
fix(security): on-device TX parsing for TRON, blind-sign warnings for TON/Solana#52

Closed
BitHighlander wants to merge 2 commits into develop from fix/audit-findings

Conversation

@BitHighlander (Owner)

Security Audit Findings Addressed

TRON — parse TransferContract from signed payload (CRITICAL)

Previously: device displayed host-supplied to_address/amount then signed unrelated raw_data bytes. A malicious host could show a benign transfer while signing a drain.

Fix: Added minimal protobuf parser (tron_parseTransfer()) that extracts to_address and amount directly from the signed raw_data payload for TransferContract (type 1). Simple TRX transfers now show on-device-verified details. Token/contract TXs get explicit blind-sign warning.

TON — explicit blind-sign warning (HIGH)

TON uses Cell/BoC encoding which cannot be feasibly parsed on an embedded device. Added explicit "Blind Signature" warning text so users understand TX details are host-asserted and unverifiable on-device. (On-device Cell parsing is a future improvement.)

Solana — multi-instruction fix + message signing (HIGH)

  • Only show parsed transfer details when num_instructions == 1 AND instruction is a system transfer. Previously showed parsed details for first instruction even in multi-instruction TXs, hiding potentially malicious subsequent instructions.
  • Multi-instruction and unknown programs now get explicit blind-sign warning.
  • Removed show_display=false bypass for message signing — user confirmation is always required since signed messages can authorize on-chain actions.

Test plan

  • CI green (build + unit tests + python integration)
  • TRON: simple TRX transfer shows verified amount/address from payload
  • TRON: TRC-20 token transfer shows blind-sign warning
  • TON: transfer shows blind-sign warning
  • Solana: single system transfer shows verified details
  • Solana: multi-instruction TX shows blind-sign warning
  • Solana: message signing always prompts (even with show_display=false)
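The TRON fix described above, worked through in C as an added example; this is not code from the PR or the repository. It walks the protobuf wire format of raw_data, requires exactly one raw.contract entry (the check the PR's pb_count_field() performs; here the count and the extraction are folded into one pb_field() helper), requires Contract.type == 1 (TransferContract), and reads to_address and amount from the embedded Any.value. Field numbers follow TRON's public Tron.proto (raw.contract = 11, Contract.type = 1, Contract.parameter = 2, Any.value = 2, TransferContract owner_address/to_address/amount = 1/2/3). It goes one step beyond the PR text by also rejecting a to_address or amount that occurs more than once inside the TransferContract. All function names, the small encoder used to build the sample payload, and the placeholder addresses (0x41 followed by repeated 0x11/0x22 bytes) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* --- Minimal protobuf wire-format reader: varint (0) and length-delimited (2) only --- */
static bool pb_varint(const uint8_t *b, size_t n, size_t *pos, uint64_t *out)
{
    uint64_t v = 0;
    for (unsigned shift = 0; shift < 64 && *pos < n; shift += 7) {
        uint8_t c = b[(*pos)++];
        v |= (uint64_t)(c & 0x7F) << shift;
        if (!(c & 0x80)) { *out = v; return true; }
    }
    return false;                                   /* truncated or over-long varint */
}
/* Decode the field at *pos and advance past it. Any other wire type (fixed64, fixed32,
 * groups) is rejected: what the device cannot parse it must not vouch for. */
static bool pb_next(const uint8_t *b, size_t n, size_t *pos, uint32_t *field,
                    uint32_t *wt, uint64_t *val, const uint8_t **data, size_t *len)
{
    uint64_t tag, l = 0;
    if (!pb_varint(b, n, pos, &tag)) return false;
    *field = (uint32_t)(tag >> 3); *wt = (uint32_t)(tag & 7);
    if (*wt == 0) return pb_varint(b, n, pos, val);
    if (*wt != 2 || !pb_varint(b, n, pos, &l) || l > n - *pos) return false;
    *data = b + *pos; *len = (size_t)l; *pos += (size_t)l;
    return true;
}
/* Count occurrences of `field` (-1 if malformed or of the wrong wire type) and return
 * the first in val (varint) or data/len (bytes). Callers accept only a count of 1. */
static int pb_field(const uint8_t *b, size_t n, uint32_t field, uint32_t want_wt,
                    uint64_t *val, const uint8_t **data, size_t *len)
{
    size_t pos = 0; int count = 0;
    while (pos < n) {
        uint32_t f, wt; uint64_t v = 0; const uint8_t *d = NULL; size_t l = 0;
        if (!pb_next(b, n, &pos, &f, &wt, &v, &d, &l)) return -1;
        if (f != field) continue;
        if (wt != want_wt) return -1;
        if (count++ == 0) { if (val) *val = v; if (data) *data = d; if (len) *len = l; }
    }
    return count;
}

#define TRON_ADDR_LEN 21                            /* 0x41 prefix + 20-byte key hash */
typedef struct { uint8_t to[TRON_ADDR_LEN]; uint64_t amount; } TronTransfer;

/* Fill *out only when raw_data holds exactly one contract, it is a TransferContract (type 1),
 * and to_address/amount each occur exactly once. Anything else: caller shows blind-sign warning. */
static bool tron_parse_transfer(const uint8_t *raw, size_t n, TronTransfer *out)
{
    const uint8_t *c, *any, *tc, *to; size_t cl, al, tl, tol; uint64_t type;
    if (pb_field(raw, n, 11, 2, NULL, &c, &cl) != 1) return false;               /* raw.contract */
    if (pb_field(c, cl, 1, 0, &type, NULL, NULL) != 1 || type != 1) return false; /* Contract.type */
    if (pb_field(c, cl, 2, 2, NULL, &any, &al) != 1) return false;               /* Contract.parameter */
    if (pb_field(any, al, 2, 2, NULL, &tc, &tl) != 1) return false;              /* Any.value */
    if (pb_field(tc, tl, 2, 2, NULL, &to, &tol) != 1 || tol != TRON_ADDR_LEN) return false;
    if (pb_field(tc, tl, 3, 0, &out->amount, NULL, NULL) != 1) return false;     /* amount (sun) */
    memcpy(out->to, to, TRON_ADDR_LEN);
    return true;
}

/* --- Tiny encoder, used only to construct the sample payloads below --- */
typedef struct { uint8_t *buf; size_t cap, len; } PbOut;
static void put_varint(PbOut *o, uint64_t v)
{
    do { uint8_t c = v & 0x7F; v >>= 7; if (v) c |= 0x80;
         if (o->len < o->cap) o->buf[o->len] = c; o->len++; } while (v);
}
static void put_uint(PbOut *o, uint32_t f, uint64_t v) { put_varint(o, (uint64_t)f << 3); put_varint(o, v); }
static void put_bytes(PbOut *o, uint32_t f, const void *d, size_t n)
{
    put_varint(o, ((uint64_t)f << 3) | 2); put_varint(o, n);
    if (o->len + n <= o->cap) memcpy(o->buf + o->len, d, n);
    o->len += n;
}
/* Constructed sample (not a real chain transaction): raw_data carrying `ncontracts`
 * copies of a 1 TRX TransferContract to a placeholder address, plus ref_block_bytes. */
static size_t build_sample_raw_data(uint8_t *buf, size_t cap, int ncontracts)
{
    uint8_t owner[TRON_ADDR_LEN], to[TRON_ADDR_LEN], tcb[64], anyb[96], cb[128];
    memset(owner, 0x11, sizeof owner); memset(to, 0x22, sizeof to); owner[0] = to[0] = 0x41;
    PbOut tc = { tcb, sizeof tcb, 0 }, any = { anyb, sizeof anyb, 0 }, c = { cb, sizeof cb, 0 };
    put_bytes(&tc, 1, owner, sizeof owner);                 /* TransferContract.owner_address */
    put_bytes(&tc, 2, to, sizeof to);                       /* TransferContract.to_address */
    put_uint(&tc, 3, 1000000);                              /* amount: 1 TRX = 1,000,000 sun */
    put_bytes(&any, 2, tcb, tc.len);                        /* Any.value (type_url omitted) */
    put_uint(&c, 1, 1);                                     /* ContractType.TransferContract */
    put_bytes(&c, 2, anyb, any.len);                        /* Contract.parameter */
    PbOut raw = { buf, cap, 0 };
    put_bytes(&raw, 1, "\x12\x34", 2);                      /* raw.ref_block_bytes */
    for (int i = 0; i < ncontracts; i++) put_bytes(&raw, 11, cb, c.len);
    return raw.len;
}

static TronTransfer demo_result;                            /* filled by demo_parse() */
static bool demo_parse(int ncontracts)
{
    uint8_t raw[256];
    size_t n = build_sample_raw_data(raw, sizeof raw, ncontracts);
    return tron_parse_transfer(raw, n, &demo_result);
}
```

demo_parse(1) succeeds with amount 1000000 and the placeholder destination; demo_parse(2) and demo_parse(0) return false and fall through to the blind-sign path. The duplicate-field check matters because protobuf decoders apply last-value-wins semantics to a non-repeated field that occurs more than once, so a display parser that read the first occurrence could disagree with what the network executes; treating any count other than one as unverifiable removes that ambiguity.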

Addresses security audit findings for TRON, TON, and Solana signing:

TRON (CRITICAL fix):
- Add minimal protobuf parser to extract TransferContract fields
  (to_address, amount) directly from the signed raw_data payload
- Simple TRX transfers now show on-device-verified details
- Token/contract TXs fall through to explicit blind-sign warning

TON (blind-sign warning):
- TON Cell/BoC encoding cannot be parsed on-device
- Add explicit "Blind Signature" warning so users know TX details
  are host-asserted and unverifiable

Solana (multi-instruction + message signing):
- Only show parsed transfer details for single-instruction system
  transfers (num_instructions == 1)
- Multi-instruction and unknown programs get blind-sign warning
- Remove show_display=false bypass for message signing — always
  require user confirmation
…ount

TRON: Add pb_count_field() to verify exactly one contract entry in
raw_data before showing parsed transfer details. Multiple contracts
now fall through to blind-sign (prevents hiding malicious contracts
behind a benign first TransferContract).

Solana: Add total_instructions field to SolanaParsedTransaction
(actual count from TX, not capped at 8). Use it for the
single-instruction guard and blind-sign warning display.
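The Solana guard from the commits above (the single-instruction check and the uncapped total_instructions count), as an added example in C that is not the repository's code. It parses a legacy Solana message (3-byte header, compact-u16 key count, 32-byte keys, recent blockhash, compact-u16 instruction count, then per instruction a program index, a compact account-index list and compact data), records the true instruction count before capping the stored instructions at 8, and reports verified details only when that true count is 1 and the single instruction is a System Program Transfer (program key all zeros, instruction index 2 as a little-endian u32 followed by a u64 lamport amount). The struct layout, function names, the sample builder and the placeholder keys (0xAA payer, 0xBB destination, 0xCC blockhash) are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PARSED_INSTRUCTIONS 8                   /* the device stores details for at most 8 */

typedef struct {
    uint8_t program_index;
    const uint8_t *accounts; size_t num_accounts;   /* indices into the key table */
    const uint8_t *data;     size_t data_len;
} SolInstruction;
typedef struct {
    const uint8_t *keys; size_t num_keys;           /* 32-byte account keys */
    size_t total_instructions;                      /* real count from the message, never capped */
    size_t num_instructions;                        /* how many of ins[] were filled (<= 8) */
    SolInstruction ins[MAX_PARSED_INSTRUCTIONS];
} SolanaParsedTransaction;

static const uint8_t SYSTEM_PROGRAM_ID[32] = { 0 }; /* base58 "11111111111111111111111111111111" */

/* Solana compact-u16 ("ShortVec") length prefix: 1 to 3 bytes, 7 bits each. */
static bool read_compact_u16(const uint8_t *b, size_t n, size_t *pos, uint16_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 3 && *pos < n; i++) {
        uint8_t c = b[(*pos)++];
        v |= (uint32_t)(c & 0x7F) << (7 * i);
        if (!(c & 0x80)) { if (v > 0xFFFF) return false; *out = (uint16_t)v; return true; }
    }
    return false;
}
/* Parse a legacy (non-versioned) message: header, keys, blockhash, instructions. */
static bool solana_parse_message(const uint8_t *m, size_t n, SolanaParsedTransaction *tx)
{
    size_t pos = 3; uint16_t cnt, k;                /* skip the 3-byte signature-count header */
    if (n < 3 || !read_compact_u16(m, n, &pos, &cnt) || (size_t)cnt * 32 > n - pos) return false;
    tx->keys = m + pos; tx->num_keys = cnt; pos += (size_t)cnt * 32;
    if (n - pos < 32) return false;                 /* recent blockhash */
    pos += 32;
    if (!read_compact_u16(m, n, &pos, &cnt)) return false;
    tx->total_instructions = cnt;                   /* the real count, recorded before any cap */
    tx->num_instructions = 0;
    for (uint16_t i = 0; i < cnt; i++) {
        SolInstruction ix;
        if (pos >= n) return false;
        ix.program_index = m[pos++];
        if (!read_compact_u16(m, n, &pos, &k) || k > n - pos) return false;
        ix.accounts = m + pos; ix.num_accounts = k; pos += k;
        if (!read_compact_u16(m, n, &pos, &k) || k > n - pos) return false;
        ix.data = m + pos; ix.data_len = k; pos += k;
        if (ix.program_index >= tx->num_keys) return false;
        if (i < MAX_PARSED_INSTRUCTIONS) tx->ins[tx->num_instructions++] = ix;
    }
    return pos == n;                                /* trailing bytes: reject rather than sign */
}
/* The display guard: details are shown only when the whole message is a single System
 * Program Transfer; everything else must get the blind-sign warning. */
static bool solana_verified_transfer(const SolanaParsedTransaction *tx,
                                     uint64_t *lamports, const uint8_t **to_key)
{
    if (tx->total_instructions != 1) return false;  /* total, not the capped num_instructions */
    const SolInstruction *ix = &tx->ins[0];
    if (memcmp(tx->keys + (size_t)ix->program_index * 32, SYSTEM_PROGRAM_ID, 32) != 0) return false;
    if (ix->num_accounts != 2 || ix->data_len != 12) return false;   /* [from, to]; u32 + u64 */
    uint32_t disc = 0; uint64_t amt = 0;
    for (int i = 0; i < 4; i++) disc |= (uint32_t)ix->data[i] << (8 * i);
    for (int i = 0; i < 8; i++) amt |= (uint64_t)ix->data[4 + i] << (8 * i);
    if (disc != 2 || ix->accounts[1] >= tx->num_keys) return false;  /* SystemInstruction::Transfer */
    *lamports = amt; *to_key = tx->keys + (size_t)ix->accounts[1] * 32;
    return true;
}
/* Constructed sample (not a real chain message): keys [payer, dest, system program],
 * then `n_ins` identical 0.005 SOL (5,000,000 lamport) transfer instructions. */
static size_t build_sample_message(uint8_t *buf, size_t cap, uint8_t n_ins)
{
    static const uint8_t transfer_ix[17] = { 2, 2, 0, 1, 12, 2,0,0,0, 0x40,0x4B,0x4C,0,0,0,0,0 };
    size_t pos = 0;
    if (n_ins > 127 || cap < 133 + 17u * n_ins) return 0;
    buf[pos++] = 1; buf[pos++] = 0; buf[pos++] = 1;  /* 1 signer, 0 ro signed, 1 ro unsigned */
    buf[pos++] = 3;                                  /* compact-u16: 3 keys */
    memset(buf + pos, 0xAA, 32); pos += 32;          /* key 0: payer (placeholder) */
    memset(buf + pos, 0xBB, 32); pos += 32;          /* key 1: destination (placeholder) */
    memset(buf + pos, 0x00, 32); pos += 32;          /* key 2: System Program */
    memset(buf + pos, 0xCC, 32); pos += 32;          /* recent blockhash (placeholder) */
    buf[pos++] = n_ins;                              /* compact-u16: instruction count */
    for (uint8_t i = 0; i < n_ins; i++) { memcpy(buf + pos, transfer_ix, 17); pos += 17; }
    return pos;
}

static uint8_t demo_msg[512];                        /* kept static: demo_tx points into it */
static SolanaParsedTransaction demo_tx;
static uint64_t demo_lamports; static const uint8_t *demo_to;
static bool demo_verified(uint8_t n_ins)
{
    size_t n = build_sample_message(demo_msg, sizeof demo_msg, n_ins);
    memset(&demo_tx, 0, sizeof demo_tx);
    if (!solana_parse_message(demo_msg, n, &demo_tx)) return false;
    return solana_verified_transfer(&demo_tx, &demo_lamports, &demo_to);
}
```

demo_verified(1) yields 5,000,000 lamports to the 0xBB key; demo_verified(2) and demo_verified(9) both return false. The 9-instruction case is why the guard reads total_instructions rather than the capped num_instructions, which stops at 8 and would otherwise make a padded message look like a shorter one.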
@BitHighlander (Owner, Author)

Superseded by #56 (TRON reconstruct-then-sign) and #57 (TON address validation + clear signing). Both PRs include all security fixes from this PR plus full implementations.
