Use native code for validating VAAs

Author: thmzlt

package-lock.json

@@ -17,9 +17,11 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@types/jest": "^29.4.0",
+    "@types/keccak": "^3.0.1",
     "@types/long": "^4.0.1",
     "@types/node": "^16.6.1",
     "@types/node-fetch": "^2.6.2",
+    "@types/secp256k1": "^4.0.3",
     "@types/supertest": "^2.0.12",
     "jest": "^29.4.0",
     "prettier": "^2.3.2",
@@ -41,16 +43,17 @@
     "@types/ws": "^8.5.3",
     "cors": "^2.8.5",
     "dotenv": "^10.0.0",
-    "ethers": "^5.4.4",
     "express": "^4.17.2",
     "express-validation": "^4.0.1",
     "http-status-codes": "^2.2.0",
     "joi": "^17.6.0",
+    "keccak": "^3.0.3",
     "lru-cache": "^7.14.1",
     "morgan": "^1.10.0",
     "node-fetch": "^2.6.1",
     "prom-client": "^14.0.1",
     "response-time": "^2.3.2",
+    "secp256k1": "^5.0.0",
     "ts-retry-promise": "^0.7.0",
     "winston": "^3.3.3",
     "ws": "^8.12.0"

price_service/server/package.json

@@ -0,0 +1,46 @@
+import { isValidVaa } from "../vaa";
+import { GuardianSignature, parseVaa } from "@certusone/wormhole-sdk";
+import { randomBytes } from "crypto";
+
+const VAA = Buffer.from(
+  "AQAAAAMNABIL4Zs/yZlmGGUiAZujW8PMYR2ffWKTcuSNMRL+Yr3uQrVO1qxLToA8iksg/NWfsD3NeMSJujxSgd4fnjmqtSYBAiP92Eci7vsIVouS93bSack2bYg5ERXxZpcTb9LSWpEmILv62jbAd1HcbWu1w8WVbm++nqgbHH5S8eUY57QytegABIBcyvERWN2j9kb74zvQy+AEfXW6wjbrRKzlMvOUaKYpMG9nRzXkxd6wehsVFgV+i3G/lykR1hcrvgIczEPCuIYACPApsIJGheEpt/VQ4d36Tc0ZMzqq/kw1mTDJ8eKHikHeL8yFfo+Q9PtYK0CF1UYTKVpl32kFTtU+ubdKM7oVHMYBCiw25jnpX5+KOzxSTy+9Q5ovM3zqcN3yJBSbF80VL9N2AnehBhMTr1DylzpcYppdly4w/Iz5OHFGoZqT8dVgeY0AC0MseKj4EN0XUIGj8kXQ0CZKczfxywJPiueGTkAD6VkAOwpxnfZu212yXHAbojECKqtRCvb4UobTu+RK0pyemb0BDJKvSJ8RALV4CAGGWiS7XzHfa+/SxzCB6zxUsiOh0FGGEZBK+6i//7YUY83TOXp5SZzDGA0aH5tLXd6peL6np4ABDeHulcBX2LA1cIpmH+nqQLRq5zDPlKNBa6RVwHQUBVotBAWnCoTjOv+8xPZssl7r/BidPUbdu7j+0MGB/4/Oh6wBDub405biSsppFuBFxrBuFrJJdnsf3NvU5TWKF61aZKFtcWpxzyxNDsB3Nd7g+QYafiMkyL4okvvcthYaoiEzwX0BD1qhc5333/TKKbInkZcsitd0F/isWptZygRNqsh29f/xNuFyD4915mNWtsx3OaRAAkPcq21YzJb7ObzUB0OjhVcBEK46eqvVfpDHkF/w6+GWKACsICaAdgwDkmEwrCxXY2BgJe7cXkmDGl0Sfl8836AHd5OBwIC7g7EldFkLUanUUUwAEWpFfXwzaAnMQp+bO3RHKnpbPvJgKacjxFaCExe7dNkvYcVQ4UEC13QqIK3k7egZpHZp45O9AXfwmtpbBlJAvlgAEgu9te25pvTJ2alsQsxicrf5QyhDT7P6Ywr2WbNUnsfXKPFPC3U1P3G1yQOIjbUhrFtYkEGQ1+uZ4rNxsq2CchwBZGbcRwAAAAAAGvjNI8KrkSN3MHcLvqCNYQBc3aCYQ0jz9u7LVZY4wLugAAAAABlYLUwBUDJXSAADAAEAAQIABQCdLvoSNauGwJNctCSxAr5PIX500RCd+edd+oM4/A8JCHgvlYYrBFZwzSK+4xFMOXY6Sgi+62Y7FF0oPDHX0RAcTwAAAActs1rgAAAAAAFPo9T////4AAAABy9GhdAAAAAAARhiQwEAAAARAAAAFwAAAABkZtxHAAAAAGRm3EcAAAAAZGbcRgAAAActwjt4AAAAAAFAwzwAAAAAZGbcRkjWAz1zPieVDC4DUeJQVJHNkVSCT3FtlRNRTHS5+Y9YPdK2NoakUOxykN86HgtYPASB9lE1Ht+nY285rtVc+KMAAAACruGVUAAAAAAAv9F3////+AAAAAKux0rYAAAAAAC3HSIBAAAAFQAAABwAAAAAZGbcRwAAAABkZtxHAAAAAGRm3EYAAAACruGVUAAAAAAAv9F3AAAAAGRm3EY1FbOGHo/pPl9UC6QHfCFkBHgrhtXngHezy/0nMTqzvOYt9si0qF/hpn20TcEt5dszD3rGa3LcZYr+3w9KQVtDAAACcHgoTeAAAAAAJ08r4P////gAAAJwomgKAAAAAAAiQ9syAQAAABUAAAAfAAAAAGRm3EcAAAAAZGbcRwAAAABkZtxGAAACcHOoRAAAAAAAJlVaXAAAAABkZtxGm19z4AdefXA3YBIYDdupQnL2jYXq5BBOM1VhyYIlPUGhnQSsaWx6ZhbSkcfl0Td8yL5DfDJ7da213ButdF/K6AAAAAAE4NsJAAAAAAABWWT////4AAAAAATkLakAAAAAAAEvVQEAAAALAAAACwAAAABkZtxHAAAAAGRm3EcAAAAAZGbcRgAAAAAE4NsJAAAAAAABWWQAAAAAZGbcRuh2/NEwrdiYSjOqtSrza8G5+CLJ6+N286py1jCXThXw3O9Q3QpM0tzBfkXfFnbcszahGmHGnfegKZsBUMZy0lwAAAAAAG/y7wAAAAAAABJP////+AAAAAAAb/S7AAAAAAAAEfUBAAAAFQAAAB4AAAAAZGbcRwAAAABkZtxHAAAAAGRm3EYAAAAAAG/zhgAAAAAAABLmAAAAAGRm3EY=",
+  "base64"
+);
+
+describe("VAA validation works", () => {
+  test("with valid signatures", async () => {
+    let parsedVaa = parseVaa(VAA);
+
+    expect(isValidVaa(parsedVaa, "mainnet")).toBe(true);
+  });
+
+  test("with a wrong address", async () => {
+    let parsedVaa = parseVaa(VAA);
+    const vaaIndex = 8;
+    const setIndex1 = 4;
+    const setIndex2 = 5;
+
+    // Replace the signature from guardian at setIndex1 with the one from
+    // setIndex2.
+    parsedVaa.guardianSignatures[vaaIndex] = {
+      index: setIndex1,
+      signature: parsedVaa.guardianSignatures[setIndex2].signature,
+    };
+
+    expect(isValidVaa(parsedVaa, "mainnet")).toBe(false);
+  });
+
+  test("with an invalid signature", async () => {
+    let parsedVaa = parseVaa(VAA);
+    const vaaIndex = 8;
+    const setIndex = 4;
+
+    // Inject a random buffer as the signature of the guardian at setIndex.
+    parsedVaa.guardianSignatures[vaaIndex] = {
+      index: setIndex,
+      signature: randomBytes(65), // invalid signature
+    };
+
+    expect(isValidVaa(parsedVaa, "mainnet")).toBe(false);
+  });
+});

price_service/server/src/__tests__/vaa.test.ts

@@ -3,7 +3,6 @@ import { Listener } from "./listen";
 import { initLogger } from "./logging";
 import { PromClient } from "./promClient";
 import { RestAPI } from "./rest";
-import { wormholeClusterFromString } from "./vaa";
 import { WebSocketAPI } from "./ws";
 
 let configFile: string = ".env";

price_service/server/src/index.ts

@@ -17,7 +17,6 @@ import {
   PriceAttestation,
 } from "@pythnetwork/wormhole-attester-sdk";
 import { HexString, PriceFeed } from "@pythnetwork/price-service-sdk";
-import { ethers } from "ethers";
 import LRUCache from "lru-cache";
 import { DurationInSec, sleep, TimestampInSec } from "./helpers";
 import { logger } from "./logging";

price_service/server/src/listen.ts

@@ -1,6 +1,8 @@
+import { logger } from "./logging";
 import { ParsedVaa } from "@certusone/wormhole-sdk";
 import { GuardianSet } from "@certusone/wormhole-spydk/lib/cjs/proto/publicrpc/v1/publicrpc";
-import { ethers } from "ethers";
+import * as secp256k1 from "secp256k1";
+import * as keccak from "keccak";
 
 const WormholeClusters = ["localnet", "testnet", "mainnet"] as const;
 export type WormholeCluster = typeof WormholeClusters[number];
@@ -58,16 +60,59 @@ export function isValidVaa(vaa: ParsedVaa, cluster: WormholeCluster): boolean {
     return false;
   }
 
-  const digest = ethers.utils.keccak256(vaa.hash);
+  // It's not possible to call a signature verification function directly
+  // because we only have the addresses of the guardians and not their public
+  // keys. Instead, we compare the address extracted from the public key that
+  // signed the VAA with the corresponding address stored in the guardian set.
 
-  let validVaa = true;
-  vaa.guardianSignatures.forEach((sig) => {
-    if (
-      ethers.utils.recoverAddress(digest, sig.signature) !==
-      currentGuardianSet.addresses[sig.index]
-    )
-      validVaa = false;
-  });
+  const messageHash = keccak.default("keccak256").update(vaa.hash).digest();
+  let counter = 0;
 
-  return validVaa;
+  try {
+    vaa.guardianSignatures.forEach((sig) => {
+      // Each signature is a 65-byte secp256k1 signature with the recovery ID at
+      // the last byte. It is not the compact representation from EIP-2098.
+      const recoveryID = sig.signature[64] % 2;
+      const signature = sig.signature.slice(0, 64);
+      const publicKey = Buffer.from(
+        secp256k1.ecdsaRecover(signature, recoveryID, messageHash, false)
+      );
+      // The first byte of the public key is the prefix (0x03 or 0x04)
+      // indicating if the public key is compressed. Remove it before hashing.
+      const publicKeyHash = keccak
+        .default("keccak256")
+        .update(publicKey.slice(1))
+        .digest();
+      // The last 20 bytes of the hash are the address.
+      const address = publicKeyHash.slice(-20).toString("hex");
+
+      if (
+        checksumAddress(address) === currentGuardianSet.addresses[sig.index]
+      ) {
+        counter++;
+      }
+    });
+
+    return counter === vaa.guardianSignatures.length;
+  } catch (error) {
+    logger.warn("Error validating VAA signatures:", error);
+
+    return false;
+  }
+}
+
+function checksumAddress(address: string) {
+  address = address.toLowerCase().replace("0x", "");
+  const hash = keccak.default("keccak256").update(address).digest("hex");
+  let ret = "0x";
+
+  for (let i = 0; i < address.length; i++) {
+    if (parseInt(hash[i], 16) >= 8) {
+      ret += address[i].toUpperCase();
+    } else {
+      ret += address[i];
+    }
+  }
+
+  return ret;
 }