Improve CanWithdrawToAccount by detecting if the public key is on the curve

jeffyanta · jeffyanta · commit c32c20e34129 · 2025-06-04T16:03:23.000-04:00
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/code-payments/code-server
 go 1.23.0
 
 require (
+	filippo.io/edwards25519 v1.1.0
 	github.com/aws/aws-sdk-go-v2 v0.17.0
 	github.com/bits-and-blooms/bloom/v3 v3.1.0
 	github.com/code-payments/code-protobuf-api v1.19.1-0.20250603030803-cbe2bfca5052
diff --git a/go.sum b/go.sum
@@ -37,6 +37,8 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
diff --git a/pkg/code/common/account.go b/pkg/code/common/account.go
@@ -6,6 +6,7 @@ import (
 	"crypto/ed25519"
 	"fmt"
 
+	"filippo.io/edwards25519"
 	"github.com/pkg/errors"
 
 	commonpb "github.com/code-payments/code-protobuf-api/generated/go/common/v1"
@@ -325,6 +326,10 @@ func (a *Account) IsManagedByCode(ctx context.Context, data code_data.Provider)
 	return IsManagedByCode(ctx, timelockRecord), nil
 }
 
+func (a *Account) IsOnCurve() bool {
+	return isOnCurve(a.publicKey.ToBytes())
+}
+
 func (a *Account) Validate() error {
 	if a == nil {
 		return errors.New("account is nil")
@@ -455,3 +460,13 @@ func ValidateExternalTokenAccount(ctx context.Context, data code_data.Provider,
 		return false, "", err
 	}
 }
+
+func isOnCurve(pubKey ed25519.PublicKey) bool {
+	if len(pubKey) != ed25519.PublicKeySize {
+		return false
+	}
+
+	// Try to parse the public key as a point
+	_, err := new(edwards25519.Point).SetBytes(pubKey)
+	return err == nil
+}
diff --git a/pkg/code/common/account_test.go b/pkg/code/common/account_test.go
@@ -189,6 +189,21 @@ func TestGetVmDepositAccounts(t *testing.T) {
 	assert.EqualValues(t, mintAccount.PublicKey().ToBytes(), actual.Mint.PublicKey().ToBytes())
 }
 
+func TestIsOnCurve(t *testing.T) {
+	for _, tc := range []struct {
+		expected  bool
+		publicKey string
+	}{
+		{true, "codeHy87wGD5oMRLG75qKqsSi1vWE3oxNyYmXo5F9YR"},   // Example owner
+		{false, "Cgx4Ff1mmdqRnUbMQ8SbM23hDEbaNaGuhxUHF4aDN8if"}, // Example ATA
+		{false, "ChpRZqD1KKdbVsFkRGu85rqMa85MHKhWHuGwJXwAiRCN"}, // Example Timelock vault
+	} {
+		account, err := NewAccountFromPublicKeyString(tc.publicKey)
+		require.NoError(t, err)
+		assert.Equal(t, tc.expected, account.IsOnCurve())
+	}
+}
+
 func TestIsAccountManagedByCode_TimelockState(t *testing.T) {
 	ctx := context.Background()
 	data := code_data.NewTestDataProvider()
diff --git a/pkg/code/server/transaction/intent.go b/pkg/code/server/transaction/intent.go
@@ -803,47 +803,60 @@ func (s *transactionServer) CanWithdrawToAccount(ctx context.Context, req *trans
 	}
 	log = log.WithField("account", accountToCheck.PublicKey().ToBase58())
 
+	isOnCurve := accountToCheck.IsOnCurve()
+
 	//
-	// Part 1: Is this a timelock vault? If so, only allow primary accounts.
+	// Part 1: Is this a Timelock vault? If so, only allow primary accounts.
 	//
 
-	accountInfoRecord, err := s.data.GetAccountInfoByTokenAddress(ctx, accountToCheck.PublicKey().ToBase58())
-	switch err {
-	case nil:
-		return &transactionpb.CanWithdrawToAccountResponse{
-			IsValidPaymentDestination: accountInfoRecord.AccountType == commonpb.AccountType_PRIMARY,
-			AccountType:               transactionpb.CanWithdrawToAccountResponse_TokenAccount,
-		}, nil
-	case account.ErrAccountInfoNotFound:
-		// Nothing to do
-	default:
-		log.WithError(err).Warn("failure checking account info db")
-		return nil, status.Error(codes.Internal, "")
+	if !isOnCurve {
+		accountInfoRecord, err := s.data.GetAccountInfoByTokenAddress(ctx, accountToCheck.PublicKey().ToBase58())
+		switch err {
+		case nil:
+			return &transactionpb.CanWithdrawToAccountResponse{
+				IsValidPaymentDestination: accountInfoRecord.AccountType == commonpb.AccountType_PRIMARY,
+				AccountType:               transactionpb.CanWithdrawToAccountResponse_TokenAccount,
+			}, nil
+		case account.ErrAccountInfoNotFound:
+			// Nothing to do
+		default:
+			log.WithError(err).Warn("failure checking account info db")
+			return nil, status.Error(codes.Internal, "")
+		}
 	}
 
 	//
 	// Part 2: Is this an opened core mint token account? If so, allow it.
 	//
 
-	_, err = s.data.GetBlockchainTokenAccountInfo(ctx, accountToCheck.PublicKey().ToBase58(), solana.CommitmentFinalized)
-	switch err {
-	case nil:
-		return &transactionpb.CanWithdrawToAccountResponse{
-			IsValidPaymentDestination: true,
-			AccountType:               transactionpb.CanWithdrawToAccountResponse_TokenAccount,
-		}, nil
-	case token.ErrAccountNotFound, solana.ErrNoAccountInfo, token.ErrInvalidTokenAccount:
-		// Nothing to do
-	default:
-		log.WithError(err).Warn("failure checking against blockchain as a token account")
-		return nil, status.Error(codes.Internal, "")
+	if !isOnCurve {
+		_, err = s.data.GetBlockchainTokenAccountInfo(ctx, accountToCheck.PublicKey().ToBase58(), solana.CommitmentFinalized)
+		switch err {
+		case nil:
+			return &transactionpb.CanWithdrawToAccountResponse{
+				IsValidPaymentDestination: true,
+				AccountType:               transactionpb.CanWithdrawToAccountResponse_TokenAccount,
+			}, nil
+		case token.ErrAccountNotFound, solana.ErrNoAccountInfo, token.ErrInvalidTokenAccount:
+			// Nothing to do
+		default:
+			log.WithError(err).Warn("failure checking against blockchain as a token account")
+			return nil, status.Error(codes.Internal, "")
+		}
 	}
 
 	//
 	// Part 3: Is this an owner account with an opened Core Mint ATA? If so, allow it.
 	//         If not, indicate to the client to pay a fee for a create-on-send withdrawal.
 	//
 
+	if !isOnCurve {
+		return &transactionpb.CanWithdrawToAccountResponse{
+			IsValidPaymentDestination: false,
+			AccountType:               transactionpb.CanWithdrawToAccountResponse_Unknown,
+		}, nil
+	}
+
 	ata, err := accountToCheck.ToAssociatedTokenAccount(common.CoreMintAccount)
 	if err != nil {
 		log.WithError(err).Warn("failure getting ata address")
