fix(sdk-coin-xtz): verify destination and amount in verifyTransaction#9245
fix(sdk-coin-xtz): verify destination and amount in verifyTransaction#9245bitgo-ai-agent-dev[bot] wants to merge 1 commit into
Conversation
5ac3d86 to
415f972
Compare
|
@claude review this pr for potential regressions and provide verdict |
|
Claude finished @prajwalu142's task —— View job Review of PR: fix(sdk-coin-xtz): verify destination and amount in verifyTransactionTodo List:
AnalysisThe PR introduces security verification logic to the Key Changes in Implementation:
Test Coverage:
Potential Regressions Assessment✅ LOW RISK - The implementation follows a careful backward-compatibility approach:
No Breaking Changes Identified:
Security Improvements✅ SIGNIFICANT SECURITY ENHANCEMENT:
The fix addresses a critical vulnerability where a compromised prebuild service could redirect transfers while signatures validate correctly. Code Quality✅ HIGH QUALITY IMPLEMENTATION:
Verdict🟢 APPROVED - RECOMMEND MERGE This is a well-implemented security fix that:
The implementation is conservative, well-tested, and provides significant security value without breaking existing functionality. |
| threw.should.equal(true); | ||
| }); | ||
|
|
||
| it('should pass when no recipients are specified (no destination check)', async function () { |
There was a problem hiding this comment.
not really sure if the last two cases are valid, please check and confirm
415f972 to
77e948c
Compare
Previously, Xtz.verifyTransaction only checked that the recipient count was at most 1, then returned true unconditionally. This meant a compromised prebuild service could redirect an XTZ transfer to an attacker-controlled address and the local signer would still sign it. This fix decodes the transaction from txPrebuild.txHex when a single recipient is present and compares the encoded destination address and amount against txParams.recipients[0]. Any decode failure or mismatch throws, failing closed to prevent silent fund redirection. Behavior is unchanged when no recipients or no txHex are present (e.g. wallet initialization transactions), preserving backward compatibility. Ticket: CSHLD-838 Co-Authored-By: Claude <noreply@anthropic.com> Session-Id: 4815208a-ec3a-411f-a659-358c0aaa25e6 Task-Id: 0ce30aac-a75b-4b67-acca-38533b9d28f0
77e948c to
a3af4e4
Compare
What
Xtz.verifyTransactionnow decodestxPrebuild.txHexand compares the encoded destination address and transfer amount againsttxParams.recipients[0]txHexare present (wallet initialisation)Why
verifyTransactionpreviously only checked that the recipient count was ≤ 1 and returnedtrueunconditionallytxParams.recipients) matches the bytes that will actually be signed and broadcastTest plan
should verify a valid transaction where destination and amount match— passes for a matching prebuildshould reject when prebuild destination does not match requested recipient— catches address redirectionshould reject when prebuild amount does not match requested recipient— catches amount manipulationshould reject when the prebuild contains an unexpected number of outputs— catches unexpected multi-output buildsshould reject when the prebuild cannot be decoded— fail-closed on corrupt/invalid txHexshould pass when no recipients are specified— backward-compatible for wallet-init flowsshould pass when no txHex is present in the prebuild— backward-compatible for wallet-init flowsyarn run unit-test --scope @bitgo/sdk-coin-xtz)Ticket: CSHLD-838