@vurto/sign-tx 0.1.0-stage.1

package/src/decodeAbi.js

@@ -0,0 +1,198 @@
+import { Interface, getAddress, formatUnits } from 'ethers';
+import { isErc20Selector } from './contractAllowList.js';
+
+const AAVE_V3_POOL_ABI = [
+  'function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode)',
+  'function withdraw(address asset, uint256 amount, address to) returns (uint256)',
+  'function borrow(address asset, uint256 amount, uint256 interestRateMode, uint16 referralCode, address onBehalfOf)',
+  'function repay(address asset, uint256 amount, uint256 interestRateMode, address onBehalfOf) returns (uint256)',
+  'function repayWithATokens(address asset, uint256 amount, uint256 interestRateMode) returns (uint256)',
+  'function setUserUseReserveAsCollateral(address asset, bool useAsCollateral)',
+  'function setUserEMode(uint8 categoryId)',
+  'function liquidationCall(address collateralAsset, address debtAsset, address user, uint256 debtToCover, bool receiveAToken)',
+];
+
+const ERC20_ABI = [
+  'function approve(address spender, uint256 amount)',
+  'function transfer(address to, uint256 amount)',
+  'function transferFrom(address from, address to, uint256 amount)',
+];
+
+const VURTO_DUAL_ADAPTER_ABI = [
+  'function executeDualSwap(tuple(address fromAsset,address toAsset,uint256 fromAmount,uint256 minToAmount,address aggregator,address spender,bytes swapData) coll, tuple(address fromAsset,address toAsset,uint256 fromAmount,uint256 minToAmount,address aggregator,address spender,bytes swapData) debt, uint256 deadline)',
+];
+
+const ABIS = [
+  { iface: new Interface(AAVE_V3_POOL_ABI),     scope: 'aave-pool' },
+  { iface: new Interface(ERC20_ABI),            scope: 'erc20' },
+  { iface: new Interface(VURTO_DUAL_ADAPTER_ABI), scope: 'vurto-adapter' },
+];
+
+export const MAX_UINT256 = (1n << 256n) - 1n;
+
+const KNOWN_TOKENS = new Map(Object.entries({
+  '1:0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48':  { symbol: 'USDC',   decimals: 6  },
+  '1:0xdac17f958d2ee523a2206206994597c13d831ec7':  { symbol: 'USDT',   decimals: 6  },
+  '1:0x6b175474e89094c44da98b954eedeac495271d0f':  { symbol: 'DAI',    decimals: 18 },
+  '1:0x2260fac5e5542a773aa44fbcfedf7c193bc2c599':  { symbol: 'WBTC',   decimals: 8  },
+  '1:0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2':  { symbol: 'WETH',   decimals: 18 },
+  '10:0x0b2c639c533813f4aa9d7837caf62653d097ff85': { symbol: 'USDC',   decimals: 6  },
+  '10:0x94b008aa00579c1307b0ef2c499ad98a8ce58e58': { symbol: 'USDT',   decimals: 6  },
+  '10:0x4200000000000000000000000000000000000006': { symbol: 'WETH',   decimals: 18 },
+  '137:0x3c499c542cef5e3811e1192ce70d8cc03d5c3359':  { symbol: 'USDC',   decimals: 6  },
+  '137:0xc2132d05d31c914a87c6611c10748aeb04b58e8f':  { symbol: 'USDT',   decimals: 6  },
+  '137:0x0d500b1d8e8ef31e21c99d1db9a6444d3adf1270':  { symbol: 'WPOL',   decimals: 18 },
+  '8453:0x833589fcd6edb6e08f4c7c32d4f71b54bda02913': { symbol: 'USDC',   decimals: 6  },
+  '8453:0x60a3e35cc302bfa44cb288bc5a4f316fdb1adb42': { symbol: 'EURC',   decimals: 6  },
+  '8453:0x4200000000000000000000000000000000000006': { symbol: 'WETH',   decimals: 18 },
+  '42161:0xaf88d065e77c8cc2239327c5edb3a432268e5831': { symbol: 'USDC',  decimals: 6  },
+  '42161:0xff970a61a04b1ca14834a43f5de4533ebddb5cc8': { symbol: 'USDC.E', decimals: 6  },
+  '42161:0xfd086bc7cd5c481dcc9c85ebe478a1c0b69fcbb9': { symbol: 'USDT',   decimals: 6  },
+  '42161:0x82af49447d8a07e3bd95bd0d56f35241523fbab1': { symbol: 'WETH',   decimals: 18 },
+  '56:0x8ac76a51cc950d9822d68b83fe1ad97b32cd580d':   { symbol: 'USDC',   decimals: 18 },
+  '56:0x55d398326f99059ff775485246999027b3197955':   { symbol: 'USDT',   decimals: 18 },
+  '100:0xddafbb505ad214d7b80b1f830fccc89b60fb7a83': { symbol: 'USDC',   decimals: 6  },
+  '100:0xcb444e90d8198415266c6a2724b7900fb12fc56e': { symbol: 'EURe',   decimals: 18 },
+  '43114:0xb97ef9ef8734c71904d8002f8b6bc66dd9c48a6e': { symbol: 'USDC', decimals: 6  },
+  '146:0x29219dd400f2bf60e5a23d13be72b486d4038894':  { symbol: 'USDC',   decimals: 6  },
+}));
+
+export function lookupToken(chainId, address) {
+  if (typeof address !== 'string') return null;
+  return KNOWN_TOKENS.get(`${Number(chainId)}:${address.toLowerCase()}`) || null;
+}
+
+function tryParse(data, value) {
+  for (const { iface, scope } of ABIS) {
+    try {
+      const parsed = iface.parseTransaction({ data, value: value || '0x0' });
+      if (parsed) return { parsed, scope };
+    } catch {}
+  }
+  return null;
+}
+
+function formatParam(arg, frag, chainId, contextAsset) {
+  const type = frag.type;
+  if (type === 'address') {
+    let checksummed = String(arg);
+    try { checksummed = getAddress(checksummed); } catch {}
+    const token = lookupToken(chainId, checksummed);
+    return {
+      type,
+      raw: checksummed,
+      display: token ? `${checksummed} (${token.symbol})` : checksummed,
+    };
+  }
+  if (type.startsWith('uint') || type.startsWith('int')) {
+    const big = typeof arg === 'bigint' ? arg : BigInt(arg.toString());
+    let display = big.toString();
+    let isUnlimited = false;
+    if (big === MAX_UINT256) {
+      display = 'MAX_UINT256 (unlimited)';
+      isUnlimited = true;
+    } else if (contextAsset && contextAsset.decimals != null) {
+      try {
+        const human = formatUnits(big, contextAsset.decimals);
+        display = `${human} ${contextAsset.symbol} (raw: ${big.toString()})`;
+      } catch {}
+    }
+    return { type, raw: big.toString(), display, isUnlimited };
+  }
+  if (type === 'bool') return { type, raw: arg, display: arg ? 'true' : 'false' };
+  if (type === 'bytes' || type.startsWith('bytes')) {
+    const s = String(arg);
+    const short = s.length > 66 ? `${s.slice(0, 32)}…${s.slice(-10)} (${(s.length - 2) / 2} bytes)` : s;
+    return { type, raw: s, display: short };
+  }
+  return { type, raw: arg, display: JSON.stringify(arg, (_k, v) => typeof v === 'bigint' ? v.toString() : v) };
+}
+
+export function decodeTx({ to, data, value, chainId }) {
+  const safeData = typeof data === 'string' && data.length >= 10 ? data : '0x';
+  const result = {
+    decoded: false,
+    selector: safeData.length >= 10 ? safeData.slice(0, 10) : null,
+    name: null,
+    signature: null,
+    scope: null,
+    params: [],
+    notes: [],
+    isApprove: false,
+    isUnlimitedApprove: false,
+    approvedToken: null,
+    approvedSpender: null,
+    approvedAmount: null,
+  };
+
+  if (safeData === '0x' || safeData.length < 10) {
+    if (value && BigInt(value) > 0n) {
+      result.notes.push('Plain value transfer (no calldata).');
+    } else {
+      result.notes.push('Empty calldata — likely a self-call or contract destruction (rare).');
+    }
+    return result;
+  }
+
+  const erc20Hint = isErc20Selector(safeData);
+  let contextAsset = erc20Hint ? lookupToken(chainId, to) : null;
+
+  const attempt = tryParse(safeData, value);
+  if (!attempt) {
+    result.notes.push(`Unknown function selector ${result.selector}. Inspect the raw calldata carefully.`);
+    return result;
+  }
+
+  const { parsed, scope } = attempt;
+  result.decoded = true;
+  result.name = parsed.name;
+  result.signature = parsed.signature;
+  result.scope = scope;
+
+  const params = parsed.fragment.inputs.map((frag, i) => {
+    const isAmountField = ['amount', 'fromAmount', 'minToAmount', 'value'].includes(frag.name);
+    const assetForAmount = isAmountField ? contextAsset : null;
+    return {
+      name: frag.name || `arg${i}`,
+      ...formatParam(parsed.args[i], frag, chainId, assetForAmount),
+    };
+  });
+
+  if (scope === 'aave-pool' && ['supply', 'withdraw', 'borrow', 'repay', 'repayWithATokens'].includes(parsed.name)) {
+    const assetParam = params.find((p) => p.name === 'asset');
+    if (assetParam) {
+      const tokenInfo = lookupToken(chainId, assetParam.raw);
+      if (tokenInfo) {
+        const amtParam = params.find((p) => p.name === 'amount');
+        if (amtParam && /^\d+$/.test(amtParam.raw) && !amtParam.isUnlimited) {
+          try {
+            amtParam.display = `${formatUnits(BigInt(amtParam.raw), tokenInfo.decimals)} ${tokenInfo.symbol} (raw: ${amtParam.raw})`;
+          } catch {}
+        }
+      }
+    }
+  }
+
+  result.params = params;
+
+  if (scope === 'erc20' && parsed.name === 'approve') {
+    result.isApprove = true;
+    const spenderArg = params.find((p) => p.name === 'spender');
+    const amountArg = params.find((p) => p.name === 'amount');
+    result.approvedToken = contextAsset
+      ? { address: to, ...contextAsset }
+      : { address: to, symbol: 'token', decimals: null };
+    result.approvedSpender = spenderArg ? spenderArg.raw : null;
+    result.approvedAmount = amountArg ? amountArg.raw : null;
+    if (amountArg && amountArg.isUnlimited) {
+      result.isUnlimitedApprove = true;
+    } else if (amountArg && contextAsset && contextAsset.decimals != null) {
+      try {
+        const human = Number(formatUnits(BigInt(amountArg.raw), contextAsset.decimals));
+        if (human >= 1_000_000_000) result.isUnlimitedApprove = true;
+      } catch {}
+    }
+  }
+
+  return result;
+}

package/src/openBrowser.js

@@ -0,0 +1,33 @@
+import { spawn } from 'node:child_process';
+import { platform } from 'node:os';
+
+export function openBrowser(url) {
+  return new Promise((resolve, reject) => {
+    const p = platform();
+    let cmd;
+    let args;
+    let opts = { stdio: 'ignore', detached: true };
+
+    if (p === 'darwin') {
+      cmd = 'open';
+      args = [url];
+    } else if (p === 'win32') {
+      cmd = 'cmd';
+      args = ['/c', 'start', '""', url.replace(/&/g, '^&')];
+    } else {
+      cmd = 'xdg-open';
+      args = [url];
+    }
+
+    let child;
+    try {
+      child = spawn(cmd, args, opts);
+    } catch (err) {
+      reject(err);
+      return;
+    }
+    child.on('error', reject);
+    child.unref?.();
+    resolve();
+  });
+}

package/src/server.js

@@ -0,0 +1,139 @@
+import http from 'node:http';
+import crypto from 'node:crypto';
+import { buildSignerHtml } from './signerHtml.js';
+
+const TX_HASH_RE = /^0x[0-9a-f]{64}$/i;
+const ADDR_RE = /^0x[0-9a-fA-F]{40}$/;
+const MAX_BODY_BYTES = 16 * 1024;
+
+export function startSignerServer({ payload, port = 0, timeoutMs = 180_000, onListen }) {
+  return new Promise((resolve) => {
+    const scriptNonce = crypto.randomBytes(16).toString('base64');
+    const styleNonce = crypto.randomBytes(16).toString('base64');
+    const sessionToken = crypto.randomBytes(24).toString('hex');
+
+    let consumed = false;
+    let timer = null;
+
+    const html = buildSignerHtml({
+      payload,
+      scriptNonce,
+      styleNonce,
+      sessionToken,
+      timeoutMs,
+    });
+    const cspHeader =
+      `default-src 'none'; ` +
+      `script-src 'self' 'nonce-${scriptNonce}'; ` +
+      `style-src 'self' 'nonce-${styleNonce}'; ` +
+      `connect-src 'self'; ` +
+      `img-src 'self' data:; ` +
+      `frame-ancestors 'none'; ` +
+      `form-action 'none'; ` +
+      `base-uri 'none';`;
+
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, `http://${req.headers.host || '127.0.0.1'}`);
+
+      const send = (status, headers, body) => {
+        res.writeHead(status, {
+          'cache-control': 'no-store',
+          'x-content-type-options': 'nosniff',
+          'referrer-policy': 'no-referrer',
+          ...headers,
+        });
+        res.end(body);
+      };
+
+      if (consumed) {
+        send(410, { 'content-type': 'text/plain; charset=utf-8' }, 'Gone — this signer is single-use.');
+        return;
+      }
+
+      if (req.method === 'GET' && (url.pathname === '/' || url.pathname === '/index.html')) {
+        send(200, {
+          'content-type': 'text/html; charset=utf-8',
+          'content-security-policy': cspHeader,
+        }, html);
+        return;
+      }
+
+      if (req.method === 'POST' && url.pathname === '/result') {
+        const provided = req.headers['x-session-token'];
+        if (provided !== sessionToken) {
+          send(403, { 'content-type': 'application/json' }, JSON.stringify({ ok: false, error: 'forbidden' }));
+          return;
+        }
+        let raw = '';
+        let aborted = false;
+        req.on('data', (chunk) => {
+          raw += chunk;
+          if (raw.length > MAX_BODY_BYTES) {
+            aborted = true;
+            send(413, { 'content-type': 'application/json' }, JSON.stringify({ ok: false, error: 'payload too large' }));
+            req.destroy();
+          }
+        });
+        req.on('end', () => {
+          if (aborted) return;
+          let body;
+          try { body = JSON.parse(raw || '{}'); } catch {
+            send(400, { 'content-type': 'application/json' }, JSON.stringify({ ok: false, error: 'invalid json' }));
+            return;
+          }
+
+          if (body && body.rejected === true) {
+            consumed = true;
+            send(200, { 'content-type': 'application/json' }, JSON.stringify({ ok: true }));
+            finish({ kind: 'rejected' });
+            return;
+          }
+
+          if (body && typeof body.txHash === 'string' && TX_HASH_RE.test(body.txHash)) {
+            const from = typeof body.from === 'string' && ADDR_RE.test(body.from) ? body.from : payload.walletAddress;
+            consumed = true;
+            send(200, { 'content-type': 'application/json' }, JSON.stringify({ ok: true }));
+            finish({
+              kind: 'signed',
+              txHash: body.txHash,
+              from,
+              signedAt: new Date().toISOString(),
+            });
+            return;
+          }
+
+          send(400, { 'content-type': 'application/json' }, JSON.stringify({ ok: false, error: 'invalid result body' }));
+        });
+        req.on('error', () => {});
+        return;
+      }
+
+      send(404, { 'content-type': 'text/plain; charset=utf-8' }, 'Not found');
+    });
+
+    const finish = (result) => {
+      if (timer) { clearTimeout(timer); timer = null; }
+      setTimeout(() => {
+        try { server.close(); } catch {}
+        resolve(result);
+      }, 50);
+    };
+
+    server.on('error', (err) => {
+      finish({ kind: 'error', message: `server error: ${err.message}` });
+    });
+
+    server.listen(port, '127.0.0.1', () => {
+      const addr = server.address();
+      const url = `http://127.0.0.1:${addr.port}/`;
+      timer = setTimeout(() => {
+        if (consumed) return;
+        consumed = true;
+        finish({ kind: 'timeout' });
+      }, timeoutMs);
+      if (typeof onListen === 'function') {
+        try { onListen({ url, port: addr.port }); } catch {}
+      }
+    });
+  });
+}