quantumcoin 7.0.13 → 7.0.14

package/src/contract/contract.js

@@ -37,6 +37,40 @@ function _isOverridesLike(value) {
   return true;
 }
 
+// Fields a caller is allowed to set via `overrides`. Protected routing /
+// payload fields (`to`, `data`, `from`) are intentionally excluded so that a
+// caller-supplied overrides object can never redirect the transaction to a
+// different contract or replace the encoded calldata. Unknown keys are dropped.
+const _ALLOWED_OVERRIDE_KEYS = [
+  "value",
+  "gasLimit",
+  "gasPrice",
+  "maxFeePerGas",
+  "maxPriorityFeePerGas",
+  "nonce",
+  "chainId",
+  "remarks",
+  "signingContext",
+];
+
+/**
+ * Return a copy of `overrides` containing only the allow-listed fields.
+ * Drops `to`, `data`, `from`, and any unknown/prototype keys so the protected
+ * fields computed by the contract layer always win.
+ * @param {any} overrides
+ * @returns {Record<string, any>}
+ */
+function _sanitizeOverrides(overrides) {
+  const out = {};
+  if (!_isOverridesLike(overrides)) return out;
+  for (const key of _ALLOWED_OVERRIDE_KEYS) {
+    if (Object.prototype.hasOwnProperty.call(overrides, key) && overrides[key] !== undefined) {
+      out[key] = overrides[key];
+    }
+  }
+  return out;
+}
+
 /**
  * BaseContract placeholder (ethers-like).
  */
@@ -228,7 +262,8 @@ class Contract extends BaseContract {
     }
 
     const data = this.interface.encodeFunctionData(methodName, callArgs);
-    return { to: this.address, data, ...(overrides || {}) };
+    // Protected fields (to/data) must win over caller-supplied overrides.
+    return { ..._sanitizeOverrides(overrides), to: this.address, data };
   }
 
   /**
@@ -241,7 +276,8 @@ class Contract extends BaseContract {
   async call(methodName, args, overrides) {
     if (!this.provider) throw makeError("missing provider", "UNKNOWN_ERROR", { operation: "call" });
     const data = this.interface.encodeFunctionData(methodName, args);
-    const tx = { to: this.address, data, ...(overrides || {}) };
+    // Protected fields (to/data) must win over caller-supplied overrides.
+    const tx = { ..._sanitizeOverrides(overrides), to: this.address, data };
     const raw = await this.provider.call(tx, "latest");
     const decoded = this.interface.decodeFunctionResult(methodName, raw);
     return decoded;
@@ -257,7 +293,8 @@ class Contract extends BaseContract {
   async send(methodName, args, overrides) {
     if (!this.signer) throw makeError("missing signer", "UNKNOWN_ERROR", { operation: "send" });
     const data = this.interface.encodeFunctionData(methodName, args);
-    const tx = { to: this.address, data, ...(overrides || {}) };
+    // Protected fields (to/data) must win over caller-supplied overrides.
+    const tx = { ..._sanitizeOverrides(overrides), to: this.address, data };
     const resp = await this.signer.sendTransaction(tx);
     return new ContractTransactionResponse(resp);
   }
@@ -273,9 +310,19 @@ class Contract extends BaseContract {
     if (!this.provider) throw makeError("missing provider", "UNKNOWN_ERROR", { operation: "queryFilter" });
     const name = typeof event === "string" ? event : event?.name;
     assertArgument(typeof name === "string", "invalid event", "event", event);
-    const filter = { address: this.address, fromBlock, toBlock };
+
+    // Bind the query to the requested event's topic0 so a malicious node cannot
+    // return same-address logs for a *different* event. We both constrain the RPC
+    // filter and verify the returned logs' topic0 client-side.
+    const topic0 = this.interface.getEventTopic(name);
+    const filter = { address: this.address, topics: [topic0], fromBlock, toBlock };
     const logs = await this.provider.getLogs(filter);
-    return logs.map((l) => new EventLog(l));
+    return logs
+      .filter((l) => {
+        const t = Array.isArray(l && l.topics) ? l.topics[0] : null;
+        return typeof t === "string" && normalizeHex(t).toLowerCase() === topic0.toLowerCase();
+      })
+      .map((l) => new EventLog(l));
   }
 
   on(event, callback) {
@@ -356,5 +403,6 @@ module.exports = {
   ContractTransactionResponse,
   ContractTransactionReceipt,
   EventLog,
+  _sanitizeOverrides,
 };
 

package/src/generator/index.js

@@ -80,8 +80,9 @@ function _collectTupleRegistry(contractName, abi) {
     const key = _tupleKey(param);
     if (byKey.has(key)) return byKey.get(key);
 
-    const suggested =
-      _tupleBaseNameFromInternalType(contractName, param && param.internalType) || `${contractName}Tuple${++counter}`;
+    const suggested = _safeTypeIdent(
+      _tupleBaseNameFromInternalType(contractName, param && param.internalType) || `${contractName}Tuple${++counter}`,
+    );
     let baseName = suggested;
     if (usedNames.has(baseName) && usedNames.get(baseName) !== key) {
       let n = 1;
@@ -376,6 +377,93 @@ function _safeIdent(name) {
   return (name || "arg").replace(/[^a-zA-Z0-9_]/g, "_");
 }
 
+// NatSpec/doc text is attacker-controllable (it comes from arbitrary Solidity
+// source). It is emitted into generated `/** ... */` JSDoc blocks, so a `*/` in the
+// text would close the comment early and turn whatever follows into executable code
+// in the generated .js/.ts files. Neutralize the comment delimiters (and strip
+// CR/LF so a line cannot be split) before interpolation.
+function _escapeComment(text) {
+  return String(text == null ? "" : text)
+    .replace(/\*\//g, "* /")
+    .replace(/\/\*/g, "/ *")
+    .replace(/[\r\n]+/g, " ");
+}
+
+// Reserved words / dangerous property names that must never be emitted as a raw
+// identifier (class name, function name, import/require specifier, etc.).
+const _RESERVED_IDENTIFIERS = new Set([
+  "break", "case", "catch", "class", "const", "continue", "debugger", "default", "delete", "do",
+  "else", "export", "extends", "finally", "for", "function", "if", "import", "in", "instanceof",
+  "new", "return", "super", "switch", "this", "throw", "try", "typeof", "var", "void", "while",
+  "with", "yield", "enum", "await", "implements", "interface", "let", "package", "private",
+  "protected", "public", "static", "null", "true", "false",
+  "__proto__", "constructor", "prototype",
+]);
+
+/**
+ * Assert that `name` is safe to interpolate verbatim into generated source code
+ * (class names, function names, type names, require/import specifiers, file names).
+ *
+ * This is the primary defense against code-injection and path-traversal
+ * via attacker-controlled ABI / artifact `name` fields: only strict JS/TS
+ * identifiers are allowed, which by construction cannot contain quotes, newlines,
+ * path separators, `..`, or other breakout characters.
+ *
+ * @param {any} name
+ * @param {string=} kind  Human-readable description for error messages.
+ * @returns {string} the validated name
+ */
+function _assertSafeIdentifier(name, kind) {
+  const label = kind || "identifier";
+  if (typeof name !== "string" || !/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) {
+    throw new Error(`Unsafe ${label} for code generation: ${JSON.stringify(name)}`);
+  }
+  if (_RESERVED_IDENTIFIERS.has(name)) {
+    throw new Error(`${label} must not be a reserved word: ${JSON.stringify(name)}`);
+  }
+  return name;
+}
+
+/**
+ * Coerce an arbitrary string (e.g. a struct name derived from an attacker-controlled
+ * `internalType`) into a safe type identifier. Unlike `_assertSafeIdentifier` this
+ * never throws; it sanitizes so auto-generated type names always remain valid.
+ * @param {any} s
+ * @returns {string}
+ */
+function _safeTypeIdent(s) {
+  let v = String(s == null ? "" : s).replace(/[^A-Za-z0-9_$]/g, "_");
+  if (!/^[A-Za-z_$]/.test(v)) v = "_" + v;
+  return v || "_Tuple";
+}
+
+/**
+ * Validate every rendered function name in an ABI. Only `function` entries are
+ * emitted as method identifiers, so those are the names that must be safe.
+ * @param {any[]} abi
+ */
+function _assertSafeAbiNames(abi) {
+  for (const f of abi || []) {
+    if (f && f.type === "function" && f.name != null) {
+      _assertSafeIdentifier(f.name, "ABI function name");
+    }
+  }
+}
+
+/**
+ * Assert that `filePath` resolves to a location inside `outDir` (defense-in-depth).
+ * @param {string} outDir
+ * @param {string} filePath
+ */
+function _assertWithinDir(outDir, filePath) {
+  const root = path.resolve(outDir);
+  const resolved = path.resolve(filePath);
+  const rel = path.relative(root, resolved);
+  if (rel.startsWith("..") || path.isAbsolute(rel)) {
+    throw new Error(`Refusing to write outside output directory: ${resolved}`);
+  }
+}
+
 function _findConstructor(abi) {
   const ctor = abi.find((f) => f && f.type === "constructor");
   return ctor || { type: "constructor", inputs: [] };
@@ -508,7 +596,7 @@ function _renderContractTs({ contractName, abi, bytecode, docs }) {
     for (const line of docs.contract.split(/\r?\n/g)) {
       const t = line.trim();
       if (!t) continue;
-      contractTsLines.push(` * ${t}`);
+      contractTsLines.push(` * ${_escapeComment(t)}`);
     }
   }
   contractTsLines.push(` */`);
@@ -539,7 +627,12 @@ function _renderContractTs({ contractName, abi, bytecode, docs }) {
         `      ${name}: async (${argsSig}${argsSig ? ", " : ""}overrides?: any): Promise<import("quantumcoin").TransactionRequest> => {`,
       );
       contractTsLines.push(`        const data = this.interface.encodeFunctionData(${JSON.stringify(name)}, [${argsNames}]);`);
-      contractTsLines.push(`        return { to: this.address, data, ...(overrides || {}) };`);
+      // Drop attacker-controllable to/data/from; protected fields win.
+      contractTsLines.push(`        const safeOverrides: any = {};`);
+      contractTsLines.push(
+        `        for (const k of ["value", "gasLimit", "gasPrice", "maxFeePerGas", "maxPriorityFeePerGas", "nonce", "chainId", "remarks", "signingContext"]) { if (overrides && overrides[k] !== undefined) safeOverrides[k] = overrides[k]; }`,
+      );
+      contractTsLines.push(`        return { ...safeOverrides, to: this.address, data };`);
       contractTsLines.push(`      },`);
     }
     contractTsLines.push(`    } as any;`);
@@ -576,7 +669,7 @@ function _renderContractTs({ contractName, abi, bytecode, docs }) {
       for (const line of fnDoc.split(/\r?\n/g)) {
         const t = line.trim();
         if (!t) continue;
-        contractTsLines.push(`   * ${t}`);
+        contractTsLines.push(`   * ${_escapeComment(t)}`);
       }
     }
     contractTsLines.push(`   */`);
@@ -628,7 +721,7 @@ function _renderContractJs({ contractName, abi, bytecode, docs }) {
     for (const line of docs.contract.split(/\r?\n/g)) {
       const t = line.trim();
       if (!t) continue;
-      lines.push(` * ${t}`);
+      lines.push(` * ${_escapeComment(t)}`);
     }
   }
   lines.push(" */");
@@ -654,7 +747,12 @@ function _renderContractJs({ contractName, abi, bytecode, docs }) {
       const argsSig = inputs.map((p, i) => _safeIdent(p.name || `arg${i}`)).join(", ");
       lines.push(`      ${name}: async (${argsSig}${argsSig ? ", " : ""}overrides) => {`);
       lines.push(`        const data = this.interface.encodeFunctionData(${JSON.stringify(name)}, [${argsNames}]);`);
-      lines.push(`        return { to: this.address, data, ...(overrides || {}) };`);
+      // Drop attacker-controllable to/data/from; protected fields win.
+      lines.push(`        const safeOverrides = {};`);
+      lines.push(
+        `        for (const k of ["value", "gasLimit", "gasPrice", "maxFeePerGas", "maxPriorityFeePerGas", "nonce", "chainId", "remarks", "signingContext"]) { if (overrides && overrides[k] !== undefined) safeOverrides[k] = overrides[k]; }`,
+      );
+      lines.push(`        return { ...safeOverrides, to: this.address, data };`);
       lines.push("      },");
     }
     lines.push("    };");
@@ -679,7 +777,7 @@ function _renderContractJs({ contractName, abi, bytecode, docs }) {
       for (const line of fnDoc.split(/\r?\n/g)) {
         const t = line.trim();
         if (!t) continue;
-        lines.push(`   * ${t}`);
+        lines.push(`   * ${_escapeComment(t)}`);
       }
     }
     for (const p of inputs) {
@@ -843,7 +941,13 @@ function _renderFactoryTs({ contractName, abi }) {
   factoryTsLines.push(`    try { nonce = await provider.getTransactionCount(from, "pending"); } catch { nonce = await provider.getTransactionCount(from, "latest"); }`);
   factoryTsLines.push(`    const address = getCreateAddress({ from, nonce });`);
   factoryTsLines.push(`    const txReq: any = this.getDeployTransaction(${deployArgsNames});`);
-  factoryTsLines.push(`    const tx = await signer.sendTransaction({ ...txReq, ...(overrides || {}), nonce });`);
+  // Only allow-listed override fields may reach the signer; protected fields
+  // (to/data from txReq, and the computed nonce) always win.
+  factoryTsLines.push(`    const safeOverrides: any = {};`);
+  factoryTsLines.push(
+    `    for (const k of ["value", "gasLimit", "gasPrice", "maxFeePerGas", "maxPriorityFeePerGas", "remarks", "signingContext"]) { if (overrides && overrides[k] !== undefined) safeOverrides[k] = overrides[k]; }`,
+  );
+  factoryTsLines.push(`    const tx = await signer.sendTransaction({ ...txReq, ...safeOverrides, nonce });`);
   factoryTsLines.push(`    return new ${contractName}(address, signer as any, tx as any);`);
   factoryTsLines.push(`  }`);
   factoryTsLines.push(``);
@@ -882,7 +986,13 @@ function _renderFactoryJs({ contractName, abi }) {
   lines.push(`    try { nonce = await provider.getTransactionCount(from, "pending"); } catch { nonce = await provider.getTransactionCount(from, "latest"); }`);
   lines.push(`    const address = getCreateAddress({ from, nonce });`);
   lines.push(`    const txReq = this.getDeployTransaction(${deployArgsNames});`);
-  lines.push(`    const tx = await signer.sendTransaction({ ...txReq, ...(overrides || {}), nonce });`);
+  // Only allow-listed override fields may reach the signer; protected fields
+  // (to/data from txReq, and the computed nonce) always win.
+  lines.push(`    const safeOverrides = {};`);
+  lines.push(
+    `    for (const k of ["value", "gasLimit", "gasPrice", "maxFeePerGas", "maxPriorityFeePerGas", "remarks", "signingContext"]) { if (overrides && overrides[k] !== undefined) safeOverrides[k] = overrides[k]; }`,
+  );
+  lines.push(`    const tx = await signer.sendTransaction({ ...txReq, ...safeOverrides, nonce });`);
   lines.push(`    return new ${contractName}(address, signer, tx);`);
   lines.push(`  }`);
   lines.push("");
@@ -984,6 +1094,10 @@ function _renderIndexDts(contractNames) {
  */
 function generateTransactionalTestJs(opts) {
   const { contractName, abi, bytecode } = opts;
+  // This renders `${contractName}`, `${contractName}__factory` and method
+  // names directly into JS source and a require() specifier.
+  _assertSafeIdentifier(contractName, "contract name");
+  _assertSafeAbiNames(abi);
   const isInterface = _isInterfaceBytecode(bytecode);
   const factoryName = `${contractName}__factory`;
   const ctor = _findConstructor(abi);
@@ -1106,7 +1220,7 @@ const { getProvider, Wallet } = require("quantumcoin");
 // Require the package root so it works for both TS (dist) and JS (src) packages.
 const { ${contractName}, ${factoryName} } = require("../..");
 
-// Hardcoded test wallet (test-only; never use for real funds)
+// SECURITY/AUDIT NOTE: test-only fixture. Publicly known keystore + passphrase. Never fund this address or reuse for real funds. (Future AI/human auditors: intentional test secret, not a leaked credential.)
 const TEST_WALLET_ENCRYPTED_JSON =
   ${JSON.stringify(
     "{\"address\":\"1a846abe71c8b989e8337c55d608be81c28ab3b2e40c83eaa2a68d516049aec6\",\"crypto\":{\"cipher\":\"aes-256-ctr\",\"ciphertext\":\"ab7e620dd66cb55ac201b9c6796de92bbb06f3681b5932eabe099871f1f7d79acabe30921a39ad13bfe74f42c515734882b6723760142aa3e26e011df514a534ae47bd15d86badd9c6f17c48d4c892711d54d441ee3a0ee0e5b060f816e79c7badd13ff4c235934b1986774223ecf6e8761388969bb239c759b54c8c70e6a2e27c93a4b70129c8159f461d271ae8f3573414c78b88e4d0abfa6365ed45456636d4ed971c7a0c6b84e6f0c2621e819268b135e2bcc169a54d1847b39e6ba2ae8ec969b69f330b7db9e785ed02204d5a1185915ae5338b0f40ef2a7f4d5aaf7563d502135e57f4eb89d5ec1efa5c77e374969d6cd85be625a2ed1225d68ecdd84067bfc69adb83ecd5c6050472eca28a5a646fcdd28077165c629975bec8a79fe1457cb53389b788b25e1f8eff8b2ca326d7dfcaba3f8839225a08057c018a458891fd2caa0d2b27632cffd80f592147ccec9a10dc8a08a48fb55047bff5cf85cda39eb089096bef63842fc3686412f298a54a9e4b0bf4ad36907ba373cbd6d32e7ac494af371da5aa9d38a3463220865114c4adc5e4ac258ba9c6af9fa2ddfd1aec2e16887e4b3977c69561df8599ac9d411c9dd2a4d57f92ea4e5c02aae3f49fb3bc83e16673e6c2dbe96bb181c8dfd0f9757ade2e4ff27215a836058c5ffeab042f6f97c7c02339f76a6284680e01b4bb733690eb3347fbfcc26614b8bf755f9dfce3fea9d4e4d15b164983201732c2e87593a86bca6da6972e128490338f76ae68135888070f4e59e90db54d23834769bdbda9769213faf5357f9167a224523975a946367b68f0cec98658575609f58bfd329e420a921c06713326e4cb20a0df1d77f37e78a320a637a96c604ca3fa89e24beb42313751b8f09b14f9c14c77e4fd13fc6382505d27c771bca0d821ec7c3765acffa99d83c50140a56b0b28101c762bd682fe55cb6f23cbeb3f421d7b36021010e45ac27160dd7ead99c864a1b550c7edb1246950fe32dcc049799f9085287f0a747a6ef7a023df46a23a22f3e833bbf8d404f84344870492658256ee1dfc40fda33bb8d48fc72d4520ba9fc820c9123104a045206809037709f2a5f6723fa77d6bac5a573823d4ec3a7f1cb786a52ee2697e622e5d75962fa554d1024a6c355e21f33a63b2b72e6c4742a8b1c373aa532b40518c38c90b5373c2eb8c9d7be2a9e16047a3ee09dc9a6849deac5183ace6cfe91a9bef2ffc0a7df6ccebfd4c858c84b0e0355650d7466971e66f1e3883013e5ad1be33199b1d110b79070ac1b745ccb14cf63a08f8cca3a21c9525e626ff5f0c34746e10750fb742ad51f11f2acae3676c2111853d7250d01b77821a6ba9e04400ba2c543ca9f2d701ae6f47bfad14ffe3039ee9e71f7b2401359ade9938750ddb9c5a8b018a7929ed8d0e717ff1861446ce17535e9b17c187711190aae3388bd9490837a636c25ed4d42d7079ad1a51e13292c683d5d012abcf46965c534b83ab53f2c1f0cf5830ef7582e06863a33c19a70511df632885d63245965047ea96b56f1af5b3b94a54999f784fb9574fdfcd7c1230e07a2aaa04acd3097b2b9f8ddba05ae9734491deb5c1a513c76ed276cb78bbf4839dae3156d76af444a5805129d5df791167a9c8576a1d7f760b2d2797c4658669608706fbd0ace1be2346f74862dfc9ef518e55632e43c043186e5d070deb34d12fb9e5aba84e5cb50213dc88efd39cc35bf42455aa82d5e3b707b3140be3b8623b34fdd81d08615c188ae8438a13881fdf6bf32f2cb9ff5fa625561040c6b71d4b8eccc90bc3b99650d28dd1ee63773e49664e3d48c484996b290943635a6f2eb1ce9796d3fa144a3f00ef82faaa32d6a413668f7b521517cb68b2b017fcf56c79326fa5e4060e643631ca3f0a0dc0ed718798b6f46b130d437c33f64039e887324b6f5e604b1669d613923794edbf04b1b3caea54793b52b44b170173a4f25c7ecef3b71e2aad76e556b1cb9f1d637ec52ececfa950dd31dbb6a60828a3ad34c1beffe09eb4785786d63bad10a0b0f66ea88c57380f38ea85f018dbd7f538cf1ee7624095b9a01ec5edd528f281168af020609e651ff316aa1320a710134ddfca600cc72174dcdb846d2aa29916488aa1b537b66da92e61af526debef4eb38c984569eaf549ff2129449269b492d030cd74d885f6f5785881cc4804b4a8a09ba4ff7aefe9074ac7d0c4f05d51fe4cc0ff7388a772092b9d02d70e5433a5cf3e02f46a6bd6b818d59a07ce3b9fbbf8b5faba74563bcc5240930c2d406c9aaee3e3ce0429bf68ac2b0a57adb09414cff50817d2a48fb9fa624ab863cb0c31a8b8dc5eaf6fa68cc1d7c6c685c5a33edd5c8933b9e8ab628ee428d0743699b2ff17f25586c7ce959280bb0b8c5342251f0a30b53dbc7bf1ee426ac9619c3560f811f2268ee37f189794e2e4b3db3a2fb2e34b649e504fb467438abfd1082619cc4a0b30d66beb831077812e418d2e2148db10cf4d4a29101ca52ec445b8d83519dd7de85a98e0beae9ee537096d3f1a55a7a80cdfa93d25f07c9f98e8af18cde19ec1f99c5dd4588b717a5039ddb7f177717caf0d0fd45420a70dbd6d3146890d9e450d5224146db4c33b779e3c3a04b976c052bad042ac57dd38be45407808c0fb0d7e2a8819e6cd53c6739e6612996ddaa6f066552590aa0343bc1e62b298ff2514a0cef8be21956c2e942816f7a3a3a0935eaf9b37251409ce444c986c3817e82835555fe18239f3ae33469d7965c2bde9991fde556bd07af01df52bbde0c35bb4ef48e3b5d0db53f8ca4ed35b83f760f0a1bc4ed9f86e85d6039a17df373c85402ef956f01db00eb39c4b74bd0660d29ee746714d9780d738e05c6cca414ce3d7b40dda8036a9eea9ab1388805f913eb19bdd3f09d9e161eaa50231bd9caba61971f194332dd28c696a60458c1c6c2cc5da8b1192611c7c553e9e12fe48ce46bbb891be8bb118721c86222e671ddd1da8f0ccb2b68e02f2014b4925e904e88369aaf7466bd7033a60c265d45955944916ecbdb84bf1b522b01b0149c632e04c568a7eb627c5bb90ece052ebcf79166c28b30d23fe52da0a5ab5dea83ca479a3e3b7a9cfbbfea04dbe6137c19d067317c2ec427a8c75a6b06bec6dcd5d5c0edc9aa80b9003b8e17c088b2f3db327d3e42630d82d20120240c3ba56232280787da4aabbf5bc95a864029f00710e195f2a76460a0317d10b552fe1bea097e41d49756c680a41d6ac186e62169b6b6cd7776ea84618b5b752328a5bacaa10aa122ff9b2698b43efe73d852a899db644863c8c9bc8068ea86ea843fd6fe36272b91cdc5d5317083ef3fd1e5462a0b0d0604dc57b3bbfceb0fca4cd349625dd7b25166af30efe5ee6a0af953a74d65f4736c59918ee55a3b0d9d9d42e04c7f8a77e479109f740e20c464d5d7e3d16805f47b61f403ff7f408c9e850d9baacd8067e544536a4953480b0f9ee9cd45f41ebd67b51f78788a6470cb1e5ca72ca346ce8a50d0ca0c921d5576a4455a1afb6d0bc688004712ee122cacdb29c51e84893324c27fa4a3f1917edf5352272b4c97579a6152e4b77663d0ab532915f2eeb6a862de8b696452321b660c3f2449673d086e95a7af28845a5259b763e0fcd09f72acf7b6c811066263060e5aa5b24658e880a01fd56bda4dad5ab604e129290f7d5489728f2a40968c6168b21cebbbcd11727cc9e9160c4e92e04387d3b0d62aab06a61f26daedd9fed11816ef2180172a47f47184ac4032b88758c98a2e0fb200f70e93ba695f5ebb7a1029610ad360d3b7fa1b4640b9dc674d3625eef786da93dff19bc7991b5d6193a3896664763fde479b5dfc04812111a80782854f2cf68ca7d82765cc9eb40fba4b44640710ed6e653abf9f07b466333f4fd22784d53cf40e17120f42caa841eaa24056b237827b0f47f7257c103c35027e9f503e5acfd023e7357b600d3084d361d5ee65ba319b45c153212a54e6fed85af7e43e0a926ebcbc2edf8de7e2ec9528f00bec262ad04d5c9dafccaea06a24748d28bf1799bae0e895543084539c50b5aaa4fb50d7431d6f0c8cee2a54aaf7ee7919b55bf40adb688632e5dbe273cea09e97b19c3d8e1f4de000deb66fa1942ad03a62d3252f51992244366c156000b49c297167a6cbdedea7ebae139d295f0ad298e0864249b905b7eb812886ec70ecdb286702274b5b8574149bf3866f9e46b997ff5ed622b169a0eb071347f18d530db1663906a28f4544ee4e004ab87b65476af30ede118052ff052b8dc986ca2c93dd5d4943266a579c7698ea014f688b3e8063a107feb162d392e2177b01bff77fb5abe5feebd0607158049a5a093325b7c9ee6b4dfa7a9f65c7c2fb628920d3603a1c2dad979eaa047cd661a268af1078c9788d720e64e4ce9d12e68de1e417ef2f293323681e1071f9220e1ee43d2e29d111b870ce3439f5100ecd4551ab65ee74aa1667e564957e9bc0ae1ea193980da2a0ec2698073388c85bec25ef447f0d5e93a5203fa44dff268e5cb799ed3b66e63d5e07b487e7534f24934c73a62a243e0151843a0fd3807711a101eaa7fc71f0ba68aebb9534d57cba41b094eebfb4c31cca8eddfa426f676aa347be8a7023a4e91ddb154b35cd4d5f7dbc2e5db491de99f33fc2cff2d57029ac950e1ccd681980af6a4e8969dfe39b3c7bfcbcf8fac92f1e6ec9fe572bfa6a7d65860eab2ed10ac01a71290b52e3148e84b7376a8605cd2bb0e8681ffc54691ce087685e33921bd44d36c78291713dce17569570f62137e6904f0d68cf53aa2ec395c389a75141f08114fb293ea63950e4ffee55ec6fc83cf44876b8e7f25cdd393ff87b9eda6eb746085b61a6900de191f0ce2cb388d61ece52e78bc47368194e8e00277e0d1631e6b9d4626ef76f8522582ccd5a40be3febc699bb510acc6271d55ff0f4cf3bb7669855a72efd9ca3e1056a2fe592a5bc877cce2b1f63b58383971da87873d2d1349cf5881242cdce4e7e2c5c514755746a0e0a7c2a6d9701cde005ae3420beb17c379a3516662253554f51f0423bb1844b0b90c54ed8177ceb0e1036a6609d836e748ca06c40ca64befadc6443ec286a0ce464678e8d11eb455f7bb305acebf6cb1f50e394a9bfeb752df1687831bac9cdd811f4f112ef6658d0f8799a866374ff96c5e2b79f30e7a74f8a2bc9ed1f88f01f30e30cb78ffb2bff10108f35e910ee3be4463e9e6f0ed910e8d598326e71dfa2277ffe5579d7fe9b6018bfe295b25219eae07b3b0270665c3fa00c3e0d180812b5cd62925585de84a7c48a9a86dba96544a251654d1966e082432dc85b6149cf21e91a46020ec32b66d28ba3b6a90c0617bc6fdd55aea819af2bcf84864ad60c28fe3c9f8339d0aee68b39d97f63b6e082835d86119cf9b9fdc8b827c847ce40aa10e1577a710132316845e825345e95bdf94d0c66ec65a6c4319fce4792313663b5f7a651a6710783e6ab71608ac6cbbf3af6911adf596ccf7c172b9bd5bceb6db379967b32b143bdd11d2ee12ddf64ecef6391e0f8570e6cddd3db95204919362b89b739fa94e7c1bfde799fd5e22aa25ca6ca42e30c08e23aae2385d99ebab441072a880dcefdab74a4c9bd39d363f6d1933d59400fca161d432aa00f23b1b1c19a154be8989699d549b66d44e39896f5523443bc6ddf4a65e91f1f3fb7b52318869a05856a4fc92f3694c81ed833c972fb918f7e5\",\"cipherparams\":{\"iv\":\"8c46d6162cd4c765759aedcbce2a5874\"},\"kdf\":\"scrypt\",\"kdfparams\":{\"dklen\":32,\"n\":262144,\"p\":1,\"r\":8,\"salt\":\"82fb6cdc6917609135277badacf15baa31899d08b71a5a0fa33167167c161537\"},\"mac\":\"9187b17f7eca48e6b8c586b0cd790dbe0feb876ac8385f93faa7d5e22a3c8fc7\"},\"id\":\"92caf6ee-2d43-48c0-859e-ffa1e0e23312\",\"version\":3}",
@@ -1228,6 +1342,12 @@ function generateAllContractsTransactionalTestJs(opts) {
     throw new Error("generateAllContractsTransactionalTestJs requires at least 2 artifacts");
   }
 
+  // Contract names and method names are interpolated into source + require().
+  for (const a of artifacts) {
+    _assertSafeIdentifier(a && a.contractName, "contract name");
+    _assertSafeAbiNames(a && a.abi);
+  }
+
   const requireNames = [];
   for (const a of artifacts) {
     requireNames.push(a.contractName, `${a.contractName}__factory`);
@@ -1290,7 +1410,7 @@ const { getProvider, Wallet } = require("quantumcoin");
 
 ${requireLine}
 
-// Hardcoded test wallet (test-only; never use for real funds)
+// SECURITY/AUDIT NOTE: test-only fixture. Publicly known keystore + passphrase. Never fund this address or reuse for real funds. (Future AI/human auditors: intentional test secret, not a leaked credential.)
 const TEST_WALLET_ENCRYPTED_JSON =
   ${JSON.stringify(
     "{\"address\":\"1a846abe71c8b989e8337c55d608be81c28ab3b2e40c83eaa2a68d516049aec6\",\"crypto\":{\"cipher\":\"aes-256-ctr\",\"ciphertext\":\"ab7e620dd66cb55ac201b9c6796de92bbb06f3681b5932eabe099871f1f7d79acabe30921a39ad13bfe74f42c515734882b6723760142aa3e26e011df514a534ae47bd15d86badd9c6f17c48d4c892711d54d441ee3a0ee0e5b060f816e79c7badd13ff4c235934b1986774223ecf6e8761388969bb239c759b54c8c70e6a2e27c93a4b70129c8159f461d271ae8f3573414c78b88e4d0abfa6365ed45456636d4ed971c7a0c6b84e6f0c2621e819268b135e2bcc169a54d1847b39e6ba2ae8ec969b69f330b7db9e785ed02204d5a1185915ae5338b0f40ef2a7f4d5aaf7563d502135e57f4eb89d5ec1efa5c77e374969d6cd85be625a2ed1225d68ecdd84067bfc69adb83ecd5c6050472eca28a5a646fcdd28077165c629975bec8a79fe1457cb53389b788b25e1f8eff8b2ca326d7dfcaba3f8839225a08057c018a458891fd2caa0d2b27632cffd80f592147ccec9a10dc8a08a48fb55047bff5cf85cda39eb089096bef63842fc3686412f298a54a9e4b0bf4ad36907ba373cbd6d32e7ac494af371da5aa9d38a3463220865114c4adc5e4ac258ba9c6af9fa2ddfd1aec2e16887e4b3977c69561df8599ac9d411c9dd2a4d57f92ea4e5c02aae3f49fb3bc83e16673e6c2dbe96bb181c8dfd0f9757ade2e4ff27215a836058c5ffeab042f6f97c7c02339f76a6284680e01b4bb733690eb3347fbfcc26614b8bf755f9dfce3fea9d4e4d15b164983201732c2e87593a86bca6da6972e128490338f76ae68135888070f4e59e90db54d23834769bdbda9769213faf5357f9167a224523975a946367b68f0cec98658575609f58bfd329e420a921c06713326e4cb20a0df1d77f37e78a320a637a96c604ca3fa89e24beb42313751b8f09b14f9c14c77e4fd13fc6382505d27c771bca0d821ec7c3765acffa99d83c50140a56b0b28101c762bd682fe55cb6f23cbeb3f421d7b36021010e45ac27160dd7ead99c864a1b550c7edb1246950fe32dcc049799f9085287f0a747a6ef7a023df46a23a22f3e833bbf8d404f84344870492658256ee1dfc40fda33bb8d48fc72d4520ba9fc820c9123104a045206809037709f2a5f6723fa77d6bac5a573823d4ec3a7f1cb786a52ee2697e622e5d75962fa554d1024a6c355e21f33a63b2b72e6c4742a8b1c373aa532b40518c38c90b5373c2eb8c9d7be2a9e16047a3ee09dc9a6849deac5183ace6cfe91a9bef2ffc0a7df6ccebfd4c858c84b0e0355650d7466971e66f1e3883013e5ad1be33199b1d110b79070ac1b745ccb14cf63a08f8cca3a21c9525e626ff5f0c34746e10750fb742ad51f11f2acae3676c2111853d7250d01b77821a6ba9e04400ba2c543ca9f2d701ae6f47bfad14ffe3039ee9e71f7b2401359ade9938750ddb9c5a8b018a7929ed8d0e717ff1861446ce17535e9b17c187711190aae3388bd9490837a636c25ed4d42d7079ad1a51e13292c683d5d012abcf46965c534b83ab53f2c1f0cf5830ef7582e06863a33c19a70511df632885d63245965047ea96b56f1af5b3b94a54999f784fb9574fdfcd7c1230e07a2aaa04acd3097b2b9f8ddba05ae9734491deb5c1a513c76ed276cb78bbf4839dae3156d76af444a5805129d5df791167a9c8576a1d7f760b2d2797c4658669608706fbd0ace1be2346f74862dfc9ef518e55632e43c043186e5d070deb34d12fb9e5aba84e5cb50213dc88efd39cc35bf42455aa82d5e3b707b3140be3b8623b34fdd81d08615c188ae8438a13881fdf6bf32f2cb9ff5fa625561040c6b71d4b8eccc90bc3b99650d28dd1ee63773e49664e3d48c484996b290943635a6f2eb1ce9796d3fa144a3f00ef82faaa32d6a413668f7b521517cb68b2b017fcf56c79326fa5e4060e643631ca3f0a0dc0ed718798b6f46b130d437c33f64039e887324b6f5e604b1669d613923794edbf04b1b3caea54793b52b44b170173a4f25c7ecef3b71e2aad76e556b1cb9f1d637ec52ececfa950dd31dbb6a60828a3ad34c1beffe09eb4785786d63bad10a0b0f66ea88c57380f38ea85f018dbd7f538cf1ee7624095b9a01ec5edd528f281168af020609e651ff316aa1320a710134ddfca600cc72174dcdb846d2aa29916488aa1b537b66da92e61af526debef4eb38c984569eaf549ff2129449269b492d030cd74d885f6f5785881cc4804b4a8a09ba4ff7aefe9074ac7d0c4f05d51fe4cc0ff7388a772092b9d02d70e5433a5cf3e02f46a6bd6b818d59a07ce3b9fbbf8b5faba74563bcc5240930c2d406c9aaee3e3ce0429bf68ac2b0a57adb09414cff50817d2a48fb9fa624ab863cb0c31a8b8dc5eaf6fa68cc1d7c6c685c5a33edd5c8933b9e8ab628ee428d0743699b2ff17f25586c7ce959280bb0b8c5342251f0a30b53dbc7bf1ee426ac9619c3560f811f2268ee37f189794e2e4b3db3a2fb2e34b649e504fb467438abfd1082619cc4a0b30d66beb831077812e418d2e2148db10cf4d4a29101ca52ec445b8d83519dd7de85a98e0beae9ee537096d3f1a55a7a80cdfa93d25f07c9f98e8af18cde19ec1f99c5dd4588b717a5039ddb7f177717caf0d0fd45420a70dbd6d3146890d9e450d5224146db4c33b779e3c3a04b976c052bad042ac57dd38be45407808c0fb0d7e2a8819e6cd53c6739e6612996ddaa6f066552590aa0343bc1e62b298ff2514a0cef8be21956c2e942816f7a3a3a0935eaf9b37251409ce444c986c3817e82835555fe18239f3ae33469d7965c2bde9991fde556bd07af01df52bbde0c35bb4ef48e3b5d0db53f8ca4ed35b83f760f0a1bc4ed9f86e85d6039a17df373c85402ef956f01db00eb39c4b74bd0660d29ee746714d9780d738e05c6cca414ce3d7b40dda8036a9eea9ab1388805f913eb19bdd3f09d9e161eaa50231bd9caba61971f194332dd28c696a60458c1c6c2cc5da8b1192611c7c553e9e12fe48ce46bbb891be8bb118721c86222e671ddd1da8f0ccb2b68e02f2014b4925e904e88369aaf7466bd7033a60c265d45955944916ecbdb84bf1b522b01b0149c632e04c568a7eb627c5bb90ece052ebcf79166c28b30d23fe52da0a5ab5dea83ca479a3e3b7a9cfbbfea04dbe6137c19d067317c2ec427a8c75a6b06bec6dcd5d5c0edc9aa80b9003b8e17c088b2f3db327d3e42630d82d20120240c3ba56232280787da4aabbf5bc95a864029f00710e195f2a76460a0317d10b552fe1bea097e41d49756c680a41d6ac186e62169b6b6cd7776ea84618b5b752328a5bacaa10aa122ff9b2698b43efe73d852a899db644863c8c9bc8068ea86ea843fd6fe36272b91cdc5d5317083ef3fd1e5462a0b0d0604dc57b3bbfceb0fca4cd349625dd7b25166af30efe5ee6a0af953a74d65f4736c59918ee55a3b0d9d9d42e04c7f8a77e479109f740e20c464d5d7e3d16805f47b61f403ff7f408c9e850d9baacd8067e544536a4953480b0f9ee9cd45f41ebd67b51f78788a6470cb1e5ca72ca346ce8a50d0ca0c921d5576a4455a1afb6d0bc688004712ee122cacdb29c51e84893324c27fa4a3f1917edf5352272b4c97579a6152e4b77663d0ab532915f2eeb6a862de8b696452321b660c3f2449673d086e95a7af28845a5259b763e0fcd09f72acf7b6c811066263060e5aa5b24658e880a01fd56bda4dad5ab604e129290f7d5489728f2a40968c6168b21cebbbcd11727cc9e9160c4e92e04387d3b0d62aab06a61f26daedd9fed11816ef2180172a47f47184ac4032b88758c98a2e0fb200f70e93ba695f5ebb7a1029610ad360d3b7fa1b4640b9dc674d3625eef786da93dff19bc7991b5d6193a3896664763fde479b5dfc04812111a80782854f2cf68ca7d82765cc9eb40fba4b44640710ed6e653abf9f07b466333f4fd22784d53cf40e17120f42caa841eaa24056b237827b0f47f7257c103c35027e9f503e5acfd023e7357b600d3084d361d5ee65ba319b45c153212a54e6fed85af7e43e0a926ebcbc2edf8de7e2ec9528f00bec262ad04d5c9dafccaea06a24748d28bf1799bae0e895543084539c50b5aaa4fb50d7431d6f0c8cee2a54aaf7ee7919b55bf40adb688632e5dbe273cea09e97b19c3d8e1f4de000deb66fa1942ad03a62d3252f51992244366c156000b49c297167a6cbdedea7ebae139d295f0ad298e0864249b905b7eb812886ec70ecdb286702274b5b8574149bf3866f9e46b997ff5ed622b169a0eb071347f18d530db1663906a28f4544ee4e004ab87b65476af30ede118052ff052b8dc986ca2c93dd5d4943266a579c7698ea014f688b3e8063a107feb162d392e2177b01bff77fb5abe5feebd0607158049a5a093325b7c9ee6b4dfa7a9f65c7c2fb628920d3603a1c2dad979eaa047cd661a268af1078c9788d720e64e4ce9d12e68de1e417ef2f293323681e1071f9220e1ee43d2e29d111b870ce3439f5100ecd4551ab65ee74aa1667e564957e9bc0ae1ea193980da2a0ec2698073388c85bec25ef447f0d5e93a5203fa44dff268e5cb799ed3b66e63d5e07b487e7534f24934c73a62a243e0151843a0fd3807711a101eaa7fc71f0ba68aebb9534d57cba41b094eebfb4c31cca8eddfa426f676aa347be8a7023a4e91ddb154b35cd4d5f7dbc2e5db491de99f33fc2cff2d57029ac950e1ccd681980af6a4e8969dfe39b3c7bfcbcf8fac92f1e6ec9fe572bfa6a7d65860eab2ed10ac01a71290b52e3148e84b7376a8605cd2bb0e8681ffc54691ce087685e33921bd44d36c78291713dce17569570f62137e6904f0d68cf53aa2ec395c389a75141f08114fb293ea63950e4ffee55ec6fc83cf44876b8e7f25cdd393ff87b9eda6eb746085b61a6900de191f0ce2cb388d61ece52e78bc47368194e8e00277e0d1631e6b9d4626ef76f8522582ccd5a40be3febc699bb510acc6271d55ff0f4cf3bb7669855a72efd9ca3e1056a2fe592a5bc877cce2b1f63b58383971da87873d2d1349cf5881242cdce4e7e2c5c514755746a0e0a7c2a6d9701cde005ae3420beb17c379a3516662253554f51f0423bb1844b0b90c54ed8177ceb0e1036a6609d836e748ca06c40ca64befadc6443ec286a0ce464678e8d11eb455f7bb305acebf6cb1f50e394a9bfeb752df1687831bac9cdd811f4f112ef6658d0f8799a866374ff96c5e2b79f30e7a74f8a2bc9ed1f88f01f30e30cb78ffb2bff10108f35e910ee3be4463e9e6f0ed910e8d598326e71dfa2277ffe5579d7fe9b6018bfe295b25219eae07b3b0270665c3fa00c3e0d180812b5cd62925585de84a7c48a9a86dba96544a251654d1966e082432dc85b6149cf21e91a46020ec32b66d28ba3b6a90c0617bc6fdd55aea819af2bcf84864ad60c28fe3c9f8339d0aee68b39d97f63b6e082835d86119cf9b9fdc8b827c847ce40aa10e1577a710132316845e825345e95bdf94d0c66ec65a6c4319fce4792313663b5f7a651a6710783e6ab71608ac6cbbf3af6911adf596ccf7c172b9bd5bceb6db379967b32b143bdd11d2ee12ddf64ecef6391e0f8570e6cddd3db95204919362b89b739fa94e7c1bfde799fd5e22aa25ca6ca42e30c08e23aae2385d99ebab441072a880dcefdab74a4c9bd39d363f6d1933d59400fca161d432aa00f23b1b1c19a154be8989699d549b66d44e39896f5523443bc6ddf4a65e91f1f3fb7b52318869a05856a4fc92f3694c81ed833c972fb918f7e5\",\"cipherparams\":{\"iv\":\"8c46d6162cd4c765759aedcbce2a5874\"},\"kdf\":\"scrypt\",\"kdfparams\":{\"dklen\":32,\"n\":262144,\"p\":1,\"r\":8,\"salt\":\"82fb6cdc6917609135277badacf15baa31899d08b71a5a0fa33167167c161537\"},\"mac\":\"9187b17f7eca48e6b8c586b0cd790dbe0feb876ac8385f93faa7d5e22a3c8fc7\"},\"id\":\"92caf6ee-2d43-48c0-859e-ffa1e0e23312\",\"version\":3}",
@@ -1349,6 +1469,13 @@ function generateFromArtifacts(opts) {
     throw new Error(`Unsupported generator lang: ${lang}`);
   }
 
+  // Reject attacker-controlled names before they are interpolated into
+  // generated source or used to build output file paths.
+  for (const a of opts.artifacts || []) {
+    _assertSafeIdentifier(a && a.contractName, "contract name");
+    _assertSafeAbiNames(a && a.abi);
+  }
+
   const contractNames = opts.artifacts.map((a) => a.contractName);
 
   const typesFile = path.join(opts.outDir, lang === "ts" ? `types.ts` : `types.js`);
@@ -1370,6 +1497,12 @@ function generateFromArtifacts(opts) {
     const contractDtsFile = lang === "js" ? path.join(opts.outDir, `${a.contractName}.d.ts`) : null;
     const factoryDtsFile = lang === "js" ? path.join(opts.outDir, `${a.contractName}__factory.d.ts`) : null;
 
+    // Defense-in-depth — even though contractName is a validated identifier,
+    // ensure no output path escapes the target directory.
+    for (const f of [contractFile, factoryFile, contractDtsFile, factoryDtsFile]) {
+      if (f) _assertWithinDir(opts.outDir, f);
+    }
+
     if (lang === "ts") {
       fs.writeFileSync(
         contractFile,
@@ -1428,5 +1561,11 @@ function generate(opts) {
   return { contractFile, factoryFile, typesFile: res.typesFile, indexFile: res.indexFile };
 }
 
-module.exports = { generate, generateFromArtifacts, generateTransactionalTestJs, generateAllContractsTransactionalTestJs };
+module.exports = {
+  generate,
+  generateFromArtifacts,
+  generateTransactionalTestJs,
+  generateAllContractsTransactionalTestJs,
+  assertSafeIdentifier: _assertSafeIdentifier,
+};
 

package/src/providers/provider.js

@@ -44,7 +44,17 @@ function _hexToBigInt(hex) {
 }
 
 function _hexToNumber(hex) {
-  return Number(_hexToBigInt(hex));
+  // RPC quantities are untrusted. Previously `Number(bigint)` silently
+  // truncated values above 2^53, corrupting blockNumber/nonce/status/indices used
+  // in confirmation math. We keep returning a `number` (no signature/type change),
+  // but fail loudly for out-of-range values instead of returning a corrupted one.
+  // Real chain values are far below MAX_SAFE_INTEGER, so honest flows are
+  // unaffected. (Returning bigint would break field types and wait() arithmetic.)
+  const bi = _hexToBigInt(hex);
+  if (bi > BigInt(Number.MAX_SAFE_INTEGER) || bi < BigInt(Number.MIN_SAFE_INTEGER)) {
+    throw makeError("RPC quantity exceeds safe integer range", "NUMERIC_FAULT", { value: bi.toString() });
+  }
+  return Number(bi);
 }
   
 /**
@@ -52,6 +62,47 @@ function _hexToNumber(hex) {
  * @param {number|string|undefined} blockTag
  * @returns {string|undefined}
  */
+/**
+ * Build a lowercase Set of allowed log addresses from a filter's `address` field
+ * (string or string[]). Returns null when no address constraint is present.
+ * @param {string|string[]|undefined|null} address
+ * @returns {Set<string>|null}
+ */
+function _normalizeAddressFilter(address) {
+  if (address == null) return null;
+  const list = Array.isArray(address) ? address : [address];
+  const set = new Set();
+  for (const a of list) {
+    if (typeof a === "string" && a.length > 0) set.add(a.toLowerCase());
+  }
+  return set.size ? set : null;
+}
+
+/**
+ * Check a log's topics against a requested topics filter (eth_getLogs
+ * semantics). Each filter position may be null (wildcard), a string (exact
+ * match), or an array of strings (any match). Used to drop logs a malicious node
+ * returns that do not actually match the requested event topic(s).
+ * @param {any[]} logTopics
+ * @param {(string|string[]|null)[]} filterTopics
+ * @returns {boolean}
+ */
+function _topicsMatch(logTopics, filterTopics) {
+  if (!Array.isArray(filterTopics)) return true;
+  const topics = Array.isArray(logTopics) ? logTopics : [];
+  for (let i = 0; i < filterTopics.length; i++) {
+    const want = filterTopics[i];
+    if (want == null) continue; // wildcard position
+    const have = typeof topics[i] === "string" ? topics[i].toLowerCase() : null;
+    if (have == null) return false;
+    const allowed = (Array.isArray(want) ? want : [want])
+      .filter((t) => typeof t === "string")
+      .map((t) => t.toLowerCase());
+    if (allowed.length && !allowed.includes(have)) return false;
+  }
+  return true;
+}
+
 function _blockTagToHex(blockTag) {
   if (blockTag === undefined || blockTag === null) return undefined;
   const s = String(blockTag).toLowerCase();
@@ -263,7 +314,23 @@ class AbstractProvider extends Provider {
   async getTransaction(txHash) {
     const tx = await this._perform("eth_getTransactionByHash", [txHash]);
     if (!tx) return null;
-    return new TransactionResponse(tx, this);
+    const result = new TransactionResponse(tx, this);
+    // Do not trust the node to return the transaction we actually asked for.
+    // When the response carries a hash, it must match the requested hash;
+    // otherwise a malicious node could substitute a different transaction.
+    if (
+      typeof txHash === "string" &&
+      typeof result.hash === "string" &&
+      result.hash.length > 0 &&
+      result.hash.toLowerCase() !== txHash.toLowerCase()
+    ) {
+      throw makeError("RPC node returned a transaction whose hash does not match the requested hash", "UNKNOWN_ERROR", {
+        operation: "getTransaction",
+        expected: txHash,
+        got: result.hash,
+      });
+    }
+    return result;
   }
 
   /**
@@ -273,7 +340,23 @@ class AbstractProvider extends Provider {
   async getTransactionReceipt(txHash) {
     const receipt = await this._perform("eth_getTransactionReceipt", [txHash]);
     if (!receipt) return null;
-    return new TransactionReceipt(receipt, this);
+    const result = new TransactionReceipt(receipt, this);
+    // The receipt must belong to the transaction we asked about. A node must
+    // not be able to confirm an unrelated/fabricated transaction (which would let
+    // wait() report success for the wrong tx).
+    if (
+      typeof txHash === "string" &&
+      typeof result.transactionHash === "string" &&
+      result.transactionHash.length > 0 &&
+      result.transactionHash.toLowerCase() !== txHash.toLowerCase()
+    ) {
+      throw makeError("RPC node returned a receipt whose hash does not match the requested hash", "UNKNOWN_ERROR", {
+        operation: "getTransactionReceipt",
+        expected: txHash,
+        got: result.transactionHash,
+      });
+    }
+    return result;
   }
 
   /**
@@ -299,15 +382,47 @@ class AbstractProvider extends Provider {
   /**
    * Broadcasts a signed transaction.
    * @param {TransactionRequest|string} tx
+   * @param {{ expectedHash?: string }=} opts Optional. When `expectedHash` is set,
+   *   the hash returned by the node (and the fetched-back transaction's hash) must
+   *   match it, otherwise an error is thrown (do not trust the RPC node to
+   *   broadcast the exact transaction that was signed).
    * @returns {Promise<TransactionResponse>}
    */
-  async sendTransaction(tx) {
+  async sendTransaction(tx, opts) {
     // For QuantumCoin.js, tx is expected to be a signed raw transaction hex string.
     const raw = typeof tx === "string" ? tx : tx?.raw;
     if (typeof raw !== "string") throw makeError("sendTransaction requires a signed raw transaction string", "INVALID_ARGUMENT", { tx });
+    const expectedHash =
+      opts && typeof opts.expectedHash === "string" && opts.expectedHash.length > 0 ? opts.expectedHash.toLowerCase() : null;
+
     const hash = await this._perform("eth_sendRawTransaction", [raw]);
+
+    // The node returns the hash it claims to have accepted. If we know the
+    // hash of the transaction we signed, reject any mismatch — a malicious or
+    // buggy node must not be able to silently substitute a different transaction.
+    if (expectedHash != null && typeof hash === "string" && hash.length > 0) {
+      if (hash.toLowerCase() !== expectedHash) {
+        throw makeError("RPC node returned a transaction hash that does not match the signed transaction", "UNKNOWN_ERROR", {
+          operation: "sendTransaction",
+          expected: expectedHash,
+          got: hash,
+        });
+      }
+    }
+
     // Fetch back transaction (best-effort)
     const result = await this.getTransaction(hash);
+
+    // Verify the fetched-back transaction's hash too, so a node cannot return
+    // a fabricated transaction object under the correct hash lookup.
+    if (result && expectedHash != null && typeof result.hash === "string" && result.hash.toLowerCase() !== expectedHash) {
+      throw makeError("RPC node returned a transaction whose hash does not match the signed transaction", "UNKNOWN_ERROR", {
+        operation: "sendTransaction",
+        expected: expectedHash,
+        got: result.hash,
+      });
+    }
+
     return result || new TransactionResponse({ hash }, this);
   }
 
@@ -376,7 +491,25 @@ class AbstractProvider extends Provider {
     if (fromBlock !== undefined) normalized.fromBlock = fromBlock;
     if (toBlock !== undefined) normalized.toBlock = toBlock;
     const logs = await this._perform("eth_getLogs", [normalized]);
-    return (logs || []).map((l) => new Log(l, this));
+    const mapped = (logs || []).map((l) => new Log(l, this));
+
+    // A malicious node could return logs emitted by contracts other than the
+    // one(s) requested. When the filter constrains the address, drop any log whose
+    // address is not in that set so foreign-contract events cannot be injected.
+    const allowed = _normalizeAddressFilter(filter.address);
+    // A malicious node could return logs for a different event (different
+    // topic0) or from foreign contracts. Drop anything that does not match the
+    // requested address and topic constraints.
+    const hasTopicFilter = Array.isArray(filter.topics) && filter.topics.some((t) => t != null);
+    if (allowed || hasTopicFilter) {
+      return mapped.filter((l) => {
+        if (!l) return false;
+        if (allowed && !(typeof l.address === "string" && allowed.has(l.address.toLowerCase()))) return false;
+        if (hasTopicFilter && !_topicsMatch(l.topics, filter.topics)) return false;
+        return true;
+      });
+    }
+    return mapped;
   }
 }
 

package/src/utils/rlp.js

@@ -103,9 +103,14 @@ function _encode(value) {
 function _readLen(bytes, offset, lenOfLen) {
   if (lenOfLen === 0) return 0;
   if (offset + lenOfLen > bytes.length) throw new Error("RLP: insufficient data for length");
+  // Canonical encoding forbids a leading zero byte in the length field.
+  if (bytes[offset] === 0) throw new Error("RLP: non-canonical length (leading zero byte)");
+  // Accumulate with multiplication (not `<< 8`, which is a signed 32-bit op
+  // that overflows/wraps for 4+ byte lengths) and reject impossibly large lengths.
   let len = 0;
   for (let i = 0; i < lenOfLen; i++) {
-    len = (len << 8) | bytes[offset + i];
+    len = len * 256 + bytes[offset + i];
+    if (len > Number.MAX_SAFE_INTEGER) throw new Error("RLP: length exceeds maximum safe integer");
   }
   return len;
 }
@@ -128,6 +133,9 @@ function _decode(bytes, start, end, depth) {
     const dataStart = start + 1;
     const dataEnd = dataStart + len;
     if (dataEnd > end) throw new Error("RLP: out of bounds");
+    // Canonical encoding requires a single byte < 0x80 to be encoded as
+    // itself, never as a 1-byte string.
+    if (len === 1 && bytes[dataStart] < 0x80) throw new Error("RLP: non-canonical single byte encoding");
     const out = bytesToHex(bytes.slice(dataStart, dataEnd));
     return { value: out, next: dataEnd };
   }
@@ -136,6 +144,8 @@ function _decode(bytes, start, end, depth) {
   if (prefix <= 0xbf) {
     const lenOfLen = prefix - 0xb7;
     const len = _readLen(bytes, start + 1, lenOfLen);
+    // Lengths <= 55 must use the short-string form.
+    if (len <= 55) throw new Error("RLP: non-canonical long string (length fits short form)");
     const dataStart = start + 1 + lenOfLen;
     const dataEnd = dataStart + len;
     if (dataEnd > end) throw new Error("RLP: out of bounds");
@@ -163,6 +173,8 @@ function _decode(bytes, start, end, depth) {
   // Long list
   const lenOfLen = prefix - 0xf7;
   const len = _readLen(bytes, start + 1, lenOfLen);
+  // Lengths <= 55 must use the short-list form.
+  if (len <= 55) throw new Error("RLP: non-canonical long list (length fits short form)");
   const dataStart = start + 1 + lenOfLen;
   const dataEnd = dataStart + len;
   if (dataEnd > end) throw new Error("RLP: out of bounds");