Skip to content

feat(tron): reconstruct-then-sign for clear-signed transactions#56

Merged
BitHighlander merged 3 commits intodevelopfrom
feature/tron-clear-signing
Mar 18, 2026
Merged

feat(tron): reconstruct-then-sign for clear-signed transactions#56
BitHighlander merged 3 commits intodevelopfrom
feature/tron-clear-signing

Conversation

@BitHighlander
Copy link
Owner

@BitHighlander BitHighlander commented Mar 18, 2026

Summary

  • Firmware reconstructs protobuf from structured fields (TronTransferContract, TronTriggerSmartContract) and signs the reconstruction — display shows verified data
  • Legacy raw_data path preserved with explicit blind-sign warning
  • TRC-20 ABI decoding for transfer(address,uint256) with 12 hardcoded token defs (USDT, USDC, etc.)
  • Bounded protobuf serialization with capacity checks on every write
  • Address validation BEFORE display (prevents confusion attacks)
  • C unit tests for address decode, TRC-20 ABI, formatting

Proto changes

  • TronTransferContract message: to_address (Base58) + amount (SUN)
  • TronTriggerSmartContract message: contract_address + data (ABI) + call_value
  • TronSignTx gains fields 10-14 (transfer, trigger_smart, fee_limit, timestamp, data/memo)
  • TronSignedTx gains serialized_tx for host verification

Base

Built on top of upstream keepkey#387 (feat/tron-ton-support)

Test plan

  • C unit tests pass (tron.cpp — address decode, TRC-20, formatting)
  • ARM firmware build succeeds
  • Emulator build succeeds
  • On-device: TRX transfer shows verified amount/address
  • On-device: TRC-20 USDT shows "Send X USDT to T..."
  • Legacy raw_data shows blind-sign warning

@BitHighlander BitHighlander mentioned this pull request Mar 18, 2026
Closed
7 tasks
BitHighlander and others added 3 commits March 17, 2026 21:27
@BitHighlander
feat(tron,ton): add TRON and TON chain support
7145bb4 
TRON: secp256k1 + Keccak256 address derivation, SHA256 tx signing
TON: Ed25519 address derivation with CRC16 + Base64url, Ed25519 tx signing

Both use existing trezor-crypto primitives only.
@BitHighlander
feat(tron): reconstruct-then-sign for clear-signed TRON transactions
e93d914 
Security improvement: firmware reconstructs protobuf from structured
fields (TronTransferContract, TronTriggerSmartContract) and signs the
reconstruction. Display shows verified data, not host-asserted strings.

- Structured mode: host sends transfer/trigger_smart fields, firmware
  rebuilds raw_data protobuf, displays verified amount/address, signs
- Legacy mode: raw_data field still works with explicit blind-sign warning
- TRC-20 ABI decoding: recognizes transfer(address,uint256) selector
- 12 hardcoded TRC-20 tokens (USDT, USDC, SUN, BTT, etc.)
- Bounded protobuf serialization with capacity checks
- Address validation BEFORE display (prevents confusion attacks)
- C unit tests for address, TRC-20 decoding, formatting
- Device-protocol updated with structured message definitions

Based on upstream keepkey#387 (feat/tron-ton-support)
@BitHighlander
fix(tron): reject when both transfer and trigger_smart are set
314e6e3 
Proto defines transfer and trigger_smart as separate optional fields,
not a oneof. The serializer only processes one (if/else if), so if both
are present the UI would walk both confirmation branches but only one
gets signed — a display/signature mismatch. Reject with SyntaxError
before any confirmation dialog.
@BitHighlander BitHighlander force-pushed the feature/tron-clear-signing branch from 43a8438 to 314e6e3 Compare March 18, 2026 03:35
@BitHighlander BitHighlander marked this pull request as ready for review March 18, 2026 03:40
@BitHighlander BitHighlander merged commit 1357d7d into develop Mar 18, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BitHighlander