Skip to content

fix: backport security fixes from app-version branch#25

Merged
SlavaSereb merged 4 commits into
mainfrom
fix/feedback-review
Jun 11, 2026
Merged

fix: backport security fixes from app-version branch#25
SlavaSereb merged 4 commits into
mainfrom
fix/feedback-review

Conversation

@SlavaSereb

Copy link
Copy Markdown
Collaborator

Summary

Backports critical security fixes from the app-version branch to main to ensure both branches have consistent security hardening.

Security Improvements

FireblocksSigner.ts:

  • Add externalTxId parameter for idempotent signing requests (prevents duplicate transactions on retry)
  • Replace fixed 3-second polling with exponential backoff (3s → 30s ceiling)
  • Add 30-minute hard timeout to prevent infinite polling during cold storage approvals
  • Fix stale log message that never updated during polling loop

helpers.ts:

  • concatSignature: Validate recovery ID v ∈ {0, 1} (reject malformed signatures)
  • concatSignature: Validate signature is exactly 128 hex characters
  • concatSignature: Normalize high-S signatures via @noble/secp256k1 for node compatibility
  • validateAddress: Support multisig addresses (SM prefix for mainnet, SN for testnet)
  • untilBurnHeightForCycles: Fix off-by-one error in PoX cycle calculation

Security improvements:
- FireblocksSigner: Add externalTxId for idempotency (prevents duplicate signing)
- FireblocksSigner: Replace fixed 3s poll with exponential backoff (3s→30s)
- FireblocksSigner: Add 30-minute timeout to prevent infinite polling
- concatSignature: Validate v ∈ {0,1} (reject invalid recovery IDs)
- concatSignature: Validate signature length (128 hex chars)
- concatSignature: Normalize high-S signatures via @noble/secp256k1
- validateAddress: Support multisig addresses (SM/SN prefixes)
- untilBurnHeightForCycles: Fix off-by-one error in cycle calculation
- concatSignature: test low-S normalization and v validation
- untilBurnHeightForCycles: fix expected value (removed off-by-one)
- Add @noble/secp256k1 as explicit dependency (was transitive only)
- Add network error handling in transaction polling loop
- Wrap signature parsing in try-catch with descriptive error
- Document v-flip logic for low-S normalization
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​@​noble/​secp256k1@​1.7.210010010085100

View full report

@SlavaSereb SlavaSereb merged commit b2270e7 into main Jun 11, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant