Merge pull request #8875 from BitGo/T1-3418

feat(sdk-core,abstract-utxo): add qr param and client-side output val…

Author: davidkaplanbitgo

modules/abstract-lightning/package.json

@@ -39,7 +39,7 @@
     ]
   },
   "dependencies": {
-    "@bitgo/public-types": "6.21.0",
+    "@bitgo/public-types": "6.22.0",
     "@bitgo/sdk-core": "^37.3.0",
     "@bitgo/statics": "^58.43.0",
     "@bitgo/utxo-lib": "^11.22.1",

modules/abstract-utxo/src/abstractUtxoCoin.ts

@@ -279,6 +279,7 @@ export interface TransactionParams extends BaseTransactionParams {
   rbfTxIds?: string[];
   /** Parameters for bridging intents (e.g. BTC -> sBTC peg-in), present when `type === 'bridging'`. */
   bridgingParams?: BridgingParams;
+  qr?: boolean;
 }
 
 export interface ParseTransactionOptions<TNumber extends number | bigint = number> extends BaseParseTransactionOptions {

modules/abstract-utxo/src/transaction/descriptor/verifyTransaction.ts

@@ -94,7 +94,32 @@ export async function verifyTransaction<TNumber extends number | bigint>(
     );
   }
 
-  assertValidTransaction(psbt, descriptorMap, params.txParams.recipients ?? [], coin.name);
+  const parsedOutputs = toBaseParsedTransactionOutputsFromPsbt(
+    psbt,
+    descriptorMap,
+    params.txParams.recipients ?? [],
+    coin.name
+  );
+
+  if (params.txParams.qr) {
+    const allExternalOutputs = [...parsedOutputs.explicitExternalOutputs, ...parsedOutputs.implicitExternalOutputs];
+    if (allExternalOutputs.length > 0) {
+      const txExplanation = await TxIntentMismatchError.tryGetTxExplanation(
+        coin as unknown as IBaseCoin,
+        params.txPrebuild
+      );
+      throw new TxIntentMismatchError(
+        'quantum-resistant sweep transactions must only contain wallet-internal outputs',
+        params.reqId,
+        [params.txParams],
+        params.txPrebuild.txHex,
+        txExplanation
+      );
+    }
+    return true;
+  }
+
+  assertExpectedOutputDifference(parsedOutputs);
 
   return true;
 }

modules/abstract-utxo/src/transaction/fixedScript/verifyTransaction.ts

@@ -127,6 +127,17 @@ export async function verifyTransaction<TNumber extends bigint | number>(
     debug('successfully verified user public key and custom change key signatures');
   }
 
+  if (txParams.qr) {
+    const allExternalOutputs = [
+      ...parsedTransaction.explicitExternalOutputs,
+      ...parsedTransaction.implicitExternalOutputs,
+    ];
+    if (allExternalOutputs.length > 0) {
+      throwTxMismatch('quantum-resistant sweep transactions must only contain wallet-internal outputs');
+    }
+    return true;
+  }
+
   const missingOutputs = parsedTransaction.missingOutputs;
   if (missingOutputs.length !== 0) {
     // there are some outputs in the recipients list that have not made it into the actual transaction

modules/abstract-utxo/test/unit/transaction/descriptor/verifyTransactionQr.ts

@@ -0,0 +1,93 @@
+import assert from 'assert';
+
+import * as testutils from '@bitgo/wasm-utxo/testutils';
+
+import { verifyTransaction } from '../../../../src/transaction/descriptor/verifyTransaction';
+import { getUtxoCoin } from '../../util';
+
+const { getDefaultXPubs, getDescriptor, getDescriptorMap, mockPsbt } = testutils.descriptor;
+
+describe('descriptor verifyTransaction - quantum-resistant sweep', function () {
+  const coin = getUtxoCoin('tbtc');
+
+  const xpubsSelf = getDefaultXPubs('a');
+  const xpubsOther = getDefaultXPubs('b');
+  const descriptorSelf = getDescriptor('Wsh2Of3', xpubsSelf);
+  const descriptorOther = getDescriptor('Wsh2Of3', xpubsOther);
+  const descriptorMap = getDescriptorMap('Wsh2Of3', xpubsSelf);
+
+  function buildPsbtAllInternal() {
+    return mockPsbt(
+      [
+        { descriptor: descriptorSelf, index: 0 },
+        { descriptor: descriptorSelf, index: 1, id: { vout: 1 } },
+      ],
+      [
+        { descriptor: descriptorSelf, index: 0, value: BigInt(4e5) },
+        { descriptor: descriptorSelf, index: 1, value: BigInt(4e5) },
+      ]
+    );
+  }
+
+  function buildPsbtWithExternal() {
+    return mockPsbt(
+      [
+        { descriptor: descriptorSelf, index: 0 },
+        { descriptor: descriptorSelf, index: 1, id: { vout: 1 } },
+      ],
+      [
+        { descriptor: descriptorOther, index: 0, value: BigInt(4e5), external: true },
+        { descriptor: descriptorSelf, index: 0, value: BigInt(4e5) },
+      ]
+    );
+  }
+
+  it('should reject when external outputs exist and qr is true', async function () {
+    const psbt = buildPsbtWithExternal();
+
+    await assert.rejects(
+      verifyTransaction(
+        coin,
+        {
+          txParams: { qr: true, recipients: [] },
+          txPrebuild: { txHex: Buffer.from(psbt.serialize()).toString('hex') },
+          wallet: {} as any,
+        },
+        descriptorMap
+      ),
+      /quantum-resistant sweep transactions must only contain wallet-internal outputs/
+    );
+  });
+
+  it('should pass when all outputs are internal and qr is true', async function () {
+    const psbt = buildPsbtAllInternal();
+
+    const result = await verifyTransaction(
+      coin,
+      {
+        txParams: { qr: true, recipients: [] },
+        txPrebuild: { txHex: Buffer.from(psbt.serialize()).toString('hex') },
+        wallet: {} as any,
+      },
+      descriptorMap
+    );
+
+    assert.strictEqual(result, true);
+  });
+
+  it('should not apply qr check when qr is not set (internal-only outputs pass normally)', async function () {
+    const psbt = buildPsbtAllInternal();
+
+    const result = await verifyTransaction(
+      coin,
+      {
+        txParams: { recipients: [] },
+        txPrebuild: { txHex: Buffer.from(psbt.serialize()).toString('hex') },
+        wallet: {} as any,
+      },
+      descriptorMap
+    );
+
+    assert.strictEqual(result, true);
+  });
+});

modules/abstract-utxo/test/unit/verifyTransaction.ts

@@ -465,6 +465,119 @@ describe('Verify Transaction', function () {
     coinMock.restore();
   });
 
+  describe('quantum-resistant sweep (qr: true)', function () {
+    it('should reject when explicit external outputs are present', async () => {
+      const coinMock = sinon.stub(coin, 'parseTransaction').resolves({
+        keychains: {} as any,
+        keySignatures: {},
+        outputs: [],
+        missingOutputs: [],
+        explicitExternalOutputs: [{ address: 'external_addr', amount: '5000' }],
+        implicitExternalOutputs: [],
+        changeOutputs: [{ address: 'change_addr', amount: '4000' }],
+        explicitExternalSpendAmount: 5000,
+        implicitExternalSpendAmount: 0,
+        needsCustomChangeKeySignatureVerification: false,
+      });
+
+      await assert.rejects(
+        coin.verifyTransaction({
+          txParams: { walletPassphrase: passphrase, qr: true },
+          txPrebuild: {},
+          wallet: unsignedSendingWallet as any,
+          verification: {},
+        }),
+        /quantum-resistant sweep transactions must only contain wallet-internal outputs/
+      );
+
+      coinMock.restore();
+    });
+
+    it('should reject when implicit external outputs are present', async () => {
+      const coinMock = sinon.stub(coin, 'parseTransaction').resolves({
+        keychains: {} as any,
+        keySignatures: {},
+        outputs: [],
+        missingOutputs: [],
+        explicitExternalOutputs: [],
+        implicitExternalOutputs: [{ address: 'paygo_addr', amount: '100' }],
+        changeOutputs: [{ address: 'change_addr', amount: '9900' }],
+        explicitExternalSpendAmount: 0,
+        implicitExternalSpendAmount: 100,
+        needsCustomChangeKeySignatureVerification: false,
+      });
+
+      await assert.rejects(
+        coin.verifyTransaction({
+          txParams: { walletPassphrase: passphrase, qr: true },
+          txPrebuild: {},
+          wallet: unsignedSendingWallet as any,
+          verification: {},
+        }),
+        /quantum-resistant sweep transactions must only contain wallet-internal outputs/
+      );
+
+      coinMock.restore();
+    });
+
+    it('should pass when all outputs are internal (change only)', async () => {
+      const coinMock = sinon.stub(coin, 'parseTransaction').resolves({
+        keychains: {} as any,
+        keySignatures: {},
+        outputs: [{ address: 'change_addr', amount: '10000' }],
+        missingOutputs: [],
+        explicitExternalOutputs: [],
+        implicitExternalOutputs: [],
+        changeOutputs: [{ address: 'change_addr', amount: '10000' }],
+        explicitExternalSpendAmount: 0,
+        implicitExternalSpendAmount: 0,
+        needsCustomChangeKeySignatureVerification: false,
+      });
+
+      const result = await coin.verifyTransaction({
+        txParams: { walletPassphrase: passphrase, qr: true },
+        txPrebuild: {},
+        wallet: unsignedSendingWallet as any,
+        verification: {},
+      });
+
+      assert.strictEqual(result, true);
+
+      coinMock.restore();
+    });
+
+    it('should not apply qr check when qr is not set', async () => {
+      const coinMock = sinon.stub(coin, 'parseTransaction').resolves({
+        keychains: {} as any,
+        keySignatures: {},
+        outputs: [],
+        missingOutputs: [],
+        explicitExternalOutputs: [{ address: 'external_addr', amount: '5000' }],
+        implicitExternalOutputs: [],
+        changeOutputs: [],
+        explicitExternalSpendAmount: 5000,
+        implicitExternalSpendAmount: 0,
+        needsCustomChangeKeySignatureVerification: false,
+      });
+
+      const bitcoinMock = sinon
+        .stub(coin, 'createTransactionFromHex')
+        .returns({ ins: [] } as unknown as utxolib.bitgo.UtxoTransaction);
+
+      const result = await coin.verifyTransaction({
+        txParams: { walletPassphrase: passphrase },
+        txPrebuild: { txHex: '00' },
+        wallet: unsignedSendingWallet as any,
+        verification: {},
+      });
+
+      assert.strictEqual(result, true);
+
+      coinMock.restore();
+      bitcoinMock.restore();
+    });
+  });
+
   it('should work with bigint amounts', async () => {
     // need a coin that uses bigint
     const bigintCoin = getUtxoCoin('tdoge');

modules/bitgo/package.json

@@ -140,7 +140,7 @@
     "superagent": "^9.0.1"
   },
   "devDependencies": {
-    "@bitgo/public-types": "6.21.0",
+    "@bitgo/public-types": "6.22.0",
     "@bitgo/sdk-opensslbytes": "^2.1.0",
     "@bitgo/sdk-test": "^9.1.46",
     "@openpgp/web-stream-tools": "0.0.14",

modules/express/package.json

@@ -60,7 +60,7 @@
     "superagent": "^9.0.1"
   },
   "devDependencies": {
-    "@bitgo/public-types": "6.21.0",
+    "@bitgo/public-types": "6.22.0",
     "@bitgo/sdk-lib-mpc": "^10.14.0",
     "@bitgo/sdk-test": "^9.1.46",
     "@types/argparse": "^1.0.36",

modules/sdk-coin-flrp/package.json

@@ -47,7 +47,7 @@
     "@bitgo/sdk-test": "^9.1.46"
   },
   "dependencies": {
-    "@bitgo/public-types": "6.21.0",
+    "@bitgo/public-types": "6.22.0",
     "@bitgo/sdk-core": "^37.3.0",
     "@bitgo/secp256k1": "^1.11.0",
     "@bitgo/statics": "^58.43.0",

modules/sdk-coin-sol/package.json

@@ -57,7 +57,7 @@
   },
   "dependencies": {
     "@bitgo/logger": "^1.4.0",
-    "@bitgo/public-types": "6.21.0",
+    "@bitgo/public-types": "6.22.0",
     "@bitgo/sdk-core": "^37.3.0",
     "@bitgo/sdk-lib-mpc": "^10.14.0",
     "@bitgo/statics": "^58.43.0",