Skip to content

Fix/wcn 196 eddsa recipient guard #8630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
mrdanish26 wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Fix/wcn 196 eddsa recipient guard #8630

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
31cbea7
fix(sdk-core): verify recipients before signing to prevent signableHe…
mrdanish26 Apr 17, 2026
1f55399
fix(sdk-core): verify recipients before signing (ECDSA)
mrdanish26 Apr 22, 2026
5ccc429
fix(sdk-core): verify recipients before signing (EdDSA)
mrdanish26 Apr 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions modules/abstract-eth/src/abstractEthLikeNewCoins.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3109,9 +3109,16 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
txParams.prebuildTx?.consolidateId ||
txPrebuild?.consolidateId ||
(txParams.type &&
['acceleration', 'fillNonce', 'transferToken', 'tokenApproval', 'consolidate', 'bridgeFunds'].includes(
txParams.type
))
[
'acceleration',
'fillNonce',
'transferToken',
'tokenApproval',
'consolidate',
'bridgeFunds',
'enableToken',
'customTx',
].includes(txParams.type))
)
) {
throw new Error('missing txParams');
Expand Down
114 changes: 114 additions & 0 deletions modules/bitgo/test/v2/unit/internal/tssUtils/ecdsa.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -749,6 +749,7 @@ describe('TSS Ecdsa Utils:', async function () {
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
const userGpgActual = sendShareSpy.getCalls()[0].args[10] as string;
Expand All @@ -766,12 +767,125 @@ describe('TSS Ecdsa Utils:', async function () {
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
const userGpgActual = sendShareSpy.getCalls()[0].args[10] as string;
userGpgActual.should.startWith('-----BEGIN PGP PUBLIC KEY BLOCK-----');
});

it('signTxRequest should fail when txParams is missing', async function () {
await tssUtils
.signTxRequest({
txRequest,
prv: JSON.stringify({
pShare: userKeyShare.pShare,
bitgoNShare: bitgoKeyShare.nShares[1],
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
})
.should.be.rejectedWith(
'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
);
});

it('signTxRequest should fail when txParams has empty recipients', async function () {
await tssUtils
.signTxRequest({
txRequest,
prv: JSON.stringify({
pShare: userKeyShare.pShare,
bitgoNShare: bitgoKeyShare.nShares[1],
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
txParams: { recipients: [] },
})
.should.be.rejectedWith(
'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
);
});

it('signTxRequest should succeed when recipients are only in intent (smart contract interaction)', async function () {
await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
const txRequestWithIntentRecipients = {
...txRequest,
intent: {
intentType: 'contractCall',
recipients: [
{
address: { address: '0xrecipient' },
amount: { value: '1000', symbol: 'hteth' },
},
],
},
};
const signedTxRequest = await tssUtils.signTxRequest({
txRequest: txRequestWithIntentRecipients,
prv: JSON.stringify({
pShare: userKeyShare.pShare,
bitgoNShare: bitgoKeyShare.nShares[1],
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
// no txParams.recipients — should fall back to intent.recipients
});
signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
});

it('signTxRequest should succeed for no-recipient tx types (tokenApproval)', async function () {
await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
const signedTxRequest = await tssUtils.signTxRequest({
txRequest,
prv: JSON.stringify({
pShare: userKeyShare.pShare,
bitgoNShare: bitgoKeyShare.nShares[1],
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
txParams: { type: 'tokenApproval' },
});
signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
});

it('signTxRequest should succeed for no-recipient tx types (acceleration)', async function () {
await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
const signedTxRequest = await tssUtils.signTxRequest({
txRequest,
prv: JSON.stringify({
pShare: userKeyShare.pShare,
bitgoNShare: bitgoKeyShare.nShares[1],
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
txParams: { type: 'acceleration' },
});
signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
});

it('signTxRequest should prefer txParams.recipients over intent.recipients when both are present', async function () {
await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
const txRequestWithBothRecipients = {
...txRequest,
intent: {
intentType: 'contractCall',
recipients: [{ address: { address: '0xintentRecipient' }, amount: { value: '9999', symbol: 'hteth' } }],
},
};
const signedTxRequest = await tssUtils.signTxRequest({
txRequest: txRequestWithBothRecipients,
prv: JSON.stringify({
pShare: userKeyShare.pShare,
bitgoNShare: bitgoKeyShare.nShares[1],
backupNShare: backupKeyShare.nShares[1],
}),
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
});

it('signTxRequest should fail with wrong recipient', async function () {
// To generate these Hex values, we used the bitgo-ui to create a transaction and then
// used the `signableHex` and `serializedTxHex` values from the prebuild.
Expand Down
190 changes: 190 additions & 0 deletions modules/bitgo/test/v2/unit/internal/tssUtils/ecdsaMPCv2/signTxRequest.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,7 @@ describe('signTxRequest:', function () {
txRequest,
prv: userPrvBase64,
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
Expand All @@ -215,6 +216,7 @@ describe('signTxRequest:', function () {
prv: backupPrvBase64,
mpcv2PartyId: 1,
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
Expand All @@ -236,6 +238,7 @@ describe('signTxRequest:', function () {
txRequest,
prv: userPrvBase64,
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
Expand All @@ -257,6 +260,7 @@ describe('signTxRequest:', function () {
txRequest,
prv: userPrvBase64,
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
Expand All @@ -277,11 +281,197 @@ describe('signTxRequest:', function () {
txRequest,
prv: userPrvBase64,
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
})
.should.be.rejectedWith('Too many requests, slow down!');
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.false();
});

it('rejects signTxRequest when txParams is missing', async function () {
const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
await tssUtils
.signTxRequest({
txRequest,
prv: userPrvBase64,
reqId,
})
.should.be.rejectedWith(
'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
);
});

it('rejects signTxRequest when txParams has empty recipients', async function () {
const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
await tssUtils
.signTxRequest({
txRequest,
prv: userPrvBase64,
reqId,
txParams: { recipients: [] },
})
.should.be.rejectedWith(
'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
);
});

it('accepts signTxRequest when recipients are only in intent (smart contract interaction)', async function () {
const txRequestWithIntentRecipients = {
...txRequest,
intent: {
intentType: 'contractCall',
recipients: [
{
address: { address: '0xrecipient' },
amount: { value: '1000', symbol: 'hteth' },
},
],
},
};
const nockPromises = [
await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequestWithIntentRecipients, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequestWithIntentRecipients, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundThree(txRequestWithIntentRecipients),
await nockSendTxRequest(txRequestWithIntentRecipients),
];
await Promise.all(nockPromises);

const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
// Falls back to intent.recipients — guard should pass and signing should complete
await tssUtils.signTxRequest({
txRequest: txRequestWithIntentRecipients,
prv: userPrvBase64,
reqId,
// no txParams.recipients
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
nockPromises[2].isDone().should.be.true();
});

it('accepts signTxRequest for no-recipient tx types (tokenApproval)', async function () {
const nockPromises = [
await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundThree(txRequest),
await nockSendTxRequest(txRequest),
];
await Promise.all(nockPromises);

const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
// Type exemption applies — guard passes without recipients
await tssUtils.signTxRequest({
txRequest,
prv: userPrvBase64,
reqId,
txParams: { type: 'tokenApproval' },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
nockPromises[2].isDone().should.be.true();
});

it('accepts signTxRequest for no-recipient tx types (acceleration)', async function () {
const nockPromises = [
await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundThree(txRequest),
await nockSendTxRequest(txRequest),
];
await Promise.all(nockPromises);

const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
await tssUtils.signTxRequest({
txRequest,
prv: userPrvBase64,
reqId,
txParams: { type: 'acceleration' },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
nockPromises[2].isDone().should.be.true();
});

it('accepts signTxRequest for no-recipient tx types (customTx)', async function () {
const nockPromises = [
await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundThree(txRequest),
await nockSendTxRequest(txRequest),
];
await Promise.all(nockPromises);

const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
// DeFi/WalletConnect smart contract interactions have no traditional recipients
await tssUtils.signTxRequest({
txRequest,
prv: userPrvBase64,
reqId,
txParams: { type: 'customTx' },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
nockPromises[2].isDone().should.be.true();
});

it('accepts signTxRequest for no-recipient tx types (enableToken)', async function () {
const nockPromises = [
await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequest, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundThree(txRequest),
await nockSendTxRequest(txRequest),
];
await Promise.all(nockPromises);

const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
// TSS wallets do not populate recipients for token enablement — exemption must apply
await tssUtils.signTxRequest({
txRequest,
prv: userPrvBase64,
reqId,
txParams: { type: 'enableToken' },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
nockPromises[2].isDone().should.be.true();
});

it('accepts signTxRequest when txParams.recipients takes priority over intent.recipients', async function () {
const txRequestWithBothRecipients = {
...txRequest,
intent: {
intentType: 'contractCall',
recipients: [{ address: { address: '0xintentRecipient' }, amount: { value: '9999', symbol: 'hteth' } }],
},
};
const nockPromises = [
await nockTxRequestResponseSignatureShareRoundOne(bitgoParty, txRequestWithBothRecipients, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundTwo(bitgoParty, txRequestWithBothRecipients, bitgoGpgKey),
await nockTxRequestResponseSignatureShareRoundThree(txRequestWithBothRecipients),
await nockSendTxRequest(txRequestWithBothRecipients),
];
await Promise.all(nockPromises);

const userShare = fs.readFileSync(shareFiles[vector.party1]);
const userPrvBase64 = Buffer.from(userShare).toString('base64');
// txParams.recipients takes priority — guard passes and signing completes
await tssUtils.signTxRequest({
txRequest: txRequestWithBothRecipients,
prv: userPrvBase64,
reqId,
txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
});
nockPromises[0].isDone().should.be.true();
nockPromises[1].isDone().should.be.true();
nockPromises[2].isDone().should.be.true();
});
});

export function getBitGoPartyGpgKeyPrv(key: openpgp.SerializedKeyPair<string>): DklsTypes.PartyGpgKey {
Expand Down
Loading
Loading