feat(sdk-coin-algo): verify consolidation transaction

Implement verification to ensure consolidation transactions send funds to
the wallet's base address (rootAddress). This prevents malicious transactions
from redirecting consolidated funds to unauthorized addresses.

Changes:
- Add consolidationToBaseAddress verification in verifyTransaction method
- Verify transaction recipient matches wallet rootAddress for both native
  (pay) and token (axfer) transactions
- Test both positive (valid consolidation) and negative (malicious) cases

The verification is triggered when params.verification.consolidationToBaseAddress
is set to true, which happens automatically in sendAccountConsolidations.

Ticket: WP-5729

TICKET: WP-5729

Author: mohammadalfaiyazbitgo

modules/sdk-coin-algo/src/algo.ts

@@ -30,6 +30,7 @@ import {
   MultisigType,
   multisigTypes,
   AuditDecryptedKeyParams,
+  TxIntentMismatchError,
 } from '@bitgo/sdk-core';
 import stellar from 'stellar-sdk';
 import BigNumber from 'bignumber.js';
@@ -580,7 +581,7 @@ export class Algo extends BaseCoin {
   }
 
   async verifyTransaction(params: VerifyTransactionOptions): Promise<boolean> {
-    const { txParams, txPrebuild } = params;
+    const { txParams, txPrebuild, wallet, verification } = params;
 
     if (!txParams) {
       throw new Error('missing txParams');
@@ -602,14 +603,40 @@ export class Algo extends BaseCoin {
     // Validate based on Algorand transaction type
     switch (txJson.type) {
       case 'pay':
-        return this.validatePayTransaction(txJson, txParams);
+        this.validatePayTransaction(txJson, txParams);
+        break;
       case 'axfer':
-        return this.validateAssetTransferTransaction(txJson, txParams);
+        this.validateAssetTransferTransaction(txJson, txParams);
+        break;
       default:
         // For other transaction types, perform basic validation
         this.validateBasicTransaction(txJson);
-        return true;
+        break;
     }
+
+    // Verify consolidation transactions send to base address
+    if (verification?.consolidationToBaseAddress) {
+      if (!wallet?.coinSpecific()?.rootAddress) {
+        throw new Error('Unable to determine base address for consolidation');
+      }
+      const rootAddress = wallet.coinSpecific()?.rootAddress as string;
+
+      // Verify the transaction recipient matches the rootAddress
+      if (!txJson.to) {
+        throw new Error('Transaction is missing recipient address');
+      }
+
+      if (txJson.to !== rootAddress) {
+        throw new TxIntentMismatchError(
+          'Consolidation transaction recipient does not match wallet base address',
+          txJson.to,
+          [txParams],
+          txJson
+        );
+      }
+    }
+
+    return true;
   }
 
   /**

modules/sdk-coin-algo/test/fixtures/resources.ts

@@ -132,3 +132,13 @@ export const base64Txn = {
     txid: 'RSWDVNXWLX7UEDVGJR7B7SSCL3Q43UILPYIEX2AMDD72JIFV7TVA',
   },
 } as const;
+
+export const consolidation = {
+  // Real consolidation transaction from account-consolidation-build
+  rootAddress: 'L6OMQGFVXSDOCEXVB3FFRBYUD3FH6UFMT6WNTFYDJXGEV6ZDQ74EXGF6BE',
+  receiveAddress: 'U3YYPVGS7MOEPLAMOEBQYMQL6K6OG6VA5CL4RGMPXQTMWEWHBSN2RYS774',
+  txHex:
+    'iaNhbXTOAJcL+KNmZWXNA+iiZnbOA2bxbqNnZW6sdGVzdG5ldC12MS4womdoxCBIY7UYpLPITsgQ8i1PEIHLD3HwWaesIN7GL39w5Qk6IqJsds4DZvVWo3JjdsQgX5zIGLW8huES9Q7KWIcUHsp/UKyfrNmXA03MSvsjh/ijc25kxCCm8YfU0vscR6wMcQMMMgvyvON6oOiXyJmPvCbLEscMm6R0eXBlo3BheQ==',
+  amount: '9899000',
+  txId: 'ROTFDRSEAWKSYIOBE6PKX5TVZIYKRFWEN4PET54ODY3RDMRCMMQA',
+} as const;