Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

addOutputAddress doesn't validate address checksum #37

Closed
mahnunchik opened this issue May 31, 2023 · 0 comments
Closed

addOutputAddress doesn't validate address checksum #37

mahnunchik opened this issue May 31, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@mahnunchik
Copy link
Contributor

addOutputAddress method uses Address.decode which uses base58 instead base58check.

Checksum bytes stripped away.

In addition the same address is decoded multiple times.

scure-btc-signer/index.ts

Lines 1486 to 1499 in 98fd1c6

const data = base58.decode(address);
if (data.length !== 25) throw new Error('Invalid base58 address');
// Pay To Public Key Hash
if (data[0] === network.pubKeyHash) {
const bytes = base58.decode(address);
return { type: 'pkh', hash: bytes.slice(1, bytes.length - 4) };
} else if (data[0] === network.scriptHash) {
const bytes = base58.decode(address);
return {
type: 'sh',
hash: base58.decode(address).slice(1, bytes.length - 4),
};
}
throw new Error(`Invalid address prefix=${data[0]}`);

It seems address should be decoded the following way:

const data = base58check.decode(address);
if (data.length !== 21) throw new Error('Invalid base58 address');
// Pay To Public Key Hash
if (data[0] === network.pubKeyHash) {
  return { type: 'pkh', hash: data.slice(1) };
} else if (data[0] === network.scriptHash) {
  return {
    type: 'sh',
    hash: data.slice(1),
  };
}
@paulmillr paulmillr added the bug Something isn't working label May 31, 2023
mahnunchik added a commit to mahnunchik/scure-btc-signer that referenced this issue Jun 19, 2023
@mahnunchik
fix: validate address in addOutputAddress paulmillr#37
93b5e7b
@mahnunchik mahnunchik mentioned this issue Jun 19, 2023
Merged
paulmillr added a commit that referenced this issue Jun 19, 2023
@paulmillr
Merge pull request #43 from mahnunchik/output-address
dd1f96e 
fix: validate address in addOutputAddress #37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@paulmillr @mahnunchik