fix(bridge): block cross-chain destination backed by random key#88
Open
graysonhyc wants to merge 1 commit into
Open
fix(bridge): block cross-chain destination backed by random key#88graysonhyc wants to merge 1 commit into
graysonhyc wants to merge 1 commit into
Conversation
When a wallet was imported via single-curve private key (`zerion wallet import --evm-key` or `--sol-key`), OWS generates a random key for the other curve so the wallet still exposes both EVM and Solana addresses. `exportWallet` returns only the imported secret — the random key is not recoverable outside the CLI vault. Bridge auto-derived the cross-chain receiver from the source wallet's other-curve address. For EVM-key wallets bridging to Solana (and the reverse), this silently sent funds to an address the user could only sign for from this CLI. Lose the vault, lose the funds. Now `resolveDestination` checks wallet origin before falling back to the source wallet or accepting `--to-wallet`. Curve mismatch throws with guidance to pass `--to-address <addr>` to a wallet the user actually controls. Mnemonic and OWS-direct wallets stay permissive (their other-curve keys are real). 4 new tests cover both directions and the explicit-address bypass. Reported by Horjet in user feedback. The `--to-address` flag was already supported; the gap was the auto-derive path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bridge silently sent funds to an unrecoverable address when the source wallet was imported via single-curve private key (
zerion wallet import --evm-keyor--sol-key).OWS's
importWalletPrivateKeyuses the provided key for its curve's chains and generates a random key for the other curve.exportWalletreturns only the originally-imported secret — the random key is locked to the CLI vault. Auto-derived cross-chain destinations sent funds to the random-key address.Fix
resolveDestinationnow checksWALLET_ORIGINbefore falling back to the source wallet or accepting--to-wallet. Curve mismatch throws with guidance to pass--to-address <addr>to a wallet the user actually controls.EVM_KEY--to-addressSOL_KEY--to-addressMNEMONIC--to-address <addr>Repro (before fix)
After fix
Known limitation
Wallets created via
owsCLI directly (bypassingzerion wallet import) have no origin marker and default toMNEMONIC(permissive). OWS-direct wallets actually derive from a real mnemonic so both curves are real, so this default is correct. Pre-featurezerion-imported wallets without an origin marker fall through too — re-import to fix.Reporter
Horjet via user feedback (
--to-addressflag they requested was already there; the actual bug was the auto-derive path).Test plan
npm test— 303 pass, 0 failresolve.test.mjscover EVM_KEY→Solana, SOL_KEY→EVM, both via fallback and via--to-wallet, plus the--to-addressbypass🤖 Generated with Claude Code