Skip to content

fix(tss): require txParams with recipients for TSS tx signing#8462

Open
mrdanish26 wants to merge 1 commit intomasterfrom
WAL-375-mpcv2-sign-tx-require-txparams
Open

fix(tss): require txParams with recipients for TSS tx signing#8462
mrdanish26 wants to merge 1 commit intomasterfrom
WAL-375-mpcv2-sign-tx-require-txparams

Conversation

@mrdanish26
Copy link
Copy Markdown
Contributor

@mrdanish26 mrdanish26 commented Apr 9, 2026
edited
Loading

Summary

  • Fixes WAL-375: MPCv2 (and ECDSA TSS) signTxRequest() silently defaulted txParams to { recipients: [] } when the caller omitted it, allowing a compromised BitGo API to swap signableHex to redirect funds without client detection
  • Adds an early guard in signRequestBase() that throws when txParams.recipients is absent or empty for RequestType.tx, ensuring verifyTransaction() always receives explicit caller-supplied params
  • Propagates optional txParams through recreateTxRequest() so the pending-approval re-sign path keeps working; extracts recipients from pendingApproval.info.transactionRequest

Test plan

  • Existing success tests for signTxRequest in ecdsaMPCv2/signTxRequest.ts and ecdsa.ts updated to pass txParams with recipients
  • New negative tests verify rejection when txParams is missing
  • New negative tests verify rejection when txParams.recipients is an empty array
  • Run yarn unit-test in modules/bitgo

@linear
Copy link
Copy Markdown

linear bot commented Apr 9, 2026

WAL-375 [Security] MPCv2 signTxRequest() Defaults txParams to Empty Recipients — Transaction Verification Bypass

@mrdanish26 mrdanish26 force-pushed the WAL-375-mpcv2-sign-tx-require-txparams branch from 63ddf05 to 346f349 Compare April 9, 2026 19:12
@bitgo-ai-agent-dev bitgo-ai-agent-dev bot force-pushed the WAL-375-mpcv2-sign-tx-require-txparams branch from 346f349 to b04cdf0 Compare April 9, 2026 19:38
@mrdanish26 mrdanish26 marked this pull request as ready for review April 9, 2026 22:59
@mrdanish26 mrdanish26 requested review from a team as code owners April 9, 2026 22:59
@sachushaji
Copy link
Copy Markdown
Contributor

sachushaji commented Apr 10, 2026

@claude

pranavjain97
pranavjain97 requested changes Apr 10, 2026
View reviewed changes
modules/sdk-core/src/bitgo/utils/tss/ecdsa/ecdsa.ts Outdated
txRequest.apiVersion === 'full' ? txRequest.transactions![0].unsignedTx : txRequest.unsignedTxs[0];

if (!params.txParams?.recipients?.length) {
throw new Error('txParams with recipients is required for TSS transaction signing');
Copy link
Copy Markdown
Contributor

@pranavjain97 pranavjain97 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be an Invalid and let's make the error more UI friendly

modules/sdk-core/src/bitgo/utils/tss/ecdsa/ecdsaMPCv2.ts
Comment on lines +739 to +741
if (!params.txParams?.recipients?.length) {
throw new Error('txParams with recipients is required for TSS transaction signing');
}
Copy link
Copy Markdown
Contributor

@pranavjain97 pranavjain97 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same

modules/sdk-core/src/bitgo/pendingApproval/pendingApproval.ts
const txRequest = await this.tssUtils!.recreateTxRequest(txRequestId, decryptedPrv, reqId);
const pendingApprovalRecipients = this._pendingApproval.info?.transactionRequest?.recipients;
const txParams = pendingApprovalRecipients?.length ? { recipients: pendingApprovalRecipients } : undefined;
const txRequest = await this.tssUtils!.recreateTxRequest(txRequestId, decryptedPrv, reqId, txParams);
Copy link
Copy Markdown
Contributor

@pranavjain97 pranavjain97 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whats the behavior here if txParams is undefined?

Copy link
Copy Markdown
Contributor Author

@mrdanish26 mrdanish26 Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If txParams is undefined, recreateTxRequest still calls signTxRequest with txParams omitted. For ECDSA transaction signing, the SDK then throws error because recipients are required for verification—same guard as when callers omit txParams elsewhere. It’s only “optional” at the recreateTxRequest call site when the pending approval has no transactionRequest.recipients; downstream ECDSA tx signing rejects that instead of defaulting to empty recipients.

@mrdanish26 mrdanish26 force-pushed the WAL-375-mpcv2-sign-tx-require-txparams branch 2 times, most recently from 2245b20 to ab5753e Compare April 10, 2026 18:59
@mrdanish26 mrdanish26 force-pushed the WAL-375-mpcv2-sign-tx-require-txparams branch from ab5753e to 2be89f5 Compare April 10, 2026 19:03
@mrdanish26 mrdanish26 requested a review from pranavjain97 April 10, 2026 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Marzooqa Marzooqa Awaiting requested review from Marzooqa Marzooqa is a code owner automatically assigned from BitGo/wallet-core-india

@pranavjain97 pranavjain97 Awaiting requested review from pranavjain97

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mrdanish26 @sachushaji @pranavjain97