fix(tss): verify recipients before signing

TICKET: WAL-375

Author: mrdanish26

modules/bitgo/test/v2/unit/internal/tssUtils/ecdsa.ts

@@ -747,6 +747,7 @@ describe('TSS Ecdsa Utils:', async function () {
           backupNShare: backupKeyShare.nShares[1],
         }),
         reqId,
+        txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
       });
       signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
       const userGpgActual = sendShareSpy.getCalls()[0].args[10] as string;
@@ -764,12 +765,125 @@ describe('TSS Ecdsa Utils:', async function () {
           backupNShare: backupKeyShare.nShares[1],
         }),
         reqId,
+        txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
       });
       signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
       const userGpgActual = sendShareSpy.getCalls()[0].args[10] as string;
       userGpgActual.should.startWith('-----BEGIN PGP PUBLIC KEY BLOCK-----');
     });
 
+    it('signTxRequest should fail when txParams is missing', async function () {
+      await tssUtils
+        .signTxRequest({
+          txRequest,
+          prv: JSON.stringify({
+            pShare: userKeyShare.pShare,
+            bitgoNShare: bitgoKeyShare.nShares[1],
+            backupNShare: backupKeyShare.nShares[1],
+          }),
+          reqId,
+        })
+        .should.be.rejectedWith(
+          'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+        );
+    });
+
+    it('signTxRequest should fail when txParams has empty recipients', async function () {
+      await tssUtils
+        .signTxRequest({
+          txRequest,
+          prv: JSON.stringify({
+            pShare: userKeyShare.pShare,
+            bitgoNShare: bitgoKeyShare.nShares[1],
+            backupNShare: backupKeyShare.nShares[1],
+          }),
+          reqId,
+          txParams: { recipients: [] },
+        })
+        .should.be.rejectedWith(
+          'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+        );
+    });
+
+    it('signTxRequest should succeed when recipients are only in intent (smart contract interaction)', async function () {
+      await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
+      const txRequestWithIntentRecipients = {
+        ...txRequest,
+        intent: {
+          intentType: 'contractCall',
+          recipients: [
+            {
+              address: { address: '0xrecipient' },
+              amount: { value: '1000', symbol: 'hteth' },
+            },
+          ],
+        },
+      };
+      const signedTxRequest = await tssUtils.signTxRequest({
+        txRequest: txRequestWithIntentRecipients,
+        prv: JSON.stringify({
+          pShare: userKeyShare.pShare,
+          bitgoNShare: bitgoKeyShare.nShares[1],
+          backupNShare: backupKeyShare.nShares[1],
+        }),
+        reqId,
+        // no txParams.recipients — should fall back to intent.recipients
+      });
+      signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
+    });
+
+    it('signTxRequest should succeed for no-recipient tx types (tokenApproval)', async function () {
+      await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
+      const signedTxRequest = await tssUtils.signTxRequest({
+        txRequest,
+        prv: JSON.stringify({
+          pShare: userKeyShare.pShare,
+          bitgoNShare: bitgoKeyShare.nShares[1],
+          backupNShare: backupKeyShare.nShares[1],
+        }),
+        reqId,
+        txParams: { type: 'tokenApproval' },
+      });
+      signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
+    });
+
+    it('signTxRequest should succeed for no-recipient tx types (acceleration)', async function () {
+      await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
+      const signedTxRequest = await tssUtils.signTxRequest({
+        txRequest,
+        prv: JSON.stringify({
+          pShare: userKeyShare.pShare,
+          bitgoNShare: bitgoKeyShare.nShares[1],
+          backupNShare: backupKeyShare.nShares[1],
+        }),
+        reqId,
+        txParams: { type: 'acceleration' },
+      });
+      signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
+    });
+
+    it('signTxRequest should prefer txParams.recipients over intent.recipients when both are present', async function () {
+      await setupSignTxRequestNocks(false, userSignShare, aShare, dShare, enterpriseData);
+      const txRequestWithBothRecipients = {
+        ...txRequest,
+        intent: {
+          intentType: 'contractCall',
+          recipients: [{ address: { address: '0xintentRecipient' }, amount: { value: '9999', symbol: 'hteth' } }],
+        },
+      };
+      const signedTxRequest = await tssUtils.signTxRequest({
+        txRequest: txRequestWithBothRecipients,
+        prv: JSON.stringify({
+          pShare: userKeyShare.pShare,
+          bitgoNShare: bitgoKeyShare.nShares[1],
+          backupNShare: backupKeyShare.nShares[1],
+        }),
+        reqId,
+        txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
+      });
+      signedTxRequest.unsignedTxs.should.deepEqual(txRequest.unsignedTxs);
+    });
+
     it('signTxRequest should fail with wrong recipient', async function () {
       // To generate these Hex values, we used the bitgo-ui to create a transaction and then
       // used the `signableHex` and `serializedTxHex` values from the prebuild.

modules/bitgo/test/v2/unit/internal/tssUtils/ecdsaMPCv2/signTxRequest.ts

@@ -193,6 +193,7 @@ describe('signTxRequest:', function () {
       txRequest,
       prv: userPrvBase64,
       reqId,
+      txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
     });
     nockPromises[0].isDone().should.be.true();
     nockPromises[1].isDone().should.be.true();
@@ -215,6 +216,7 @@ describe('signTxRequest:', function () {
       prv: backupPrvBase64,
       mpcv2PartyId: 1,
       reqId,
+      txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
     });
     nockPromises[0].isDone().should.be.true();
     nockPromises[1].isDone().should.be.true();
@@ -236,6 +238,7 @@ describe('signTxRequest:', function () {
       txRequest,
       prv: userPrvBase64,
       reqId,
+      txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
     });
     nockPromises[0].isDone().should.be.true();
     nockPromises[1].isDone().should.be.true();
@@ -257,6 +260,7 @@ describe('signTxRequest:', function () {
       txRequest,
       prv: userPrvBase64,
       reqId,
+      txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
     });
     nockPromises[0].isDone().should.be.true();
     nockPromises[1].isDone().should.be.true();
@@ -277,11 +281,122 @@ describe('signTxRequest:', function () {
         txRequest,
         prv: userPrvBase64,
         reqId,
+        txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
       })
       .should.be.rejectedWith('Too many requests, slow down!');
     nockPromises[0].isDone().should.be.true();
     nockPromises[1].isDone().should.be.false();
   });
+
+  it('rejects signTxRequest when txParams is missing', async function () {
+    const userShare = fs.readFileSync(shareFiles[vector.party1]);
+    const userPrvBase64 = Buffer.from(userShare).toString('base64');
+    await tssUtils
+      .signTxRequest({
+        txRequest,
+        prv: userPrvBase64,
+        reqId,
+      })
+      .should.be.rejectedWith(
+        'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+      );
+  });
+
+  it('rejects signTxRequest when txParams has empty recipients', async function () {
+    const userShare = fs.readFileSync(shareFiles[vector.party1]);
+    const userPrvBase64 = Buffer.from(userShare).toString('base64');
+    await tssUtils
+      .signTxRequest({
+        txRequest,
+        prv: userPrvBase64,
+        reqId,
+        txParams: { recipients: [] },
+      })
+      .should.be.rejectedWith(
+        'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+      );
+  });
+
+  it('accepts signTxRequest when recipients are only in intent (smart contract interaction)', async function () {
+    const userShare = fs.readFileSync(shareFiles[vector.party1]);
+    const userPrvBase64 = Buffer.from(userShare).toString('base64');
+    const txRequestWithIntentRecipients = {
+      ...txRequest,
+      intent: {
+        intentType: 'contractCall',
+        recipients: [
+          {
+            address: { address: '0xrecipient' },
+            amount: { value: '1000', symbol: 'hteth' },
+          },
+        ],
+      },
+    };
+    // Should not throw the recipients guard error — falls back to intent.recipients
+    await tssUtils
+      .signTxRequest({
+        txRequest: txRequestWithIntentRecipients,
+        prv: userPrvBase64,
+        reqId,
+        // no txParams.recipients
+      })
+      .should.not.be.rejectedWith(
+        'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+      );
+  });
+
+  it('accepts signTxRequest for no-recipient tx types (tokenApproval)', async function () {
+    const userShare = fs.readFileSync(shareFiles[vector.party1]);
+    const userPrvBase64 = Buffer.from(userShare).toString('base64');
+    // Should not throw the recipients guard error — type exemption applies
+    await tssUtils
+      .signTxRequest({
+        txRequest,
+        prv: userPrvBase64,
+        reqId,
+        txParams: { type: 'tokenApproval' },
+      })
+      .should.not.be.rejectedWith(
+        'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+      );
+  });
+
+  it('accepts signTxRequest for no-recipient tx types (acceleration)', async function () {
+    const userShare = fs.readFileSync(shareFiles[vector.party1]);
+    const userPrvBase64 = Buffer.from(userShare).toString('base64');
+    await tssUtils
+      .signTxRequest({
+        txRequest,
+        prv: userPrvBase64,
+        reqId,
+        txParams: { type: 'acceleration' },
+      })
+      .should.not.be.rejectedWith(
+        'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+      );
+  });
+
+  it('accepts signTxRequest when txParams.recipients takes priority over intent.recipients', async function () {
+    const userShare = fs.readFileSync(shareFiles[vector.party1]);
+    const userPrvBase64 = Buffer.from(userShare).toString('base64');
+    const txRequestWithBothRecipients = {
+      ...txRequest,
+      intent: {
+        intentType: 'contractCall',
+        recipients: [{ address: { address: '0xintentRecipient' }, amount: { value: '9999', symbol: 'hteth' } }],
+      },
+    };
+    await tssUtils
+      .signTxRequest({
+        txRequest: txRequestWithBothRecipients,
+        prv: userPrvBase64,
+        reqId,
+        txParams: { recipients: [{ address: '0xrecipient', amount: '1000' }] },
+      })
+      .should.not.be.rejectedWith(
+        'Recipient details are required to verify this transaction before signing. Pass txParams with at least one recipient.'
+      );
+  });
 });
 
 export function getBitGoPartyGpgKeyPrv(key: openpgp.SerializedKeyPair<string>): DklsTypes.PartyGpgKey {

modules/sdk-core/src/bitgo/pendingApproval/pendingApproval.ts

@@ -246,7 +246,9 @@ export class PendingApproval implements IPendingApproval {
     }
 
     const decryptedPrv = await this.wallet.getPrv({ walletPassphrase });
-    const txRequest = await this.tssUtils!.recreateTxRequest(txRequestId, decryptedPrv, reqId);
+    const pendingApprovalRecipients = this._pendingApproval.info?.transactionRequest?.recipients;
+    const txParams = pendingApprovalRecipients?.length ? { recipients: pendingApprovalRecipients } : undefined;
+    const txRequest = await this.tssUtils!.recreateTxRequest(txRequestId, decryptedPrv, reqId, txParams);
     if (txRequest.apiVersion === 'lite') {
       if (!txRequest.unsignedTxs || txRequest.unsignedTxs.length === 0) {
         throw new Error('Unexpected error, no transactions found in txRequest.');

modules/sdk-core/src/bitgo/utils/tss/baseTSSUtils.ts

@@ -39,6 +39,7 @@ import {
   TxRequest,
   TxRequestVersion,
 } from './baseTypes';
+import { TransactionParams } from '../../baseCoin/iBaseCoin';
 import { GShare, SignShare } from '../../../account-lib/mpc/tss';
 import { RequestTracer } from '../util';
 import { envRequiresBitgoPubGpgKeyConfig, getBitgoMpcGpgPubKey } from '../../tss/bitgoPubKeys';
@@ -533,11 +534,16 @@ export default class BaseTssUtils<KeyShare> extends MpcUtils implements ITssUtil
    * @param {RequestTracer} reqId id tracer.
    * @returns {Promise<any>}
    */
-  async recreateTxRequest(txRequestId: string, decryptedPrv: string, reqId: IRequestTracer): Promise<TxRequest> {
+  async recreateTxRequest(
+    txRequestId: string,
+    decryptedPrv: string,
+    reqId: IRequestTracer,
+    txParams?: TransactionParams
+  ): Promise<TxRequest> {
     await this.deleteSignatureShares(txRequestId, reqId);
     // after delete signatures shares get the tx without them
     const txRequest = await getTxRequest(this.bitgo, this.wallet.id(), txRequestId, reqId);
-    return await this.signTxRequest({ txRequest, prv: decryptedPrv, reqId });
+    return await this.signTxRequest({ txRequest, prv: decryptedPrv, reqId, txParams });
   }
 
   /**

modules/sdk-core/src/bitgo/utils/tss/baseTypes.ts

@@ -759,7 +759,12 @@ export interface ITssUtils<KeyShare = EDDSA.KeyShare> {
   deleteSignatureShares(txRequestId: string): Promise<SignatureShareRecord[]>;
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   sendTxRequest(txRequestId: string): Promise<any>;
-  recreateTxRequest(txRequestId: string, decryptedPrv: string, reqId: IRequestTracer): Promise<TxRequest>;
+  recreateTxRequest(
+    txRequestId: string,
+    decryptedPrv: string,
+    reqId: IRequestTracer,
+    txParams?: TransactionParams
+  ): Promise<TxRequest>;
   getTxRequest(txRequestId: string): Promise<TxRequest>;
   supportedTxRequestVersions(): TxRequestVersion[];
 }