fix(sdk-coin-xrp): enforce destination tag in verifyTransaction #9110
Draft
bitgo-ai-agent-dev[bot] wants to merge 1 commit into
The verifyTransaction comparator was only checking the base address (stripping ?dt=N), allowing transactions with a different destination tag to pass verification silently. A payment built for rXXXX?dt=123 would verify successfully even if the prebuild targeted rXXXX?dt=0, causing the transaction to land at the wrong account subdivision and never appear for the intended recipient.

Compare r1Details.destinationTag against r2Details.destinationTag so that a mismatch between the intended and actual destination tag is caught before the transaction is signed and submitted.

Ticket: CSHLD-1115
Co-Authored-By: Claude <noreply@anthropic.com>
Session-Id: 1cceafce-d4d3-4c86-a796-8e300680dc18
Task-Id: fa37dd24-b008-4d0e-b331-5db8f5e1371d
34f3ee1 to 447e960
What

Xrp.verifyTransaction, the address comparator was only checking the base XRP address and ignoring the destination tag (?dt=N). A prebuild targeting rXXXX?dt=0 would pass verification even if txParams.recipients[0].address was rXXXX?dt=123 (or no tag at all).
getAddressDetails results for both recipients and compare destinationTag in addition to the base address.
dt=0 vs no-tag, no-tag vs dt=0, and mismatched non-zero tags.

Why

Test plan

cd modules/sdk-coin-xrp && BITGOJS_TEST_PASSWORD=test npx mocha 'test/unit/xrp.ts' — 136 tests pass including 5 new destination-tag enforcement tests
eslint src/xrp.ts test/unit/xrp.ts

Ticket: CSHLD-1115
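
An added example (not code from this PR or from BitGoJS) contrasting a base-address-only comparator with one that also compares the destination tag, run over the cases the description lists. `parseAddress`, `sameRecipientBaseOnly`, `sameRecipientStrict` and `compareAll` are hypothetical names, `rXXXX` is the page's placeholder address, and treating an absent tag as distinct from `dt=0` is an assumption drawn from the listed test cases.

```typescript
// Added illustration. All names are hypothetical, not BitGoJS APIs.
interface AddressDetails {
  address: string; // base address, the part before "?"
  destinationTag: number | undefined; // undefined means no ?dt= was given
}

// XRP Ledger destination tags are unsigned 32-bit integers.
const MAX_TAG = 0xffffffff;

// Split "rXXXX?dt=N" into base address and tag; reject malformed tags.
function parseAddress(input: string): AddressDetails {
  const q = input.indexOf('?');
  if (q === -1) return { address: input, destinationTag: undefined };
  const m = /^dt=(\d{1,10})$/.exec(input.slice(q + 1));
  if (!m) throw new Error(`malformed destination tag: ${input}`);
  const tag = Number(m[1]);
  if (tag > MAX_TAG) throw new Error(`destination tag out of range: ${input}`);
  return { address: input.slice(0, q), destinationTag: tag };
}

// Behaviour the PR describes as the bug: the tag is parsed, then ignored.
function sameRecipientBaseOnly(intended: string, actual: string): boolean {
  return parseAddress(intended).address === parseAddress(actual).address;
}

// Behaviour the PR describes as the fix: base address and tag must both match.
// Strict equality keeps "no tag" (undefined) distinct from dt=0 (assumption).
function sameRecipientStrict(intended: string, actual: string): boolean {
  const a = parseAddress(intended);
  const b = parseAddress(actual);
  return a.address === b.address && a.destinationTag === b.destinationTag;
}

// Constructed [intended, prebuild] pairs mirroring the cases the PR lists.
const CASES: Array<[string, string]> = [
  ['rXXXX?dt=123', 'rXXXX?dt=0'],
  ['rXXXX?dt=0', 'rXXXX'],
  ['rXXXX', 'rXXXX?dt=0'],
  ['rXXXX?dt=123', 'rXXXX?dt=123'],
];

// Evaluate both comparators over every constructed pair.
function compareAll(): Array<{ baseOnly: boolean; strict: boolean }> {
  return CASES.map(([intended, actual]) => ({
    baseOnly: sameRecipientBaseOnly(intended, actual),
    strict: sameRecipientStrict(intended, actual),
  }));
}
```

The base-only comparator accepts all four constructed pairs, while the strict one accepts only the pair whose tags are identical.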