on
+      # +bit+ selects which register receives each operation, and both
+      # operations always execute. However, Ruby's interpreter, GC, and
+      # the early-return branches in +jp_add+/+jp_double+ (for infinity
+      # edge cases) mean true constant-time execution is not achievable
+      # without native code. This matches the ts-sdk's TypeScript
+      # implementation, which has the same structural properties. For
+      # production deployments requiring side-channel resistance beyond
+      # what an interpreted language can offer, use a native secp256k1
+      # library (e.g. libsecp256k1 via FFI).
+      #
+      # Internal method — use {Point#mul_ct} instead. Not part of the
+      # public API.
+      #
+      # @param k [Integer] secret scalar (must be in [1, N))
+      # @param px [Integer] affine x-coordinate of the base point
+      # @param py [Integer] affine y-coordinate of the base point
+      # @return [Array(Integer, Integer, Integer)] result as Jacobian point
+      def scalar_multiply_ct(k, px, py)
+        return JP_INFINITY if k.zero?
+
+        # r0 accumulates the result; r1 = r0 + base_point at all times.
+        r0 = JP_INFINITY
+        r1 = [px, py, 1]
+
+        256.times do |i|
+          bit = (k >> (255 - i)) & 1
+          if bit.zero?
+            r1 = jp_add(r0, r1)
+            r0 = jp_double(r0)
+          else
+            r0 = jp_add(r0, r1)
+            r1 = jp_double(r1)
+          end
+        end
+
+        r0
+      end
+
       # Negate a Jacobian point.
       def jp_neg(p)
         return p if p[2].zero?
@@ -444,7 +508,10 @@ module BSV
           end
         end
 
-        # Scalar multiplication: self * scalar.
+        # Scalar multiplication: self * scalar (variable-time, wNAF).
+        #
+        # Suitable for public scalars only (e.g. signature verification).
+        # For secret-scalar paths use {#mul_ct}.
         #
         # @param scalar [Integer] the scalar multiplier
         # @return [Point] the resulting point
@@ -461,6 +528,27 @@ module BSV
           self.class.new(affine[0], affine[1])
         end
 
+        # Constant-time scalar multiplication: self * scalar (Montgomery ladder).
+        #
+        # Processes all 256 bits unconditionally so execution time does not
+        # depend on the scalar value. Use this for secret-scalar paths:
+        # key generation, signing, and ECDH shared-secret derivation.
+        #
+        # @param scalar [Integer] the secret scalar multiplier
+        # @return [Point] the resulting point
+        def mul_ct(scalar)
+          return self.class.infinity if scalar.zero? || infinity?
+
+          scalar %= N
+          return self.class.infinity if scalar.zero?
+
+          jp = Secp256k1.scalar_multiply_ct(scalar, @x, @y)
+          affine = Secp256k1.jp_to_affine(jp)
+          return self.class.infinity if affine.nil?
+
+          self.class.new(affine[0], affine[1])
+        end
+
         # Point addition: self + other.
         #
         # @param other [Point]

data/lib/bsv/primitives/signature.rb

@@ -38,6 +38,11 @@ module BSV
         raise ArgumentError, 'signature too short' if bytes.length < 8
         raise ArgumentError, 'invalid sequence tag' unless bytes[0] == 0x30
 
+        # BIP-66 strict DER: length must be a single byte (0x00–0x7F).
+        # Multi-byte length encoding (where the high bit of bytes[1] is set,
+        # e.g. 0x81, 0x82 …) is not permitted in ECDSA signatures.
+        raise ArgumentError, 'non-canonical DER length (multi-byte encoding not allowed)' if bytes[1] & 0x80 != 0
+
         total_len = bytes[1]
         raise ArgumentError, 'length mismatch' unless total_len == bytes.length - 2
 
@@ -89,7 +94,7 @@ module BSV
       # @param hex [String] hex-encoded DER signature
       # @return [Signature]
       def self.from_hex(hex)
-        from_der([hex].pack('H*'))
+        from_der(Hex.decode(hex, name: 'signature hex'))
       end
 
       # Serialise the signature as a hex-encoded DER string.

data/lib/bsv/primitives.rb

@@ -7,6 +7,8 @@ module BSV
   # HD key derivation (BIP-32), and mnemonic phrase generation (BIP-39).
   # All cryptography uses Ruby's stdlib +openssl+ — no external gems.
   module Primitives
+    autoload :Hex,          'bsv/primitives/hex'
+    autoload :Ripemd160,    'bsv/primitives/ripemd160'
     autoload :Secp256k1,    'bsv/primitives/secp256k1'
     autoload :Curve,        'bsv/primitives/curve'
     autoload :Digest,       'bsv/primitives/digest'

data/lib/bsv/script/builder.rb

@@ -45,7 +45,7 @@ module BSV
       # @param hex [String] hex-encoded data to push
       # @return [self] for chaining
       def push_hex(hex)
-        push_data([hex].pack('H*'))
+        push_data(BSV::Primitives::Hex.decode(hex, name: 'hex data'))
       end
 
       # Finalise and return the constructed {Script}.

data/lib/bsv/script/chunk.rb

@@ -53,13 +53,32 @@ module BSV
       # Render this chunk as human-readable ASM.
       #
       # Data pushes are shown as hex strings; opcodes are shown by name.
+      # Opcodes with no defined name are rendered as +OP_UNKNOWN<n>+ (e.g.
+      # +OP_UNKNOWN186+) so that the output is unambiguous and round-trippable
+      # via +from_asm+.
+      #
+      # The OP_RETURN opcode is special: it carries the raw tail bytes as its
+      # data payload (absorbed during parsing). To preserve round-trip fidelity
+      # with +from_asm+, the tail is re-parsed into individual push items and
+      # each is rendered as a hex token after +OP_RETURN+.
       #
       # @return [String] ASM representation
       def to_asm
-        if @data
+        if @opcode == Opcodes::OP_RETURN && @data
+          return 'OP_RETURN' if @data.empty?
+
+          # Re-parse the tail bytes into individual chunks (without OP_RETURN
+          # termination) so each push renders as a separate hex token.
+          tail_script = BSV::Script::Script.new(@data)
+          tail_chunks = tail_script.send(:parse_chunks, terminate_on_op_return: false)
+          parts = ['OP_RETURN'] + tail_chunks.map do |ch|
+            ch.data? ? ch.data.unpack1('H*') : (Opcodes.name_for(ch.opcode) || "OP_UNKNOWN#{ch.opcode}")
+          end
+          parts.join(' ')
+        elsif @data
           @data.unpack1('H*')
         else
-          Opcodes.name_for(@opcode) || @opcode.to_s
+          Opcodes.name_for(@opcode) || "OP_UNKNOWN#{@opcode}"
         end
       end
 

data/lib/bsv/script/interpreter/error.rb

@@ -49,6 +49,8 @@ module BSV
       IMPOSSIBLE_ENCODING = :impossible_encoding
       INVALID_OPCODE = :invalid_opcode
       MINIMAL_DATA = :minimal_data
+      STACK_MEMORY_EXCEEDED = :stack_memory_exceeded
+      UNIMPLEMENTED_OPCODE = :unimplemented_opcode
     end
   end
 end

data/lib/bsv/script/interpreter/interpreter.rb

@@ -42,10 +42,13 @@ module BSV
       # Conditional opcodes must be processed even in non-executing branches
       # to maintain correct nesting depth.
       CONDITIONAL_OPCODES = [
-        Opcodes::OP_IF, Opcodes::OP_NOTIF, Opcodes::OP_ELSE, Opcodes::OP_ENDIF,
-        Opcodes::OP_VERIF, Opcodes::OP_VERNOTIF
+        Opcodes::OP_IF, Opcodes::OP_NOTIF, Opcodes::OP_ELSE, Opcodes::OP_ENDIF
       ].freeze
 
+      # Maximum nesting depth for OP_IF / OP_NOTIF blocks. Prevents interpreter
+      # stack overflow from deeply nested conditionals.
+      MAX_CONDITIONAL_DEPTH = 256
+
       # Evaluate unlock + lock scripts without transaction context.
       #
       # Signature operations will always fail (no sighash available).
@@ -166,9 +169,7 @@ module BSV
 
         # --- Flow control ---
         when Opcodes::OP_NOP, Opcodes::OP_NOP1, Opcodes::OP_CHECKLOCKTIMEVERIFY,
-             Opcodes::OP_CHECKSEQUENCEVERIFY, Opcodes::OP_NOP4, Opcodes::OP_NOP5,
-             Opcodes::OP_NOP6, Opcodes::OP_NOP7, Opcodes::OP_NOP8, Opcodes::OP_NOP9,
-             Opcodes::OP_NOP10
+             Opcodes::OP_CHECKSEQUENCEVERIFY, Opcodes::OP_NOP9, Opcodes::OP_NOP10
           op_nop
         when Opcodes::OP_IF then op_if
         when Opcodes::OP_NOTIF then op_notif
@@ -176,10 +177,15 @@ module BSV
         when Opcodes::OP_ENDIF then op_endif
         when Opcodes::OP_VERIFY then op_verify
         when Opcodes::OP_RETURN then op_return
-        when Opcodes::OP_VER, Opcodes::OP_RESERVED, Opcodes::OP_RESERVED1, Opcodes::OP_RESERVED2
+        when Opcodes::OP_RESERVED, Opcodes::OP_RESERVED1, Opcodes::OP_RESERVED2
           op_reserved(opcode)
-        when Opcodes::OP_VERIF, Opcodes::OP_VERNOTIF
-          op_ver_conditional(opcode)
+        # Chronicle fail-safe: OP_VER, OP_VERIF, OP_VERNOTIF, and the Chronicle
+        # string/shift slots raise UnimplementedOpcode. Full semantics are
+        # deferred to SDK v0.10.
+        when Opcodes::OP_VER, Opcodes::OP_VERIF, Opcodes::OP_VERNOTIF,
+             Opcodes::OP_SUBSTR, Opcodes::OP_LEFT, Opcodes::OP_RIGHT,
+             Opcodes::OP_LSHIFTNUM, Opcodes::OP_RSHIFTNUM
+          op_unimplemented(opcode)
 
         # --- Stack manipulation ---
         when Opcodes::OP_TOALTSTACK then op_toaltstack

data/lib/bsv/script/interpreter/operations/arithmetic.rb

@@ -59,7 +59,12 @@ module BSV
             @dstack.push_int(a - b)
           end
 
-          # OP_MUL: a * b (re-enabled after genesis)
+          # OP_MUL: a * b (re-enabled after genesis).
+          #
+          # The O(n²) memory growth of large-operand multiplication is bounded
+          # by the 32 MB stack memory cap enforced by Stack#push_int, which calls
+          # Stack#push_bytes and raises ScriptErrorCode::STACK_MEMORY_EXCEEDED
+          # before the result can be pushed.
           def op_mul
             b = @dstack.pop_int
             a = @dstack.pop_int

data/lib/bsv/script/interpreter/operations/crypto.rb

@@ -51,10 +51,13 @@ module BSV
 
             result = verify_checksig(full_sig, pubkey_bytes)
 
-            # NULLFAIL: non-empty signature that failed verification
-            raise ScriptError.new(ScriptErrorCode::SIG_NULLFAIL, 'non-empty signature failed verification') unless result
+            # NULLFAIL: a non-empty signature that failed actual verification must be
+            # rejected. When there is no transaction context the signature cannot be
+            # verified at all — in that case we push false rather than raising, because
+            # no real verification failure occurred.
+            raise ScriptError.new(ScriptErrorCode::SIG_NULLFAIL, 'non-empty signature failed verification') if !result && @tx
 
-            @dstack.push_bool(true)
+            @dstack.push_bool(result)
           end
 
           # OP_CHECKSIGVERIFY: OP_CHECKSIG then OP_VERIFY
@@ -65,12 +68,13 @@ module BSV
             raise ScriptError.new(ScriptErrorCode::CHECKSIGVERIFY_FAILED, 'OP_CHECKSIGVERIFY failed')
           end
 
-          # OP_CHECKMULTISIG: verify M-of-N signatures
+          # OP_CHECKMULTISIG: verify M-of-N signatures.
+          #
+          # Post-Genesis BSV removes the 20-key limit. The stack memory cap
+          # (Stack::MAX_MEMORY_BYTES) is the practical upper bound on key count.
           def op_checkmultisig
             num_pubkeys = @dstack.pop_int.to_i32
-            if num_pubkeys.negative? || num_pubkeys > 20
-              raise ScriptError.new(ScriptErrorCode::INVALID_PUBKEY_COUNT, "invalid pubkey count: #{num_pubkeys}")
-            end
+            raise ScriptError.new(ScriptErrorCode::INVALID_PUBKEY_COUNT, "invalid pubkey count: #{num_pubkeys}") if num_pubkeys.negative?
 
             pubkeys = Array.new(num_pubkeys) { @dstack.pop_bytes }
 
@@ -87,8 +91,10 @@ module BSV
 
             success = multisig_match?(signatures, pubkeys)
 
-            # NULLFAIL: if failed, all signatures must be empty
-            unless success
+            # NULLFAIL: if failed and a transaction context is present, all non-empty
+            # signatures represent real verification failures and must be rejected.
+            # Without a tx context no verification occurred, so we push false instead.
+            if !success && @tx
               signatures.each do |sig|
                 raise ScriptError.new(ScriptErrorCode::SIG_NULLFAIL, 'non-empty signature failed verification') unless sig.empty?
               end
@@ -183,7 +189,15 @@ module BSV
             raise ScriptError.new(ScriptErrorCode::SIG_DER, "invalid DER signature: #{e.message}")
           end
 
-          # Validate public key encoding (compressed or uncompressed).
+          # Validate public key encoding.
+          #
+          # Accepted:
+          #   0x02, 0x03 — compressed (33 bytes)
+          #   0x04       — uncompressed (65 bytes)
+          #
+          # Rejected:
+          #   0x06, 0x07 — hybrid encoding (not valid in BSV scripts)
+          #   anything else
           def validate_pubkey_encoding!(bytes)
             return if bytes.bytesize == 33 && [0x02, 0x03].include?(bytes.getbyte(0))
             return if bytes.bytesize == 65 && bytes.getbyte(0) == 0x04

data/lib/bsv/script/interpreter/operations/flow_control.rb

@@ -10,6 +10,13 @@ module BSV
 
           # OP_IF: conditional execution
           def op_if
+            if @cond_stack.length >= MAX_CONDITIONAL_DEPTH
+              raise ScriptError.new(
+                ScriptErrorCode::UNBALANCED_CONDITIONAL,
+                "conditional depth exceeded #{MAX_CONDITIONAL_DEPTH}"
+              )
+            end
+
             if branch_executing?
               @cond_stack.push(@dstack.pop_bool ? :true : :false)
             else
@@ -20,6 +27,13 @@ module BSV
 
           # OP_NOTIF: inverse conditional execution
           def op_notif
+            if @cond_stack.length >= MAX_CONDITIONAL_DEPTH
+              raise ScriptError.new(
+                ScriptErrorCode::UNBALANCED_CONDITIONAL,
+                "conditional depth exceeded #{MAX_CONDITIONAL_DEPTH}"
+              )
+            end
+
             if branch_executing?
               @cond_stack.push(@dstack.pop_bool ? :false : :true)
             else
@@ -73,7 +87,7 @@ module BSV
           # OP_NOP and OP_NOP1..OP_NOP10 (including CLTV/CSV treated as NOP)
           def op_nop; end
 
-          # OP_RESERVED, OP_RESERVED1, OP_RESERVED2, OP_VER: fail when executing
+          # OP_RESERVED, OP_RESERVED1, OP_RESERVED2: fail when executing
           def op_reserved(opcode)
             raise ScriptError.new(
               ScriptErrorCode::RESERVED_OPCODE,
@@ -81,13 +95,15 @@ module BSV
             )
           end
 
-          # OP_VERIF, OP_VERNOTIF: always-illegal after genesis — fail only when executing
-          def op_ver_conditional(opcode)
-            return unless branch_executing?
-
+          # Chronicle fail-safe: OP_VER, OP_VERIF, OP_VERNOTIF and the Chronicle
+          # string/shift slots (OP_SUBSTR, OP_LEFT, OP_RIGHT, OP_LSHIFTNUM,
+          # OP_RSHIFTNUM). Full semantics are deferred to SDK v0.10. Any script
+          # that reaches one of these opcodes will fail loudly rather than
+          # silently succeeding.
+          def op_unimplemented(opcode)
             raise ScriptError.new(
-              ScriptErrorCode::RESERVED_OPCODE,
-              "attempt to execute reserved opcode: 0x#{opcode.to_s(16).rjust(2, '0')}"
+              ScriptErrorCode::UNIMPLEMENTED_OPCODE,
+              "unimplemented opcode: 0x#{opcode.to_s(16).rjust(2, '0')}"
             )
           end
         end

data/lib/bsv/script/interpreter/stack.rb

@@ -11,23 +11,34 @@ module BSV
     # Implements Forth-like stack manipulation operations (dup, drop, swap,
     # rot, over, pick, roll, tuck) parameterised by count for the multi-element
     # opcodes (OP_2DUP, OP_2SWAP, etc.).
+    #
+    # A 32 MB aggregate memory cap is enforced on every push, matching the
+    # ts-sdk behaviour. This provides a natural bound for O(n²) opcodes such
+    # as OP_MUL operating on large script numbers.
     class Stack
+      # Maximum total bytes held across all stack items (32 MB).
+      MAX_MEMORY_BYTES = 32 * 1024 * 1024
+
       def initialize
         @items = []
+        @memory_usage = 0
       end
 
       # --- Push ---
 
       def push_bytes(data)
-        @items.push(data.b)
+        check_memory!(data.bytesize)
+        bytes = data.b
+        @memory_usage += bytes.bytesize
+        @items.push(bytes)
       end
 
       def push_int(script_number)
-        @items.push(script_number.to_bytes)
+        push_bytes(script_number.to_bytes)
       end
 
       def push_bool(val)
-        @items.push(val ? "\x01".b : ''.b)
+        push_bytes(val ? "\x01".b : ''.b)
       end
 
       # --- Pop ---
@@ -35,10 +46,21 @@ module BSV
       def pop_bytes
         stack_error!('stack empty') if @items.empty?
 
-        @items.pop
+        item = @items.pop
+        @memory_usage -= item.bytesize
+        item
       end
 
-      def pop_int(max_length: ScriptNumber::MAX_BYTE_LENGTH, require_minimal: false)
+      # Decode the top stack item as a {ScriptNumber}.
+      #
+      # @param max_length [Integer] maximum allowed byte length. Defaults to
+      #   {ScriptNumber::MAX_BYTE_LENGTH} (750,000 bytes), matching Bitcoin's
+      #   +nMaxNumSize+ constant. Post-Genesis BSV makes this configurable at
+      #   the node level; the SDK uses the standard default.
+      # @param require_minimal [Boolean] whether to enforce minimal encoding.
+      #   Defaults to +true+ — post-Genesis BSV requires minimal encoding for
+      #   script numbers.
+      def pop_int(max_length: ScriptNumber::MAX_BYTE_LENGTH, require_minimal: true)
         ScriptNumber.from_bytes(pop_bytes, max_length: max_length, require_minimal: require_minimal)
       end
 
@@ -54,7 +76,15 @@ module BSV
         @items[@items.length - 1 - idx]
       end
 
-      def peek_int(idx = 0, max_length: ScriptNumber::MAX_BYTE_LENGTH, require_minimal: false)
+      # Decode a stack item as a {ScriptNumber} without removing it.
+      #
+      # @param idx [Integer] depth from the top (0 = top).
+      # @param max_length [Integer] maximum allowed byte length. Defaults to
+      #   {ScriptNumber::MAX_BYTE_LENGTH} (750,000 bytes), matching Bitcoin's
+      #   +nMaxNumSize+ constant.
+      # @param require_minimal [Boolean] whether to enforce minimal encoding.
+      #   Defaults to +true+ — post-Genesis BSV requires minimal encoding.
+      def peek_int(idx = 0, max_length: ScriptNumber::MAX_BYTE_LENGTH, require_minimal: true)
         ScriptNumber.from_bytes(peek_bytes(idx), max_length: max_length, require_minimal: require_minimal)
       end
 
@@ -74,6 +104,7 @@ module BSV
 
       def clear
         @items.clear
+        @memory_usage = 0
       end
 
       def to_a
@@ -88,7 +119,11 @@ module BSV
         stack_error!("stack too small for dup_n(#{count})") if @items.length < count
 
         start = @items.length - count
-        count.times { |i| @items.push(@items[start + i].dup) }
+        added = @items[start..].sum(&:bytesize)
+        check_memory!(added)
+        copies = Array.new(count) { |i| @items[start + i].dup }
+        @memory_usage += added
+        @items.concat(copies)
       end
 
       # Remove the top N items.
@@ -96,7 +131,8 @@ module BSV
         check_count!(count, 'drop_n')
         stack_error!("stack too small for drop_n(#{count})") if @items.length < count
 
-        @items.pop(count)
+        removed = @items.pop(count)
+        @memory_usage -= removed.sum(&:bytesize)
         nil
       end
 
@@ -104,7 +140,9 @@ module BSV
       def nip_n(idx)
         check_index!(idx)
 
-        @items.delete_at(@items.length - 1 - idx)
+        removed = @items.delete_at(@items.length - 1 - idx)
+        @memory_usage -= removed.bytesize
+        removed
       end
 
       # Rotate: move the bottom N of the top 3N items to the top.
@@ -140,17 +178,24 @@ module BSV
         stack_error!("stack too small for over_n(#{count})") if @items.length < (2 * count)
 
         start = @items.length - (2 * count)
-        count.times { |i| @items.push(@items[start + i].dup) }
+        added = @items[start, count].sum(&:bytesize)
+        check_memory!(added)
+        copies = Array.new(count) { |i| @items[start + i].dup }
+        @memory_usage += added
+        @items.concat(copies)
       end
 
       # Copy item at index n to top (0 = top).
       def pick_n(idx)
         check_index!(idx)
 
-        @items.push(@items[@items.length - 1 - idx].dup)
+        copy = @items[@items.length - 1 - idx].dup
+        check_memory!(copy.bytesize)
+        @memory_usage += copy.bytesize
+        @items.push(copy)
       end
 
-      # Move item at index n to top (0 = top).
+      # Move item at index n to top (0 = top). Memory usage is unchanged.
       def roll_n(idx)
         check_index!(idx)
 
@@ -162,7 +207,10 @@ module BSV
       def tuck
         stack_error!('stack too small for tuck') if @items.length < 2
 
-        @items.insert(@items.length - 2, @items.last.dup)
+        copy = @items.last.dup
+        check_memory!(copy.bytesize)
+        @memory_usage += copy.bytesize
+        @items.insert(@items.length - 2, copy)
       end
 
       # --- Boolean conversion ---
@@ -187,6 +235,15 @@ module BSV
         raise ScriptError.new(ScriptErrorCode::INVALID_STACK_OPERATION, message)
       end
 
+      def check_memory!(additional_bytes)
+        return unless @memory_usage + additional_bytes > MAX_MEMORY_BYTES
+
+        raise ScriptError.new(
+          ScriptErrorCode::STACK_MEMORY_EXCEEDED,
+          "stack memory limit of #{MAX_MEMORY_BYTES} bytes exceeded"
+        )
+      end
+
       def check_index!(idx)
         return if idx >= 0 && idx < @items.length