Merge pull request #6990 from BitGo/validate-data-on-tx

henryyang183 · web-flow · commit 465f4a25070a · 2025-09-18T10:43:51.000-04:00
fix(bitgo): add data validation on tx Ticket: SC-1436
diff --git a/modules/bitgo/test/v2/fixtures/staking/stakingWallet.ts b/modules/bitgo/test/v2/fixtures/staking/stakingWallet.ts
@@ -77,4 +77,42 @@ export default {
     },
     senderWalletId: 'btcDescriptorWalletId',
   },
+
+  matchingDataBuildParams: {
+    memo: 'matching-memo',
+    gasLimit: 200000,
+    type: 'pay',
+    solInstructions: [{ programId: 'Stake111', keys: [], data: 'delegate' }],
+    aptosCustomTransactionParams: { moduleName: '0x1::staking', functionName: 'stake' },
+  },
+
+  mismatchMemoBuildParams: {
+    memo: 'user-memo',
+  },
+
+  mismatchGasLimitBuildParams: {
+    gasLimit: 100000,
+  },
+
+  mismatchTypeBuildParams: {
+    type: 'stake',
+  },
+
+  mismatchSolInstructionsBuildParams: {
+    solInstructions: [
+      {
+        programId: 'UserStakeProgram1111111111111111111111111111',
+        keys: [{ pubkey: 'user-key', isSigner: true, isWritable: true }],
+        data: 'user-delegate-data',
+      },
+    ],
+  },
+
+  mismatchAptosParamsBuildParams: {
+    aptosCustomTransactionParams: {
+      moduleName: '0x1::staking',
+      functionName: 'stake',
+      functionArguments: ['10000'],
+    },
+  },
 };
diff --git a/modules/sdk-core/src/bitgo/staking/stakingWallet.ts b/modules/sdk-core/src/bitgo/staking/stakingWallet.ts
@@ -2,6 +2,7 @@
  * @prettier
  */
 import { CoinFamily } from '@bitgo/statics';
+import isEqual from 'lodash/isEqual';
 
 import {
   DelegationOptions,
@@ -381,6 +382,7 @@ export class StakingWallet implements IStakingWallet {
     }
 
     const explainedTransaction = await coin.explainTransaction(result);
+    const mismatchErrors: string[] = [];
 
     if (buildParams?.recipients && buildParams.recipients.length > 0) {
       const userRecipientMap = new Map(
@@ -389,9 +391,6 @@ export class StakingWallet implements IStakingWallet {
       const platformRecipientMap = new Map(
         (explainedTransaction?.outputs ?? []).map((recipient) => [recipient.address.toLowerCase(), recipient])
       );
-
-      const mismatchErrors: string[] = [];
-
       for (const [address] of platformRecipientMap) {
         if (!userRecipientMap.has(address)) {
           mismatchErrors.push(`Unexpected recipient address found in built transaction: ${address}`);
@@ -420,13 +419,60 @@ export class StakingWallet implements IStakingWallet {
           );
         }
       }
-      if (mismatchErrors.length > 0) {
-        const errorMessage = `Staking transaction validation failed before signing: ${mismatchErrors.join('; ')}`;
-        debug(errorMessage);
-        throw new Error(errorMessage);
+    }
+
+    if (buildParams?.memo && (explainedTransaction as any).memo !== buildParams.memo) {
+      mismatchErrors.push(
+        `Memo mismatch. Expected: '${JSON.stringify(buildParams.memo)}', Got: '${JSON.stringify(
+          (explainedTransaction as any).memo
+        )}'`
+      );
+    }
+
+    if (buildParams?.gasLimit && String((explainedTransaction as any).gasLimit) !== String(buildParams.gasLimit)) {
+      mismatchErrors.push(
+        `Gas Limit mismatch. Expected: ${buildParams.gasLimit}, Got: ${(explainedTransaction as any).gasLimit}`
+      );
+    }
+
+    if (buildParams?.type && (explainedTransaction as any).type !== buildParams.type) {
+      mismatchErrors.push(
+        `Transaction type mismatch. Expected: '${buildParams.type}', Got: '${(explainedTransaction as any).type}'`
+      );
+    }
+
+    if (buildParams?.solInstructions) {
+      if (!isEqual((explainedTransaction as any).solInstructions, buildParams.solInstructions)) {
+        mismatchErrors.push(
+          `Solana instructions mismatch. Expected: ${JSON.stringify(
+            buildParams.solInstructions
+          )}, Got: ${JSON.stringify((explainedTransaction as any).solInstructions)}`
+        );
+      }
+    }
+
+    if (buildParams?.aptosCustomTransactionParams) {
+      if (
+        !isEqual((explainedTransaction as any).aptosCustomTransactionParams, buildParams.aptosCustomTransactionParams)
+      ) {
+        mismatchErrors.push(
+          `Aptos custom transaction parameters mismatch. Expected: ${JSON.stringify(
+            buildParams.aptosCustomTransactionParams
+          )}, Got: ${JSON.stringify((explainedTransaction as any).aptosCustomTransactionParams)}`
+        );
       }
-    } else {
-      debug(`Cannot validate staking transaction ${transaction.stakingRequestId} without specified build params`);
+    }
+
+    if (mismatchErrors.length > 0) {
+      const errorMessage = `Staking transaction validation failed before signing: ${mismatchErrors.join('; ')}`;
+      debug(errorMessage);
+      throw new Error(errorMessage);
+    }
+
+    if (!buildParams) {
+      debug(
+        `Cannot perform deep validation for staking transaction ${transaction.stakingRequestId} without specified build params`
+      );
     }
   }
 }
