Master into rel latest

.iyarc

@@ -75,3 +75,43 @@ GHSA-2w8x-224x-785m
 # - The xmp bypass produces live HTML markup in output, but since we discard all tags and use
 #   the result as plain text in Error messages, there is no DOM rendering path and no XSS risk
 GHSA-rpr9-rxv7-x643
+
+# Excluded because:
+# - CVE affects esbuild's Deno distribution only: binary downloads without SHA-256 integrity verification
+# - BitGoJS is a Node.js project; the Node.js esbuild distribution already includes binaryIntegrityCheck()
+# - esbuild is a dev-time build tool (via babylonlabs-io-btc-staking-ts), not runtime production code
+# - The attacker-controlled NPM_CONFIG_REGISTRY vector does not apply to our controlled CI environment
+GHSA-gv7w-rqvm-qjhr
+
+# Excluded because:
+# - ws: Memory exhaustion DoS by sending many tiny fragments/data chunks to exhaust server memory
+# - Transitive dependency via @cosmjs/socket, @ethersproject/providers, @polkadot/rpc-provider,
+#   jayson, rpc-websockets (via @solana/web3.js), and avalanche — all requiring ws <8.21.0
+# - Our usage is exclusively as a WebSocket CLIENT for blockchain RPC connections, not as a server
+# - The DoS vector requires an attacker to send crafted frames to a ws server we control; we do not
+#   expose any ws server surfaces in production
+GHSA-96hv-2xvq-fx4p
+
+# Excluded because:
+# - form-data: CRLF injection via unescaped multipart field names and filenames
+# - Transitive dependency via superagent (abstract-cosmos, express, supertest) and @aptos-labs/ts-sdk
+# - The injection requires attacker-controlled field names or filenames in multipart requests
+# - All form-data field names and filenames in our codebase are code-controlled constants,
+#   not derived from user input — no untrusted data flows into form field names or filenames
+GHSA-hmw2-7cc7-3qxx
+
+# Excluded because:
+# - protobufjs: DoS through unbounded Any expansion during JSON conversion (parseAny recursion)
+# - Transitive dependency via @cosmjs (abstract-cosmos, babylonlabs-io-btc-staking-ts) and
+#   @hashgraph/proto, @hashgraph/sdk (sdk-coin-hbar) — all requiring protobufjs <=7.5.x
+# - Input to protobuf decoding comes from trusted blockchain RPC responses, not arbitrary user data
+# - Patched version (7.6.1) requires upstream @cosmjs and @hashgraph dependency updates
+GHSA-wcpc-wj8m-hjx6
+
+# Excluded because:
+# - tmp: path traversal via type-confusion in _assertPath (non-string prefix/postfix/template)
+# - Transitive dependency via cypress (web-demo), karma (bitgo module), and lerna/nx (dev tooling)
+# - All usages are dev-time only; tmp is never used in production or runtime code
+# - The prefix/postfix/template args are all hard-coded string constants in calling code,
+#   not user-supplied — the type-confusion vector does not apply
+GHSA-7c78-jf6q-g5cm

CODEOWNERS

@@ -136,6 +136,7 @@
 /modules/sdk-core/src/bitgo/lightning/ @BitGo/btc-team
 /modules/sdk-core/test/unit/bitgo/lightning/ @BitGo/btc-team
 /modules/sdk-core/test/unit/bitgo/wallet/resourceManagement.ts @BitGo/ethalt-team
+/modules/sdk-core/test/unit/bitgo/utils/tss/preHashedSignable.ts @BitGo/ethalt-team
 /modules/sdk-lib-mpc/ @BitGo/wallet-core @BitGo/wallet-core-india @BitGo/hsm
 /modules/deser-lib/ @BitGo/wallet-core @BitGo/wallet-core-india @BitGo/hsm
 /modules/sdk-rpc-wrapper @BitGo/ethalt-team

commitlint.config.js

@@ -75,6 +75,7 @@ module.exports = {
         'WCN-',
         'WCI-',
         'COIN-',
+        'COINS-',
         'COINFLP-',
         'FIAT-',
         'ME-',

modules/abstract-eth/src/abstractEthLikeNewCoins.ts

@@ -41,8 +41,11 @@ import {
   VerifyTransactionOptions,
   Wallet,
   verifyMPCWalletAddress,
+  deriveMPCWalletAddress,
   TssVerifyAddressOptions,
   isTssVerifyAddressOptions,
+  DeriveAddressOptions,
+  DeriveAddressResult,
 } from '@bitgo/sdk-core';
 import { getDerivationPath } from '@bitgo/sdk-lib-mpc';
 import { bip32 } from '@bitgo/secp256k1';
@@ -3040,6 +3043,43 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
     throw new Error(`Base address verification not supported for wallet version ${params.walletVersion}`);
   }
 
+  /**
+   * Locally derive an ETH wallet receive address from a derivation path, using the wallet's
+   * commonKeychain only (no private keys, no network access). The inverse of
+   * {@link isWalletAddress}: it *produces* the address via the same secp256k1 MPC derivation
+   * that isWalletAddress checks against (`deriveMPCWalletAddress` + `KeyPair.getAddress()`),
+   * so derive and verify can never diverge.
+   *
+   * Supports MPC/TSS wallets only (wallet versions 3, 5, 6). Legacy BIP32 forwarder wallets
+   * (versions 1, 2, 4) derive per-index forwarder contract addresses and are handled separately.
+   * @param params keychains (commonKeychain), derivation index, walletVersion, and optional SMC seed
+   * @returns the derived address, the index used, and the HD derivation path
+   */
+  async deriveAddress(params: DeriveAddressOptions): Promise<DeriveAddressResult> {
+    const isMpcWallet = params.walletVersion === 3 || params.walletVersion === 5 || params.walletVersion === 6;
+    if (!isMpcWallet) {
+      throw new Error(
+        `deriveAddress currently supports only MPC/TSS ETH wallets (wallet versions 3, 5, 6). ` +
+          `Legacy BIP32 forwarder wallets (versions 1, 2, 4) are not yet supported. ` +
+          `Got walletVersion ${params.walletVersion}.`
+      );
+    }
+
+    const { address, derivationPath } = await deriveMPCWalletAddress(
+      {
+        // extractCommonKeychain validates the commonKeychain is present at runtime
+        keychains: (params.keychains ?? []) as TssVerifyAddressOptions['keychains'],
+        index: params.index,
+        derivedFromParentWithSeed: params.derivedFromParentWithSeed,
+        multisigTypeVersion: params.multisigTypeVersion,
+        keyCurve: 'secp256k1',
+      },
+      (pubKey) => new KeyPairLib({ pub: pubKey }).getAddress()
+    );
+
+    return { address, index: params.index, derivationPath };
+  }
+
   /**
    *
    * @param {TransactionPrebuild} txPrebuild

modules/abstract-utxo/src/abstractUtxoCoin.ts

@@ -41,6 +41,8 @@ import {
   Wallet,
   isValidPrv,
   isValidXprv,
+  DeriveAddressOptions,
+  DeriveAddressResult,
 } from '@bitgo/sdk-core';
 
 import {
@@ -75,7 +77,7 @@ import {
 } from './transaction/descriptor/verifyTransaction';
 import { assertDescriptorWalletAddress, getDescriptorMapFromWallet, isDescriptorWallet } from './descriptor';
 import { getFullNameFromCoinName, getMainnetCoinName, isMainnetCoin, UtxoCoinName, UtxoCoinNameMainnet } from './names';
-import { assertFixedScriptWalletAddress } from './address/fixedScript';
+import { assertFixedScriptWalletAddress, generateAddress } from './address/fixedScript';
 import { ParsedTransaction } from './transaction/types';
 import { decodeDescriptorPsbt, decodePsbt, encodeTransaction, stringToBufferTryFormats } from './transaction/decode';
 import { fetchKeychains, toBip32Triple, UtxoKeychain } from './keychains';
@@ -716,6 +718,35 @@ export abstract class AbstractUtxoCoin extends BaseCoin implements Musig2Partici
     return true;
   }
 
+  /**
+   * Locally derive a fixed-script (2-of-3 multisig) wallet receive address from the xpub triple
+   * and a chain/index, using public keys only (no private keys, no network access). This is the
+   * inverse of {@link isWalletAddress}, delegating to the same `generateAddress` used by the
+   * verification path, so derive and verify can never diverge.
+   *
+   * The `chain` code selects the script type (e.g. 0/1 = P2SH, 20/21 = P2WSH/bech32, 30/31 = P2TR);
+   * an optional `format` overrides the address encoding.
+   * @param params keychains (xpub triple via `pub`), chain, index, and optional format
+   * @returns the derived address and the chain/index used
+   */
+  async deriveAddress(params: DeriveAddressOptions): Promise<DeriveAddressResult> {
+    const { keychains, chain, index, format } = params;
+
+    if (!keychains) {
+      throw new Error('missing required param keychains');
+    }
+
+    const address = generateAddress(this.name, {
+      // fixed-script (multisig) coins derive from the xpub triple via `pub`
+      keychains: keychains as { pub: string }[],
+      chain,
+      index,
+      format,
+    });
+
+    return { address, chain, index };
+  }
+
   /**
    * @param addressType
    * @returns true iff coin supports spending from unspentType

modules/abstract-utxo/test/unit/address.ts

@@ -5,7 +5,7 @@ import { fixedScriptWallet } from '@bitgo/wasm-utxo';
 
 import { assertFixedScriptWalletAddress, generateAddress } from '../../src';
 
-import { keychainsBase58 } from './util';
+import { getUtxoCoin, keychainsBase58 } from './util';
 
 const keychains = keychainsBase58.map((k) => ({ pub: k.pub }));
 
@@ -202,3 +202,30 @@ describe('assertFixedScriptWalletAddress', function () {
     });
   });
 });
+
+describe('AbstractUtxoCoin.deriveAddress', function () {
+  const coin = getUtxoCoin('btc');
+
+  // Bullish scope: legacy P2SH (chain 0) + bech32 P2WSH (chain 20).
+  for (const { label, chain } of [
+    { label: 'legacy P2SH', chain: 0 },
+    { label: 'bech32 P2WSH', chain: 20 },
+  ]) {
+    it(`derives the ${label} address (chain ${chain}) matching generateAddress`, async function () {
+      const result = await coin.deriveAddress({ keychains, chain, index: 0 });
+      result.address.should.equal(generateAddress('btc', { keychains, chain, index: 0 }));
+      result.chain!.should.equal(chain);
+      result.index!.should.equal(0);
+    });
+
+    it(`round-trips with isWalletAddress for ${label} (chain ${chain})`, async function () {
+      const { address } = await coin.deriveAddress({ keychains, chain, index: 3 });
+      const verified = await coin.isWalletAddress({ address, keychains, chain, index: 3 });
+      verified.should.equal(true);
+    });
+  }
+
+  it('throws if keychains are missing', async function () {
+    await assert.rejects(async () => coin.deriveAddress({ chain: 0, index: 0 }), /keychains/);
+  });
+});

modules/express/src/clientRoutes.ts

@@ -721,6 +721,20 @@ export async function handleV2IsWalletAddress(
   return await wallet.baseCoin.isWalletAddress(req.decoded as any);
 }
 
+/**
+ * handle v2 deriveAddress - locally derive and return a wallet receive address from a
+ * derivation path, using public key material only.
+ *
+ * Offline by design: operates purely on the request body (keychains + chain/index), with no
+ * `wallets().get` lookup and no network access. The inverse of {@link handleV2IsWalletAddress}.
+ * @param req
+ */
+export async function handleV2DeriveAddress(req: ExpressApiRouteRequest<'express.v2.address.derive', 'post'>) {
+  const bitgo = req.bitgo;
+  const coin = bitgo.coin(req.decoded.coin);
+  return await coin.deriveAddress(req.decoded as any);
+}
+
 /**
  * handle v2 approve transaction
  * @param req
@@ -1963,6 +1977,7 @@ export function setupAPIRoutes(app: express.Application, config: Config): void {
     prepareBitGo(config),
     typedPromiseWrapper(handleV2IsWalletAddress),
   ]);
+  router.post('express.v2.address.derive', [prepareBitGo(config), typedPromiseWrapper(handleV2DeriveAddress)]);
 
   router.post('express.wallet.share', [prepareBitGo(config), typedPromiseWrapper(handleV2ShareWallet)]);
   app.post(

modules/express/src/typedRoutes/api/index.ts

@@ -58,6 +58,7 @@ import { PostWalletEnableTokens } from './v2/walletEnableTokens';
 import { PostWalletSweep } from './v2/walletSweep';
 import { PostWalletAccelerateTx } from './v2/walletAccelerateTx';
 import { PostIsWalletAddress } from './v2/isWalletAddress';
+import { PostDeriveAddress } from './v2/deriveAddress';
 import { GetAccountResources } from './v2/accountResources';
 import { GetResourceDelegations } from './v2/resourceDelegations';
 import { PostDelegateResources } from './v2/delegateResources';
@@ -235,6 +236,12 @@ export const ExpressV2WalletIsWalletAddressApiSpec = apiSpec({
   },
 });
 
+export const ExpressV2AddressDeriveApiSpec = apiSpec({
+  'express.v2.address.derive': {
+    post: PostDeriveAddress,
+  },
+});
+
 export const ExpressV2WalletSendManyApiSpec = apiSpec({
   'express.wallet.sendmany': {
     post: PostSendMany,
@@ -399,6 +406,7 @@ export type ExpressApi = typeof ExpressPingApiSpec &
   typeof ExpressWalletFanoutUnspentsApiSpec &
   typeof ExpressV2WalletCreateAddressApiSpec &
   typeof ExpressV2WalletIsWalletAddressApiSpec &
+  typeof ExpressV2AddressDeriveApiSpec &
   typeof ExpressKeychainLocalApiSpec &
   typeof ExpressKeychainChangePasswordApiSpec &
   typeof ExpressLightningWalletPaymentApiSpec &
@@ -444,6 +452,7 @@ export const ExpressApi: ExpressApi = {
   ...ExpressV2WalletCreateAddressApiSpec,
   ...ExpressV2WalletConsolidateAccountApiSpec,
   ...ExpressV2WalletIsWalletAddressApiSpec,
+  ...ExpressV2AddressDeriveApiSpec,
   ...ExpressKeychainLocalApiSpec,
   ...ExpressKeychainChangePasswordApiSpec,
   ...ExpressLightningWalletPaymentApiSpec,

modules/express/src/typedRoutes/api/v2/deriveAddress.ts

@@ -0,0 +1,96 @@
+import * as t from 'io-ts';
+import { httpRoute, httpRequest, optional } from '@api-ts/io-ts-http';
+import { BitgoExpressError } from '../../schemas/error';
+import { CreateAddressFormat } from '../../schemas/address';
+
+/**
+ * Path parameters for locally deriving a wallet address
+ */
+export const DeriveAddressParams = {
+  /** Blockchain identifier (e.g., 'btc', 'eth', 'tbtc', 'teth', 'sol') */
+  coin: t.string,
+} as const;
+
+/**
+ * A keychain entry for local derivation. Public key material only — no private keys.
+ * Modelled as a union so a keychain must carry at least one of `pub` / `commonKeychain`:
+ * - `pub` (xpub) for BIP32 multisig coins (UTXO, legacy EVM)
+ * - `commonKeychain` for TSS/MPC coins (SOL, EVM MPC) — identical across keychains
+ *
+ * (A keychain may legitimately carry both; TSS keychains commonly do.)
+ */
+export const DeriveAddressKeychainCodec = t.union([t.type({ pub: t.string }), t.type({ commonKeychain: t.string })]);
+
+/**
+ * Request body for locally deriving a wallet receive address
+ */
+export const DeriveAddressBody = {
+  /**
+   * Keychains for derivation (public key material only).
+   * BIP32 multisig: the user/backup/bitgo xpub triple via `pub`.
+   * TSS/MPC: the `commonKeychain`.
+   */
+  keychains: t.array(DeriveAddressKeychainCodec),
+  /** Derivation index for the address (caller-supplied; the endpoint is stateless) */
+  index: t.number,
+  /** Derivation chain code: UTXO script-type / external(0) vs internal(1) selector */
+  chain: optional(t.number),
+  /** Address format override (e.g. 'p2sh', 'p2wsh' for UTXO; 'cashaddr' / 'base58') */
+  format: optional(CreateAddressFormat),
+  /** Wallet version, to disambiguate derivation strategy (e.g. EVM forwarder vs MPC) */
+  walletVersion: optional(t.number),
+  /**
+   * Seed from the user keychain's derivedFromParentWithSeed field (SMC TSS wallets);
+   * makes the derivation path `{prefix}/{index}` instead of `m/{index}`.
+   */
+  derivedFromParentWithSeed: optional(t.string),
+} as const;
+
+/**
+ * Response for locally deriving a wallet address
+ */
+export const DeriveAddressResponse = {
+  /** The derived address and related derivation info */
+  200: t.intersection([
+    t.type({
+      /** The derived address */
+      address: t.string,
+      /** The derivation index used */
+      index: t.number,
+    }),
+    t.partial({
+      /** The derivation chain code used */
+      chain: t.number,
+      /** Coin-specific address data (e.g. redeemScript/witnessScript for UTXO) */
+      coinSpecific: t.UnknownRecord,
+      /** The HD derivation path actually used */
+      derivationPath: t.string,
+    }),
+  ]),
+  /** Invalid request parameters or derivation failed */
+  400: BitgoExpressError,
+} as const;
+
+/**
+ * Locally derive and return a wallet receive address from a derivation path.
+ *
+ * Unlike `iswalletaddress` (which checks a candidate address), this *produces* the address
+ * offline from public key material only — the xpub triple for BIP32 multisig coins, or the
+ * commonKeychain for TSS/MPC coins. No private keys, no wallet lookup, and no network access:
+ * the handler operates purely on the request body and can run in an air-gapped Express.
+ *
+ * Pairs with `iswalletaddress` for a derive→verify round-trip: derive the address here, then
+ * verify it against the same keychains to independently confirm correctness.
+ *
+ * @operationId express.v2.address.derive
+ * @tag Express
+ */
+export const PostDeriveAddress = httpRoute({
+  path: '/api/v2/{coin}/address/derive',
+  method: 'POST',
+  request: httpRequest({
+    params: DeriveAddressParams,
+    body: DeriveAddressBody,
+  }),
+  response: DeriveAddressResponse,
+});