fix: TON blind sign — stop displaying deprecated fields not in raw_tx#243
Open
BitHighlander wants to merge 2 commits into
Open
fix: TON blind sign — stop displaying deprecated fields not in raw_tx#243BitHighlander wants to merge 2 commits into
BitHighlander wants to merge 2 commits into
Conversation
fsm_msgTonSignTx displayed to_address and amount from deprecated proto fields that are NOT included in the raw_tx bytes being signed. A malicious host could show one transfer on screen while getting a different transaction signed — identical CVE pattern to TronSignTx. Replace with a single blind-sign prompt showing only the raw_tx byte count.
deps/device-protocol → 8ef74da (feat(ripple): memo + THORChain routing) deps/python-keepkey → bf870e6 (7.14.2: XRP memo + EVM depositWithExpiry + msg-signing)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
fsm_msgTonSignTxdisplayedto_addressandamountfrom theTonSignTxmessage's optional fields. These fields are deprecated convenience metadata — they are not bound toraw_tx(the bytes actually signed by Ed25519). An attacker can supply a different address/amount in those fields while embedding entirely different instructions inraw_tx.to_address/amountfields.raw_tx:"Sign %u-byte TON transaction?"— forces the user to acknowledge they are signing raw bytes they cannot inspect on-device.fix/tron-blind-sign).Files Changed
lib/firmware/fsm_msg_ton.h— remove deprecated field display, add raw blind-sign confirmationTest Plan
raw_txis still signed correctly after the confirmation change