Skip to content

feat(sdk-core): pass buildParams in /tx/send for UTXO and account-based coins#8233

Draft
derranW26 wants to merge 5 commits intomasterfrom
WP-8015-pass-buildparams-in-tx-send
Draft

feat(sdk-core): pass buildParams in /tx/send for UTXO and account-based coins#8233
derranW26 wants to merge 5 commits intomasterfrom
WP-8015-pass-buildparams-in-tx-send

Conversation

@derranW26
Copy link

@derranW26 derranW26 commented Mar 3, 2026
edited
Loading

Summary

  • Preserve server-validated buildParams from /tx/build response through the prebuild→sign→send pipeline
  • Forward buildParams fields (e.g. recipients, feeRate, rbfTxIds, maxFee, feeMultiplier, nonce) in the /tx/send request body
  • Enables platform intent verification by matching what was built against what is being sent
  • Changes are coin-agnostic — applies to both UTXO coins (BTC, LTC, BCH, DOGE, ZEC) and account-based coins (ETH, Polygon, BSC, etc.)

Changes

modules/sdk-core/src/bitgo/wallet/wallet.ts

  1. prebuildTransaction(): Capture buildResponse.buildParams before Object.assign overwrites it. Instead of deleting buildParams, preserve server-validated params (falling back to request params if server doesn't return them).

  2. prebuildAndSignTransaction(): After signing, attach buildParams from the prebuild to the signed transaction result so they flow through to sendMany().

  3. sendMany(): Destructure buildParams from the signed transaction and spread its fields into the final send params. User selectParams take precedence over server buildParams for any overlapping fields.

modules/bitgo/test/v2/unit/wallet.ts

UTXO coin tests (WP-8015):

  • prebuildTransaction preserves server-returned buildParams on the result
  • prebuildTransaction falls back to request params when server doesn't return buildParams
  • sendMany includes recipients from server buildParams in /tx/send request
  • sendMany includes RBF fields (rbfTxIds, maxFee, feeMultiplier) in /tx/send request
  • sendMany works when server returns no buildParams (backwards compat)
  • sendMany lets explicit user params override server buildParams

Account-based coin tests (WP-8014):

  • ETH /tx/send has top-level recipients alongside halfSigned with server buildParams
  • ETH /tx/send has top-level recipients via selectParams even without server buildParams
  • ETH /tx/send includes nonce and other fields from server buildParams at top level

modules/sdk-coin-eth/test/unit/ethWallet.ts

  • Updated ETH hop transaction test to expect buildParams on prebuild result (no longer deleted)

Test plan

  • Existing wallet unit tests pass (no regressions)
  • New UTXO tests verify buildParams flow
  • New account-based coin tests verify recipients at top level alongside halfSigned
  • Verify /tx/send request body contains recipients for both UTXO and account-based sendMany calls

WP-8015, WP-8014

derranW26 added 3 commits March 3, 2026 11:34
@derranW26
feat(sdk-core): pass server buildParams through prebuild→sign→send pi…
ac1e04c 
…peline for UTXO coins

Preserve server-validated buildParams from /tx/build response and forward
them in the /tx/send request body, enabling platform intent verification
for UTXO coins (BTC, LTC, BCH, DOGE, ZEC).

WP-8015

TICKET: WP-8015
@derranW26
fix(bitgo): add non-null assertions for buildParams in tests
5125153 
TypeScript strict checks require null guards before accessing the
optional buildParams property on PrebuildTransactionResult.

WP-8015

TICKET: WP-8015
@derranW26
fix(sdk-coin-eth): update test to expect buildParams on prebuild result
ac58a01 
prebuildTransaction now preserves buildParams on the result instead of
deleting them, so update the ETH hop transaction test assertion from
should.not.exist to should.exist.

WP-8015

TICKET: WP-8015
@derranW26 derranW26 marked this pull request as ready for review March 3, 2026 23:48
@derranW26 derranW26 requested review from a team as code owners March 3, 2026 23:48
@derranW26
test(bitgo): add account-based coin tests for buildParams pass-through
e1c5a9a 
Verify that recipients appears at the top level of /tx/send request
body for account-based coins (ETH) alongside halfSigned, confirming
WP-8014 is covered by the coin-agnostic WP-8015 changes.

Tests cover:
- recipients at top level with server buildParams (ETH halfSigned)
- recipients at top level via selectParams without server buildParams
- nonce and other fields from server buildParams at top level

WP-8014

TICKET: WP-8015
@derranW26 derranW26 changed the title feat(sdk-core): pass buildParams in /tx/send for UTXO coins feat(sdk-core): pass buildParams in /tx/send for UTXO and account-based coins Mar 4, 2026
@sachushaji
Copy link
Contributor

sachushaji commented Mar 4, 2026

@claude

kaustubhbitgo
kaustubhbitgo previously approved these changes Mar 4, 2026
View reviewed changes
OttoAllmendinger
OttoAllmendinger requested changes Mar 4, 2026
View reviewed changes
Copy link
Contributor

@OttoAllmendinger OttoAllmendinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see slack

@derranW26
fix(sdk-core): revert server buildParams forwarding, keep user-param …
b794c91 
…tests

Revert the production changes that forwarded server-returned buildParams
through the prebuild→sign→send pipeline. Per BitGo security architecture
(mutual distrust principle), the SDK must not forward WP-provided data
back to WP — a compromised WP could rewrite recipients.

Recipients already appear at the top level of /tx/send via selectParams
(the user's original params) for both UTXO and account-based coins.
New tests verify this existing behavior.

WP-8015, WP-8014

TICKET: WP-8015
@mohammadalfaiyazbitgo mohammadalfaiyazbitgo marked this pull request as draft March 4, 2026 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@OttoAllmendinger OttoAllmendinger OttoAllmendinger requested changes

@kaustubhbitgo kaustubhbitgo kaustubhbitgo left review comments

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo Awaiting requested review from mohammadalfaiyazbitgo mohammadalfaiyazbitgo is a code owner automatically assigned from BitGo/wallet-core

@KaustubhPatange KaustubhPatange Awaiting requested review from KaustubhPatange

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@derranW26 @sachushaji @OttoAllmendinger @KaustubhPatange @kaustubhbitgo