fix(sdk-coin-stx): verify recipient and amount in native STX verifyTransaction#9244
fix(sdk-coin-stx): verify recipient and amount in native STX verifyTransaction#9244bitgo-ai-agent-dev[bot] wants to merge 1 commit into
Conversation
eac74de to
cce41e6
Compare
6d7a890 to
fcbb68f
Compare
|
@claude review this pr for potential regressions and provide verdict |
|
Claude finished @prajwalu142's task —— View job PR Review for STX verifyTransaction Security FixTasks:
Review SummaryThis PR addresses a critical security vulnerability in the STX ✅ VERDICT: APPROVEThis PR should be merged - it fixes a high-severity security issue without introducing regressions. Detailed AnalysisSecurity Fix QualityExcellent - The implementation properly validates:
Implementation AssessmentCode Quality: Good
Dependencies: Safe
Test CoverageComprehensive - 8 new tests cover:
Regression AnalysisNo Breaking Changes Detected:
Performance ImpactMinimal - One additional Minor Observations
This security fix is essential and ready for production deployment. |
| } | ||
| const explainedTx = await this.explainTransaction({ txHex: rawTx, feeInfo: { fee: '' } }); | ||
| if (txParams.recipients !== undefined && explainedTx) { | ||
| const filteredRecipients = txParams.recipients.map((recipient) => { |
There was a problem hiding this comment.
This doesn't support multiple recipients, we can remove the logic of looping over recipients
| See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. | ||
|
|
||
| ## [4.0.1](https://github.com/BitGo/BitGoJS/compare/@bitgo/sdk-coin-stx@4.0.0...@bitgo/sdk-coin-stx@4.0.1) (2026-07-09) | ||
|
|
a575d5d to
9dff461
Compare
…ansaction Previously, Stx.verifyTransaction was a near no-op: it only checked that the recipient count was <= 1. A compromised prebuild could redirect native STX sends to any address or alter the amount, and local verification would still pass. Port the decode-and-compare pattern from Sip10Token.verifyTransaction into Stx.verifyTransaction, adapted for single-recipient STX. The new implementation decodes the prebuild txHex via explainTransaction and directly compares the single decoded output's address and amount against txParams.recipients[0], then validates the memo. No iteration needed since STX enforces a single-recipient constraint at the top of the method. This closes the gap where the SIP10 token path already had full recipient validation but native STX did not. Ticket: CSHLD-839 Session-Id: 7de30368-fc1b-4b09-9d2e-55be78e462dc Task-Id: 2203e736-35f2-4e2f-8cde-6cdbd0d3e2b6
9dff461 to
aea2d73
Compare
What
Stx.verifyTransactionpreviously returnedtrueafter checking only that the recipient count was ≤ 1 — no address or amount comparison was performed.Sip10Token.verifyTransaction:txHexviaexplainTransactiontxParams.recipientstxParams.memoor embedded in recipient address) against the decoded transaction memogetMemoIdAndBaseAddressFromAddressimport from existing utilslodashimport (already a listed dependency) for_.isEqualWhy
verifyTransactionwould still returntruewithout detecting the mismatch.Test plan
cd modules/sdk-coin-stx && mocha)truetxHexin prebuild throws an errorsdk-coin-stxwith no new errorsTicket: CSHLD-839