feat: verify psbt withdraw lightning

TICKET: BTC-2470

Author: parvbitgo067

modules/abstract-lightning/src/codecs/api/withdraw.ts

@@ -1,6 +1,7 @@
 import * as t from 'io-ts';
 import { LightningOnchainRequest, optionalString } from '@bitgo/public-types';
 import { PendingApprovalData, TxRequestState } from '@bitgo/sdk-core';
+import { Bip32Derivation } from 'bip174/src/lib/interfaces';
 
 export const WithdrawStatusDelivered = 'delivered';
 export const WithdrawStatusFailed = 'failed';
@@ -124,3 +125,10 @@ export const SendPsbtResponse = t.intersection(
   'SendPsbtResponse'
 );
 export type SendPsbtResponse = t.TypeOf<typeof SendPsbtResponse>;
+
+export type WithdrawBaseOutputUTXO<TNumber extends number | bigint = number> = {
+  value: TNumber;
+  change: boolean;
+  address: string;
+  bip32Derivation?: Bip32Derivation;
+};

modules/abstract-lightning/src/lightning/index.ts

@@ -1,3 +1,4 @@
 export * from './signableJson';
 export * from './signature';
 export * from './lightningUtils';
+export * from './parseWithdrawPsbt';

modules/abstract-lightning/src/lightning/parseWithdrawPsbt.ts

@@ -0,0 +1,145 @@
+import * as utxolib from '@bitgo/utxo-lib';
+import { Psbt } from '@bitgo/utxo-lib';
+import { WatchOnlyAccount, WithdrawBaseOutputUTXO } from '../codecs';
+import { LightningOnchainRecipient } from '@bitgo/public-types';
+import { Bip32Derivation } from 'bip174/src/lib/interfaces';
+
+function parseDerivationPath(derivationPath: string): {
+  purpose: number;
+  change: number;
+  addressIndex: number;
+} {
+  const pathSegments = derivationPath.split('/');
+  const purpose = Number(pathSegments[1].replace(/'/g, ''));
+  const change = Number(pathSegments[pathSegments.length - 2]);
+  const addressIndex = Number(pathSegments[pathSegments.length - 1]);
+  return { purpose, change, addressIndex };
+}
+
+function parsePsbtOutputs(psbt: Psbt, network: utxolib.Network): WithdrawBaseOutputUTXO<bigint>[] {
+  const parsedOutputs: WithdrawBaseOutputUTXO<bigint>[] = [];
+  let bip32Derivation: Bip32Derivation | undefined;
+
+  for (let i = 0; i < psbt.data.outputs.length; i++) {
+    const output = psbt.data.outputs[i];
+    const txOutput = psbt.txOutputs[i];
+
+    let address = '';
+    const value = txOutput.value;
+    let isChange = false;
+
+    if (output.bip32Derivation && output.bip32Derivation.length > 0) {
+      isChange = true;
+      bip32Derivation = output.bip32Derivation[0];
+    }
+    if (txOutput.script) {
+      address = utxolib.address.fromOutputScript(txOutput.script, network);
+    }
+    const valueBigInt = BigInt(value);
+
+    parsedOutputs.push({
+      address,
+      value: valueBigInt,
+      change: isChange,
+      bip32Derivation,
+    });
+  }
+
+  return parsedOutputs;
+}
+
+function verifyChangeAddress(
+  output: WithdrawBaseOutputUTXO<bigint>,
+  accounts: WatchOnlyAccount[],
+  network: utxolib.Network
+): void {
+  if (!output.bip32Derivation || !output.bip32Derivation.path) {
+    throw new Error(`bip32Derivation path not found for change address`);
+  }
+  // derivation path example: m/84'/0'/0'/1/0
+  const { purpose, change, addressIndex } = parseDerivationPath(output.bip32Derivation.path);
+
+  // Find the corresponding account using the purpose
+  const account = accounts.find((acc) => acc.purpose === purpose);
+  if (!account) {
+    throw new Error(`Account not found for purpose: ${purpose}`);
+  }
+
+  // Create a BIP32 node from the xpub
+  const xpubNode = utxolib.bip32.fromBase58(account.xpub, network);
+
+  // Derive the public key from the xpub using the change and address index
+  const derivedPubkey = xpubNode.derive(change).derive(addressIndex).publicKey;
+
+  if (derivedPubkey.toString('hex') !== output.bip32Derivation.pubkey.toString('hex')) {
+    throw new Error(
+      `Derived pubkey does not match for address: ${output.address}, derived: ${derivedPubkey.toString(
+        'hex'
+      )}, expected: ${output.bip32Derivation.pubkey.toString('hex')}`
+    );
+  }
+
+  // Determine the correct payment type based on the purpose
+  let derivedAddress: string | undefined;
+  switch (purpose) {
+    case 49: // P2SH-P2WPKH (Nested SegWit)
+      derivedAddress = utxolib.payments.p2sh({
+        redeem: utxolib.payments.p2wpkh({
+          pubkey: derivedPubkey,
+          network,
+        }),
+        network,
+      }).address;
+      break;
+    case 84: // P2WPKH (Native SegWit)
+      derivedAddress = utxolib.payments.p2wpkh({
+        pubkey: derivedPubkey,
+        network,
+      }).address;
+      break;
+    case 86: // P2TR (Taproot)
+      derivedAddress = utxolib.payments.p2tr({
+        pubkey: derivedPubkey,
+        network,
+      }).address;
+      break;
+    default:
+      throw new Error(`Unsupported purpose: ${purpose}`);
+  }
+
+  if (derivedAddress !== output.address) {
+    throw new Error(`invalid change address: expected ${derivedAddress}, got ${output.address}`);
+  }
+}
+
+/**
+ * Validates the funded psbt before creating the signatures for withdraw.
+ */
+export function validatePsbtForWithdraw(
+  psbtHex: string,
+  network: utxolib.Network,
+  recipients: LightningOnchainRecipient[],
+  accounts: WatchOnlyAccount[]
+): void {
+  const parsedPsbt = Psbt.fromHex(psbtHex, { network: network });
+  const outputs = parsePsbtOutputs(parsedPsbt, network);
+  outputs.forEach((output) => {
+    if (output.change) {
+      try {
+        verifyChangeAddress(output, accounts, network);
+      } catch (e: any) {
+        throw new Error(`Unable to verify change address: ${e}`);
+      }
+    } else {
+      let match = false;
+      recipients.forEach((recipient) => {
+        if (recipient.address === output.address && BigInt(recipient.amountSat) === output.value) {
+          match = true;
+        }
+      });
+      if (!match) {
+        throw new Error(`PSBT output ${output.address} with value ${output.value} does not match any recipient`);
+      }
+    }
+  });
+}

modules/abstract-lightning/src/wallet/lightning.ts

@@ -10,7 +10,12 @@ import {
   decodeOrElse,
 } from '@bitgo/sdk-core';
 import * as t from 'io-ts';
-import { createMessageSignature, unwrapLightningCoinSpecific } from '../lightning';
+import {
+  createMessageSignature,
+  getUtxolibNetwork,
+  unwrapLightningCoinSpecific,
+  validatePsbtForWithdraw,
+} from '../lightning';
 import {
   CreateInvoiceBody,
   Invoice,
@@ -28,6 +33,7 @@ import {
   ListInvoicesResponse,
   ListPaymentsResponse,
   LndCreateWithdrawResponse,
+  WatchOnly,
 } from '../codecs';
 import { LightningPaymentIntent, LightningPaymentRequest } from '@bitgo/public-types';
 
@@ -364,6 +370,32 @@ export class LightningWallet implements ILightningWallet {
       throw new Error(`serialized txHex is missing`);
     }
 
+    const walletData = this.wallet.toJSON();
+    if (!walletData.coinSpecific.watchOnlyAccounts) {
+      throw new Error(`wallet is missing watch only accounts`);
+    }
+
+    const watchOnlyAccountDetails = decodeOrElse(
+      WatchOnly.name,
+      WatchOnly,
+      walletData.coinSpecific.watchOnlyAccounts,
+      (errors) => {
+        throw new Error(`invalid watch only accounts, error: ${errors}`);
+      }
+    );
+    const network = getUtxolibNetwork(this.wallet.coin());
+
+    try {
+      validatePsbtForWithdraw(
+        transactionRequestCreate.transactions[0].unsignedTx.serializedTxHex,
+        network,
+        params.recipients,
+        watchOnlyAccountDetails.accounts
+      );
+    } catch (err: any) {
+      throw new Error(`error validating withdraw psbt: ${err}`);
+    }
+
     const { userAuthKey } = await getLightningAuthKeychains(this.wallet);
     const userAuthKeyEncryptedPrv = userAuthKey.encryptedPrv;
     if (!userAuthKeyEncryptedPrv) {