@velumdotcash/sdk 2.1.0 → 2.1.1

@@ -29,7 +29,7 @@ export declare class Utxo {
29
29
  *
30
30
  * Generate a new keypair for each UTXO
31
31
  */
32
- keypair, publicKey, blinding, // Use fixed value for consistency instead of randomBN()
32
+ keypair, publicKey, blinding, // Cryptographically secure random blinding
33
33
  index, mintAddress, // Default to Solana native SOL mint address,
34
34
  version }: {
35
35
  lightWasm: hasher.LightWasm;
@@ -5,10 +5,22 @@
5
5
  * Based on: https://github.com/tornadocash/tornado-nova
6
6
  */
7
7
  import BN from 'bn.js';
8
+ import nacl from 'tweetnacl';
8
9
  import { Keypair } from './keypair.js';
9
10
  import { ethers } from 'ethers';
10
11
  import { getMintAddressField } from '../utils/utils.js';
11
12
  import { PublicKey } from '@solana/web3.js';
13
+ import { FIELD_SIZE } from '../utils/constants.js';
14
+ /**
15
+ * Generate a cryptographically secure random blinding factor.
16
+ * Uses nacl.randomBytes() instead of Math.random() for security.
17
+ */
18
+ function generateSecureBlinding() {
19
+ const randomBytes = nacl.randomBytes(32);
20
+ const randomBN = new BN(randomBytes);
21
+ // Reduce modulo FIELD_SIZE to ensure it's within the valid range
22
+ return randomBN.mod(FIELD_SIZE);
23
+ }
12
24
  /**
13
25
  * Simplified Utxo class inspired by Tornado Cash Nova
14
26
  * Based on: https://github.com/tornadocash/tornado-nova/blob/f9264eeffe48bf5e04e19d8086ee6ec58cdf0d9e/src/utxo.js
@@ -31,7 +43,7 @@ export class Utxo {
31
43
  *
32
44
  * Generate a new keypair for each UTXO
33
45
  */
34
- keypair, publicKey, blinding = new BN(Math.floor(Math.random() * 1000000000)), // Use fixed value for consistency instead of randomBN()
46
+ keypair, publicKey, blinding = generateSecureBlinding(), // Cryptographically secure random blinding
35
47
  index = 0, mintAddress = '11111111111111111111111111111112', // Default to Solana native SOL mint address,
36
48
  version = 'v2' }) {
37
49
  this.amount = new BN(amount.toString());
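Review bot: `generateSecureBlinding()` reduces a 256-bit sample modulo `FIELD_SIZE`, which leaves some residues more likely than others unless `FIELD_SIZE` divides 2^256; the constant's value is not visible here, but for a roughly 254-bit SNARK field the skew is measurable. Drawing extra bytes before the reduction, `const randomBytes = nacl.randomBytes(48);`, makes the bias negligible, and rejection sampling removes it entirely. The removed default `Math.floor(Math.random() * 1000000000)` carried at most about 30 bits of non-cryptographic entropy, so UTXOs created with 2.1.0 keep their weak blinding values after the upgrade; the release notes should say whether they need to be re-created. The helper's JSDoc would also benefit from an `@returns {BN}` line stating the range `[0, FIELD_SIZE)`, and the constructor body continues past the hunk.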
@@ -76,7 +76,7 @@ export declare function installDebugCommands(): void;
76
76
  * 2. PRIVACY_CASH_DEBUG environment variable is set to 'true' or '1'
77
77
  * 3. window.PRIVACY_CASH_DEBUG is set to true, 'true', or '1'
78
78
  * 4. Running in development mode (NODE_ENV=development or localhost)
79
- * 5. URL contains ?privacy_cash_debug=true or ?privacy_cash_debug=1 (production feature)
79
+ * 5. URL contains ?privacy_cash_debug=true or ?privacy_cash_debug=1 (localhost only)
80
80
  */
81
81
  export declare function isDebugEnabled(): boolean;
82
82
  /**
@@ -30,13 +30,19 @@ function isDevelopmentMode() {
30
30
  return false;
31
31
  }
32
32
  /**
33
- * Check URL parameters for debug enablement (production feature)
33
+ * Check URL parameters for debug enablement (development only)
34
34
  * Enables via ?privacy_cash_debug=1 or ?privacy_cash_debug=true
35
+ * SECURITY: Only works on localhost to prevent information leakage in production
35
36
  */
36
37
  function checkUrlParamDebugEnabled() {
37
38
  if (typeof window === 'undefined' || typeof location === 'undefined') {
38
39
  return false;
39
40
  }
41
+ // SECURITY: Only allow URL parameter debugging on localhost
42
+ // This prevents attackers from enabling debug mode in production via URL manipulation
43
+ if (location.hostname !== 'localhost' && location.hostname !== '127.0.0.1') {
44
+ return false;
45
+ }
40
46
  // Only check once to avoid repeated URL parsing
41
47
  if (urlParamChecked) {
42
48
  return false;
@@ -162,7 +168,7 @@ export function installDebugCommands() {
162
168
  console.log(`[PRIVACY-CASH-DEBUG] Status: ${enabled ? 'ENABLED' : 'DISABLED'}`);
163
169
  console.log(`[PRIVACY-CASH-DEBUG] Verbose: ${verbose ? 'ENABLED' : 'DISABLED'}`);
164
170
  console.log(`[PRIVACY-CASH-DEBUG] Mode: ${mode}`);
165
- console.log('[PRIVACY-CASH-DEBUG] To enable: window.privacyCashDebug.enable() or add ?privacy_cash_debug=1 to URL');
171
+ console.log('[PRIVACY-CASH-DEBUG] To enable: window.privacyCashDebug.enable() (or ?privacy_cash_debug=1 on localhost)');
166
172
  console.log('[PRIVACY-CASH-DEBUG] For verbose: window.privacyCashDebug.verbose() or set PRIVACY_CASH_VERBOSE=1');
167
173
  }
168
174
  };
@@ -179,7 +185,7 @@ if (typeof window !== 'undefined') {
179
185
  * 2. PRIVACY_CASH_DEBUG environment variable is set to 'true' or '1'
180
186
  * 3. window.PRIVACY_CASH_DEBUG is set to true, 'true', or '1'
181
187
  * 4. Running in development mode (NODE_ENV=development or localhost)
182
- * 5. URL contains ?privacy_cash_debug=true or ?privacy_cash_debug=1 (production feature)
188
+ * 5. URL contains ?privacy_cash_debug=true or ?privacy_cash_debug=1 (localhost only)
183
189
  */
184
190
  export function isDebugEnabled() {
185
191
  return debugEnabled || checkEnvDebugEnabled() || isDevelopmentMode() || checkUrlParamDebugEnabled();
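Review bot: The new hostname guard in `checkUrlParamDebugEnabled()` allows only `localhost` and `127.0.0.1`, so the IPv6 loopback (where `location.hostname` is `[::1]`) is treated as production, and the list is hard-coded separately from whatever `isDevelopmentMode()` uses for its own localhost test (its body is outside the hunk). Because `isDebugEnabled()` evaluates `isDevelopmentMode()` before the URL check, and the doc comment says that function already covers localhost, the URL-parameter path now looks unreachable in a browser; if that is the case, deleting it is simpler than guarding it. Otherwise both checks should share one definition, e.g. `const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);`. `window.privacyCashDebug.enable()` and `window.PRIVACY_CASH_DEBUG` remain usable on any origin, so the debug output itself should still be reviewed for key or blinding material.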
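--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@velumdotcash/sdk",
- "version": "2.1.0",
+ "version": "2.1.1",
  "description": "TypeScript SDK for private payments on Solana using Zero-Knowledge proofs",
  "main": "dist/index.js",
  "exports": {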