@arkade-os/sdk 0.4.23 → 0.4.24

package/dist/esm/script/tapscript.js

@@ -1,6 +1,6 @@
-import * as bip68 from "bip68";
 import { Script, ScriptNum, p2tr_ms } from "@scure/btc-signer";
 import { hex } from "@scure/base";
+import { sequenceToTimelock, timelockToSequence } from '../utils/timelock.js';
 const MinimalScriptNum = ScriptNum(undefined, true);
 export var TapscriptType;
 (function (TapscriptType) {
@@ -234,9 +234,7 @@ export var CSVMultisigTapscript;
                 throw new Error(`Invalid pubkey length: expected 32, got ${pubkey.length}`);
             }
         }
-        const sequence = MinimalScriptNum.encode(BigInt(bip68.encode(params.timelock.type === "blocks"
-            ? { blocks: Number(params.timelock.value) }
-            : { seconds: Number(params.timelock.value) })));
+        const sequence = MinimalScriptNum.encode(BigInt(timelockToSequence(params.timelock)));
         const asm = [
             sequence.length === 1 ? sequence[0] : sequence,
             "CHECKSEQUENCEVERIFY",
@@ -259,17 +257,12 @@ export var CSVMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 3) {
-            throw new Error(`Invalid script: too short (expected at least 3)`);
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
         const sequence = asm[0];
-        if (typeof sequence === "string") {
-            throw new Error("Invalid script: expected sequence number");
-        }
-        if (asm[1] !== "CHECKSEQUENCEVERIFY" || asm[2] !== "DROP") {
-            throw new Error("Invalid script: expected CHECKSEQUENCEVERIFY DROP");
-        }
         const multisigScript = new Uint8Array(Script.encode(asm.slice(3)));
         let multisig;
         try {
@@ -285,10 +278,7 @@ export var CSVMultisigTapscript;
         else {
             sequenceNum = Number(MinimalScriptNum.decode(sequence));
         }
-        const decodedTimelock = bip68.decode(sequenceNum);
-        const timelock = decodedTimelock.blocks !== undefined
-            ? { type: "blocks", value: BigInt(decodedTimelock.blocks) }
-            : { type: "seconds", value: BigInt(decodedTimelock.seconds) };
+        const timelock = sequenceToTimelock(sequenceNum);
         const reconstructed = encode({
             timelock,
             ...multisig.params,
@@ -311,6 +301,21 @@ export var CSVMultisigTapscript;
         return tapscript.type === TapscriptType.CSVMultisig;
     }
     CSVMultisigTapscript.is = is;
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 3) {
+            return new Error(`Invalid script: too short (expected at least 3)`);
+        }
+        const sequence = asm[0];
+        if (typeof sequence === "string") {
+            return new Error("Invalid script: expected sequence number");
+        }
+        if (asm[1] !== "CHECKSEQUENCEVERIFY" || asm[2] !== "DROP") {
+            return new Error("Invalid script: expected CHECKSEQUENCEVERIFY DROP");
+        }
+        return true;
+    }
+    CSVMultisigTapscript.isScriptValid = isScriptValid;
 })(CSVMultisigTapscript || (CSVMultisigTapscript = {}));
 /**
  * Combines a condition script with an exit closure. The resulting script requires
@@ -345,18 +350,14 @@ export var ConditionCSVMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 1) {
-            throw new Error(`Invalid script: too short (expected at least 1)`);
-        }
-        let verifyIndex = -1;
-        for (let i = asm.length - 1; i >= 0; i--) {
-            if (asm[i] === "VERIFY") {
-                verifyIndex = i;
-            }
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
+        let verifyIndex = getVerifyIndex(asm);
         if (verifyIndex === -1) {
-            throw new Error("Invalid script: missing VERIFY operation");
+            throw Error("Invalid script: missing VERIFY operation");
         }
         const conditionScript = new Uint8Array(Script.encode(asm.slice(0, verifyIndex)));
         const csvMultisigScript = new Uint8Array(Script.encode(asm.slice(verifyIndex + 1)));
@@ -389,6 +390,28 @@ export var ConditionCSVMultisigTapscript;
         return tapscript.type === TapscriptType.ConditionCSVMultisig;
     }
     ConditionCSVMultisigTapscript.is = is;
+    function getVerifyIndex(asm) {
+        let verifyIndex = -1;
+        for (let i = asm.length - 1; i >= 0; i--) {
+            if (asm[i] === "VERIFY") {
+                verifyIndex = i;
+                return verifyIndex;
+            }
+        }
+        return verifyIndex;
+    }
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 1) {
+            return new Error(`Invalid script: too short (expected at least 1)`);
+        }
+        let verifyIndex = getVerifyIndex(asm);
+        if (verifyIndex === -1) {
+            return new Error("Invalid script: missing VERIFY operation");
+        }
+        return true;
+    }
+    ConditionCSVMultisigTapscript.isScriptValid = isScriptValid;
 })(ConditionCSVMultisigTapscript || (ConditionCSVMultisigTapscript = {}));
 /**
  * Combines a condition script with a forfeit closure. The resulting script requires
@@ -423,18 +446,14 @@ export var ConditionMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 1) {
-            throw new Error(`Invalid script: too short (expected at least 1)`);
-        }
-        let verifyIndex = -1;
-        for (let i = asm.length - 1; i >= 0; i--) {
-            if (asm[i] === "VERIFY") {
-                verifyIndex = i;
-            }
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
+        let verifyIndex = getVerifyIndex(asm);
         if (verifyIndex === -1) {
-            throw new Error("Invalid script: missing VERIFY operation");
+            throw Error("Invalid script: missing VERIFY operation");
         }
         const conditionScript = new Uint8Array(Script.encode(asm.slice(0, verifyIndex)));
         const multisigScript = new Uint8Array(Script.encode(asm.slice(verifyIndex + 1)));
@@ -467,6 +486,28 @@ export var ConditionMultisigTapscript;
         return tapscript.type === TapscriptType.ConditionMultisig;
     }
     ConditionMultisigTapscript.is = is;
+    function getVerifyIndex(asm) {
+        let verifyIndex = -1;
+        for (let i = asm.length - 1; i >= 0; i--) {
+            if (asm[i] === "VERIFY") {
+                verifyIndex = i;
+                return verifyIndex;
+            }
+        }
+        return verifyIndex;
+    }
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 1) {
+            return new Error(`Invalid script: too short (expected at least 1)`);
+        }
+        let verifyIndex = getVerifyIndex(asm);
+        if (verifyIndex === -1) {
+            return new Error("Invalid script: missing VERIFY operation");
+        }
+        return true;
+    }
+    ConditionMultisigTapscript.isScriptValid = isScriptValid;
 })(ConditionMultisigTapscript || (ConditionMultisigTapscript = {}));
 /**
  * Implements an absolute timelock (CLTV) script combined with a forfeit closure.
@@ -507,10 +548,11 @@ export var CLTVMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 3) {
-            throw new Error(`Invalid script: too short (expected at least 3)`);
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
         const locktime = asm[0];
         if (typeof locktime === "string") {
             throw new Error("Invalid script: expected locktime number");
@@ -555,4 +597,19 @@ export var CLTVMultisigTapscript;
         return tapscript.type === TapscriptType.CLTVMultisig;
     }
     CLTVMultisigTapscript.is = is;
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 3) {
+            return new Error(`Invalid script: too short (expected at least 3)`);
+        }
+        const locktime = asm[0];
+        if (typeof locktime === "string") {
+            return new Error("Invalid script: expected locktime as number or bytes");
+        }
+        if (asm[1] !== "CHECKLOCKTIMEVERIFY" || asm[2] !== "DROP") {
+            return new Error("Invalid script: expected CHECKLOCKTIMEVERIFY DROP");
+        }
+        return true;
+    }
+    CLTVMultisigTapscript.isScriptValid = isScriptValid;
 })(CLTVMultisigTapscript || (CLTVMultisigTapscript = {}));

package/dist/esm/utils/timelock.js

@@ -0,0 +1,22 @@
+import * as bip68 from "bip68";
+/**
+ * Convert RelativeTimelock to BIP68 sequence number.
+ */
+export function timelockToSequence(timelock) {
+    return bip68.encode(timelock.type === "blocks"
+        ? { blocks: Number(timelock.value) }
+        : { seconds: Number(timelock.value) });
+}
+/**
+ * Convert BIP68 sequence number back to RelativeTimelock.
+ */
+export function sequenceToTimelock(sequence) {
+    const decoded = bip68.decode(sequence);
+    if ("blocks" in decoded && decoded.blocks !== undefined) {
+        return { type: "blocks", value: BigInt(decoded.blocks) };
+    }
+    if ("seconds" in decoded && decoded.seconds !== undefined) {
+        return { type: "seconds", value: BigInt(decoded.seconds) };
+    }
+    throw new Error(`Invalid BIP68 sequence: ${sequence}`);
+}

package/dist/esm/utils/unknownFields.js

@@ -1,6 +1,6 @@
-import * as bip68 from "bip68";
 import { RawWitness, ScriptNum } from "@scure/btc-signer";
 import { hex } from "@scure/base";
+import { sequenceToTimelock } from './timelock.js';
 /**
  * ArkPsbtFieldKey are the available key names for the Arkade PSBT custom fields.
  */
@@ -146,11 +146,7 @@ export const VtxoTreeExpiry = {
         const v = ScriptNum(6, true).decode(unknown[1]);
         if (!v)
             return null;
-        const { blocks, seconds } = bip68.decode(Number(v));
-        return {
-            type: blocks ? "blocks" : "seconds",
-            value: BigInt(blocks ?? seconds ?? 0),
-        };
+        return sequenceToTimelock(Number(v));
     }),
 };
 const encodedPsbtFieldKey = Object.fromEntries(Object.values(ArkPsbtFieldKey).map((key) => [

package/dist/esm/wallet/serviceWorker/wallet-message-handler.js

@@ -2,6 +2,8 @@ import { RestIndexerProvider } from '../../providers/indexer.js';
 import { isExpired, isRecoverable, isSpendable, isSubdust, } from '../index.js';
 import { extendCoin } from '../utils.js';
 import { buildTransactionHistory } from '../../utils/transactionHistory.js';
+import { filterVtxosForScript, warnAndFilterVtxosForScript, } from '../../contracts/vtxoOwnership.js';
+import { scriptFromArkAddress } from '../../repositories/scriptFromAddress.js';
 export class WalletNotInitializedError extends Error {
     constructor() {
         super("Wallet handler not initialized");
@@ -581,11 +583,45 @@ export class WalletMessageHandler {
                     const { newVtxos, spentVtxos } = funds;
                     if (newVtxos.length + spentVtxos.length === 0)
                         return;
-                    // save virtual outputs using unified repository
-                    await this.walletRepository?.saveVtxos(address, [
-                        ...newVtxos,
-                        ...spentVtxos,
-                    ]);
+                    // Save virtual outputs using unified repository. The
+                    // event may carry rows for several scripts (other
+                    // contracts the wallet watches), so split by script and
+                    // save each bucket under its own contract address rather
+                    // than saving a mixed-script array under one address.
+                    const byScript = new Map();
+                    for (const v of [...newVtxos, ...spentVtxos]) {
+                        if (!v.script) {
+                            // Without a script we can't route the row to the
+                            // right contract bucket; surface the drop instead
+                            // of silently losing the VTXO.
+                            console.warn(`WalletMessageHandler.notifyIncomingFunds: dropping VTXO without script ${v.txid}:${v.vout}`);
+                            continue;
+                        }
+                        const arr = byScript.get(v.script) ?? [];
+                        arr.push(v);
+                        byScript.set(v.script, arr);
+                    }
+                    let walletScript;
+                    try {
+                        walletScript = scriptFromArkAddress(address);
+                    }
+                    catch {
+                        walletScript = undefined;
+                    }
+                    const cm = await this.readonlyWallet.getContractManager();
+                    const contracts = await cm.getContracts();
+                    const addrByScript = new Map(contracts.map((c) => [c.script, c.address]));
+                    for (const [script, vtxos] of byScript) {
+                        const filtered = warnAndFilterVtxosForScript(vtxos, script, "WalletMessageHandler.notifyIncomingFunds");
+                        if (filtered.length === 0)
+                            continue;
+                        const targetAddress = script === walletScript
+                            ? address
+                            : addrByScript.get(script);
+                        if (!targetAddress)
+                            continue;
+                        await this.walletRepository?.saveVtxos(targetAddress, filtered);
+                    }
                     // notify all clients about the virtual output state update
                     this.scheduleForNextTick(() => this.tagged({
                         type: "VTXO_UPDATE",
@@ -797,17 +833,31 @@ export class WalletMessageHandler {
                 }
             }
         };
-        // Aggregate virtual outputs from all contract addresses
+        // Aggregate virtual outputs from all contract addresses. Address
+        // buckets may carry legacy duplicate rows from other contracts; gate
+        // each bucket by its owning contract script before deduplication so a
+        // wrong-script row never wins the txid:vout race.
         const manager = await this.readonlyWallet.getContractManager();
         const contracts = await manager.getContracts();
         for (const contract of contracts) {
             const vtxos = await this.walletRepository.getVtxos(contract.address);
-            addVtxos(vtxos);
+            addVtxos(filterVtxosForScript(vtxos, contract.script));
         }
-        // Also check the wallet's primary address
+        // Also check the wallet's primary address. Decode it to its script
+        // and apply the same script gate. Failing to decode the wallet's own
+        // address is a structural bug — surfacing the error is safer than
+        // silently dropping the primary bucket and zeroing the user's
+        // visible balance.
         const walletAddress = await this.readonlyWallet.getAddress();
+        let walletScript;
+        try {
+            walletScript = scriptFromArkAddress(walletAddress);
+        }
+        catch (e) {
+            throw new Error(`WalletMessageHandler.getVtxosFromRepo: failed to derive script from wallet address ${walletAddress}: ${e instanceof Error ? e.message : String(e)}`);
+        }
         const walletVtxos = await this.walletRepository.getVtxos(walletAddress);
-        addVtxos(walletVtxos);
+        addVtxos(filterVtxosForScript(walletVtxos, walletScript));
         return allVtxos;
     }
     /**

package/dist/esm/wallet/unroll.js

@@ -1,6 +1,6 @@
 import { base64, hex } from "@scure/base";
 import { SigHash, TaprootControlBlock } from "@scure/btc-signer";
-import { timelockToSequence } from '../contracts/handlers/helpers.js';
+import { timelockToSequence } from '../utils/timelock.js';
 import { ChainTxType } from '../providers/indexer.js';
 import { VtxoScript } from '../script/base.js';
 import { TxWeightEstimator } from '../utils/txSizeEstimator.js';
@@ -126,10 +126,12 @@ export var Unroll;
                 // finalize Arkade transaction
                 tx.finalize();
             }
+            const pkg = await this.bumper.bumpP2A(tx);
             return {
                 type: StepType.UNROLL,
                 tx,
-                do: doUnroll(this.bumper, this.explorer, tx),
+                pkg,
+                do: doUnroll(this.explorer, pkg),
             };
         }
         /**
@@ -161,79 +163,88 @@ export var Unroll;
      * @returns the txid of the transaction spending the unrolled funds
      */
     async function completeUnroll(wallet, vtxoTxids, outputAddress) {
-        const chainTip = await wallet.onchainProvider.getChainTip();
-        let vtxos = await wallet.getVtxos({ withUnrolled: true });
-        vtxos = vtxos.filter((vtxo) => vtxoTxids.includes(vtxo.txid));
-        if (vtxos.length === 0) {
-            throw new Error("No vtxos to complete unroll");
-        }
-        const inputs = [];
-        let totalAmount = 0n;
-        const txWeightEstimator = TxWeightEstimator.create();
-        for (const vtxo of vtxos) {
-            if (!vtxo.isUnrolled) {
-                throw new Error(`Vtxo ${vtxo.txid}:${vtxo.vout} is not fully unrolled, use unroll first`);
-            }
-            const txStatus = await wallet.onchainProvider.getTxStatus(vtxo.txid);
-            if (!txStatus.confirmed) {
-                throw new Error(`tx ${vtxo.txid} is not confirmed`);
-            }
-            const exit = availableExitPath({ height: txStatus.blockHeight, time: txStatus.blockTime }, chainTip, vtxo);
-            if (!exit) {
-                throw new Error(`no available exit path found for vtxo ${vtxo.txid}:${vtxo.vout}`);
-            }
-            const spendingLeaf = VtxoScript.decode(vtxo.tapTree).findLeaf(hex.encode(exit.script));
-            if (!spendingLeaf) {
-                throw new Error(`spending leaf not found for vtxo ${vtxo.txid}:${vtxo.vout}`);
-            }
-            totalAmount += BigInt(vtxo.value);
-            const sequence = timelockToSequence(exit.params.timelock);
-            inputs.push({
-                txid: vtxo.txid,
-                index: vtxo.vout,
-                tapLeafScript: [spendingLeaf],
-                sequence,
-                witnessUtxo: {
-                    amount: BigInt(vtxo.value),
-                    script: VtxoScript.decode(vtxo.tapTree).pkScript,
-                },
-                sighashType: SigHash.DEFAULT,
-            });
-            txWeightEstimator.addTapscriptInput(64, spendingLeaf[1].length, TaprootControlBlock.encode(spendingLeaf[0]).length);
-        }
-        const tx = new Transaction({ version: 2 });
-        for (const input of inputs) {
-            tx.addInput(input);
-        }
-        txWeightEstimator.addOutputAddress(outputAddress, wallet.network);
-        let feeRate = await wallet.onchainProvider.getFeeRate();
-        if (!feeRate || feeRate < Wallet.MIN_FEE_RATE) {
-            feeRate = Wallet.MIN_FEE_RATE;
-        }
-        const feeAmount = txWeightEstimator.vsize().fee(BigInt(feeRate));
-        if (feeAmount > totalAmount) {
-            throw new Error("fee amount is greater than the total amount");
-        }
-        const sendAmount = totalAmount - feeAmount;
-        if (sendAmount < BigInt(DUST_AMOUNT)) {
-            throw new Error("send amount is less than dust amount");
-        }
-        tx.addOutputAddress(outputAddress, sendAmount);
-        const signedTx = await wallet.identity.sign(tx);
-        signedTx.finalize();
+        const signedTx = await prepareUnrollTransaction(wallet, vtxoTxids, outputAddress);
         await wallet.onchainProvider.broadcastTransaction(signedTx.hex);
         return signedTx.id;
     }
     Unroll.completeUnroll = completeUnroll;
 })(Unroll || (Unroll = {}));
+/**
+ * Prepares the transaction that spends the CSV path to complete unrolling a VTXO.
+ * @param wallet the wallet owning the VTXO(s)
+ * @param vtxoTxIds the txids of the VTXO(s) to complete unroll
+ * @param outputAddress the address to send the unrolled funds to
+ * @throws if the VTXO(s) are not fully unrolled, if the txids are not found, if the tx is not confirmed, if no exit path is found or not available
+ * @returns the transaction spending the unrolled funds
+ */
+export async function prepareUnrollTransaction(wallet, vtxoTxIds, outputAddress) {
+    const chainTip = await wallet.onchainProvider.getChainTip();
+    let vtxos = await wallet.getVtxos({ withUnrolled: true });
+    vtxos = vtxos.filter((vtxo) => vtxoTxIds.includes(vtxo.txid));
+    if (vtxos.length === 0) {
+        throw new Error("No vtxos to complete unroll");
+    }
+    const inputs = [];
+    let totalAmount = 0n;
+    const txWeightEstimator = TxWeightEstimator.create();
+    for (const vtxo of vtxos) {
+        if (!vtxo.isUnrolled) {
+            throw new Error(`Vtxo ${vtxo.txid}:${vtxo.vout} is not fully unrolled, use unroll first`);
+        }
+        const txStatus = await wallet.onchainProvider.getTxStatus(vtxo.txid);
+        if (!txStatus.confirmed) {
+            throw new Error(`tx ${vtxo.txid} is not confirmed`);
+        }
+        const exit = availableExitPath({ height: txStatus.blockHeight, time: txStatus.blockTime }, chainTip, vtxo);
+        if (!exit) {
+            throw new Error(`no available exit path found for vtxo ${vtxo.txid}:${vtxo.vout}`);
+        }
+        const spendingLeaf = VtxoScript.decode(vtxo.tapTree).findLeaf(hex.encode(exit.script));
+        if (!spendingLeaf) {
+            throw new Error(`spending leaf not found for vtxo ${vtxo.txid}:${vtxo.vout}`);
+        }
+        totalAmount += BigInt(vtxo.value);
+        const sequence = timelockToSequence(exit.params.timelock);
+        inputs.push({
+            txid: vtxo.txid,
+            index: vtxo.vout,
+            tapLeafScript: [spendingLeaf],
+            sequence,
+            witnessUtxo: {
+                amount: BigInt(vtxo.value),
+                script: VtxoScript.decode(vtxo.tapTree).pkScript,
+            },
+            sighashType: SigHash.DEFAULT,
+        });
+        txWeightEstimator.addTapscriptInput(64, spendingLeaf[1].length, TaprootControlBlock.encode(spendingLeaf[0]).length);
+    }
+    const tx = new Transaction({ version: 2 });
+    for (const input of inputs) {
+        tx.addInput(input);
+    }
+    txWeightEstimator.addOutputAddress(outputAddress, wallet.network);
+    let feeRate = await wallet.onchainProvider.getFeeRate();
+    if (!feeRate || feeRate < Wallet.MIN_FEE_RATE) {
+        feeRate = Wallet.MIN_FEE_RATE;
+    }
+    const feeAmount = txWeightEstimator.vsize().fee(BigInt(feeRate));
+    if (feeAmount > totalAmount) {
+        throw new Error("fee amount is greater than the total amount");
+    }
+    const sendAmount = totalAmount - feeAmount;
+    if (sendAmount < BigInt(DUST_AMOUNT)) {
+        throw new Error("send amount is less than dust amount");
+    }
+    tx.addOutputAddress(outputAddress, sendAmount, wallet.network);
+    const signedTx = await wallet.identity.sign(tx);
+    signedTx.finalize();
+    return signedTx;
+}
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
-function doUnroll(bumper, onchainProvider, tx) {
-    return async () => {
-        const [parent, child] = await bumper.bumpP2A(tx);
-        await onchainProvider.broadcastTransaction(parent, child);
-    };
+function doUnroll(onchainProvider, pkg) {
+    return () => onchainProvider.broadcastTransaction(...pkg).then(() => undefined);
 }
 function doWait(onchainProvider, txid) {
     return () => {

package/dist/esm/wallet/wallet.js

@@ -32,8 +32,9 @@ import { DelegatorManagerImpl, findDestinationOutputIndex, } from './delegator.j
 import { IndexedDBContractRepository, IndexedDBWalletRepository, } from '../repositories/index.js';
 import { ContractManager } from '../contracts/contractManager.js';
 import { contractHandlers } from '../contracts/handlers/index.js';
-import { timelockToSequence } from '../contracts/handlers/helpers.js';
+import { timelockToSequence } from '../utils/timelock.js';
 import { clearSyncCursor, updateWalletState } from '../utils/syncCursors.js';
+import { validateVtxosForScript } from '../contracts/vtxoOwnership.js';
 export const getArkadeServerUrl = ({ arkServerUrl, }) => arkServerUrl || DEFAULT_ARKADE_SERVER_URL;
 // Historical unilateral exit delay for mainnet (~7 days in seconds).
 // Kept so existing wallets can still discover and spend VTXOs sent to the
@@ -1823,7 +1824,7 @@ export class Wallet extends ReadonlyWallet {
                 }
             }
             const createdAt = Date.now();
-            const addr = this.arkAddress.encode();
+            const primaryAddr = this.arkAddress.encode();
             // Only save a change virtual output for preconfirmed coins (those with a batchExpiry).
             // Inputs without a batchExpiry are already settled/unrolled and don't need tracking.
             let changeVtxo;
@@ -1850,8 +1851,45 @@ export class Wallet extends ReadonlyWallet {
                     script: hex.encode(this.offchainTapscript.pkScript),
                 };
             }
-            await this.walletRepository.saveVtxos(addr, changeVtxo ? [...spentVtxos, changeVtxo] : spentVtxos);
-            await this.walletRepository.saveTransactions(addr, [
+            // Route spent rows to their owning contract bucket. The wallet's
+            // primary contract is registered with the manager at boot, so
+            // `addrByScript` already includes it; in a multi-contract spend
+            // each input may belong to a different contract.
+            const contracts = await cm.getContracts();
+            const addrByScript = new Map(contracts.map((c) => [c.script, c.address]));
+            const spentByScript = new Map();
+            for (const v of spentVtxos) {
+                if (!v.script) {
+                    throw new Error(`Wallet.updateDbAfterOffchainTx: spent VTXO ${v.txid}:${v.vout} has no script`);
+                }
+                const arr = spentByScript.get(v.script) ?? [];
+                arr.push(v);
+                spentByScript.set(v.script, arr);
+            }
+            const byAddress = new Map();
+            for (const [script, vtxos] of spentByScript) {
+                // User-initiated send path: a wrong-script row here means the
+                // wallet is about to record ownership against the wrong
+                // contract — fail loudly rather than persist inconsistent state.
+                validateVtxosForScript(vtxos, script, "Wallet.updateDbAfterOffchainTx");
+                const targetAddr = addrByScript.get(script);
+                if (!targetAddr) {
+                    throw new Error(`Wallet.updateDbAfterOffchainTx: no contract owns script ${script}`);
+                }
+                const bucket = byAddress.get(targetAddr) ?? [];
+                bucket.push(...vtxos);
+                byAddress.set(targetAddr, bucket);
+            }
+            // Change is always primary-script by construction.
+            if (changeVtxo) {
+                const bucket = byAddress.get(primaryAddr) ?? [];
+                bucket.push(changeVtxo);
+                byAddress.set(primaryAddr, bucket);
+            }
+            for (const [addr, vtxos] of byAddress) {
+                await this.walletRepository.saveVtxos(addr, vtxos);
+            }
+            await this.walletRepository.saveTransactions(primaryAddr, [
                 {
                     key: {
                         boardingTxid: "",
@@ -1867,12 +1905,12 @@ export class Wallet extends ReadonlyWallet {
         }
         catch (e) {
             console.warn("error saving offchain tx to repository", e);
+            throw e;
         }
     }
     // mark virtual outputs as spent/settled, remove boarding inputs
     async updateDbAfterSettle(inputs, commitmentTxid) {
         try {
-            const addr = this.arkAddress.encode();
             const boardingAddress = await this.getBoardingAddress();
             const spentVtxos = [];
             const inputArkTxIds = new Set();
@@ -1905,7 +1943,38 @@ export class Wallet extends ReadonlyWallet {
                 }
             }
             if (spentVtxos.length > 0) {
-                await this.walletRepository.saveVtxos(addr, spentVtxos);
+                // Route settled rows to their owning contract bucket. In a
+                // multi-contract settle the inputs may belong to several
+                // contracts; the wallet's primary contract is registered with
+                // the manager at boot, so its address is in `addrByScript`
+                // alongside the rest.
+                const contracts = await cm.getContracts();
+                const addrByScript = new Map(contracts.map((c) => [c.script, c.address]));
+                const byAddress = new Map();
+                const byScript = new Map();
+                for (const v of spentVtxos) {
+                    if (!v.script) {
+                        throw new Error(`Wallet.updateDbAfterSettle: spent VTXO ${v.txid}:${v.vout} has no script`);
+                    }
+                    const arr = byScript.get(v.script) ?? [];
+                    arr.push(v);
+                    byScript.set(v.script, arr);
+                }
+                for (const [script, vtxos] of byScript) {
+                    // User-initiated settle path: refuse to record a settle
+                    // against the wrong script.
+                    validateVtxosForScript(vtxos, script, "Wallet.updateDbAfterSettle");
+                    const targetAddr = addrByScript.get(script);
+                    if (!targetAddr) {
+                        throw new Error(`Wallet.updateDbAfterSettle: no contract owns script ${script}`);
+                    }
+                    const bucket = byAddress.get(targetAddr) ?? [];
+                    bucket.push(...vtxos);
+                    byAddress.set(targetAddr, bucket);
+                }
+                for (const [bucketAddr, vtxos] of byAddress) {
+                    await this.walletRepository.saveVtxos(bucketAddr, vtxos);
+                }
             }
             if (boardingUtxoToRemove.size > 0) {
                 const currentUtxos = await this.walletRepository.getUtxos(boardingAddress);
@@ -1919,6 +1988,7 @@ export class Wallet extends ReadonlyWallet {
         }
         catch (e) {
             console.warn("error updating repository after settle", e);
+            throw e;
         }
     }
 }