refactor(abstract-utxo): reduce test boilerplate

- util/address.ts: Extract getWalletAddress helper from psbt.ts for
  generating addresses from RootWalletKeys, enabling dynamic address
  generation in tests instead of hardcoded values

- util/nockBitGo.ts: Add nockWalletKeys helper to encapsulate the
  repeated pattern of mocking wallet key fetch endpoints, reducing
  10+ lines of boilerplate per test to a single function call

- util/index.ts: Export nockBitGo and address utilities so they're
  accessible from the central util import

- postProcessPrebuild.ts: Use getUtxoCoin('tbtc') instead of manual
  TestBitGo setup, and generate output address dynamically instead
  of hardcoding

- testSpoofTransaction.ts: Replace hardcoded addresses with dynamically
  generated ones using wallet keys vs attacker keys, making the test
  intent clearer. Use nockBitGo() and nockWalletKeys() to eliminate
  URL extraction and key mocking boilerplate

Co-authored-by: Cursor <cursoragent@cursor.com>

TICKET: BTC-2650

Author: OttoAllmendinger

modules/abstract-utxo/test/unit/postProcessPrebuild.ts

@@ -1,34 +1,23 @@
 import 'should';
 
-import { type TestBitGoAPI, TestBitGo } from '@bitgo/sdk-test';
-import { BitGoAPI } from '@bitgo/sdk-api';
 import { fixedScriptWallet } from '@bitgo/wasm-utxo';
 import * as testutils from '@bitgo/wasm-utxo/testutils';
 
-import { Tbtc } from '../../src/impl/btc';
-
-import { constructPsbt } from './util';
+import { constructPsbt, getWalletAddress, getUtxoCoin } from './util';
 
 const { BitGoPsbt } = fixedScriptWallet;
 
 describe('Post Build Validation', function () {
-  let bitgo: TestBitGoAPI;
-  let coin: Tbtc;
-
-  before(function () {
-    bitgo = TestBitGo.decorate(BitGoAPI, { env: 'test' });
-    bitgo.safeRegister('tbtc', Tbtc.createInstance);
-    bitgo.initializeTestVars();
-    coin = bitgo.coin('tbtc') as Tbtc;
-  });
+  const coin = getUtxoCoin('tbtc');
 
   it('should not modify locktime on postProcessPrebuild', async function () {
     const walletKeys = testutils.getDefaultWalletKeys();
+    const walletAddress = getWalletAddress('tbtc', walletKeys);
 
     // Create a PSBT with lockTime=0 and sequence=0xffffffff
     const psbt = constructPsbt(
       [{ scriptType: 'p2wsh' as const, value: BigInt(100000) }],
-      [{ address: 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7', value: BigInt(90000) }],
+      [{ address: walletAddress, value: BigInt(90000) }],
       'tbtc',
       walletKeys,
       { lockTime: 0, sequence: 0xffffffff }

modules/abstract-utxo/test/unit/testSpoofTransaction.ts

@@ -1,62 +1,40 @@
 import assert from 'assert';
 
-import { type TestBitGoAPI, TestBitGo } from '@bitgo/sdk-test';
-import { BitGoAPI, encrypt } from '@bitgo/sdk-api';
 import * as testutils from '@bitgo/wasm-utxo/testutils';
 import { Wallet } from '@bitgo/sdk-core';
 
-import { Tbtc } from '../../src/impl/btc';
-
-import { constructPsbt } from './util';
+import { constructPsbt, getWalletAddress, getUtxoCoin, defaultBitGo, nockBitGo, nockWalletKeys } from './util';
 
 describe('Transaction Spoofability Tests', function () {
-  describe('Unspent management spoofability - Consolidation (BUILD_SIGN_SEND)', function () {
-    let coin: Tbtc;
-    let bitgoTest: TestBitGoAPI;
-
-    before(function () {
-      bitgoTest = TestBitGo.decorate(BitGoAPI, { env: 'test' });
-      bitgoTest.safeRegister('tbtc', Tbtc.createInstance);
-      bitgoTest.initializeTestVars();
-      coin = bitgoTest.coin('tbtc') as Tbtc;
-    });
+  const coin = getUtxoCoin('tbtc');
 
-    it('should detect hex spoofing in BUILD_SIGN_SEND', async function (): Promise<void> {
+  describe('Unspent management spoofability - Consolidation (BUILD_SIGN_SEND)', function () {
+    it('should detect spoofed consolidation to attacker address', async function (): Promise<void> {
       const keyTriple = testutils.getKeyTriple('default');
-      const rootWalletKey = testutils.getDefaultWalletKeys();
-      const [user] = keyTriple;
+      const walletKeys = testutils.getDefaultWalletKeys();
+      const attackerKeys = testutils.getWalletKeysForSeed('attacker');
 
-      const wallet = new Wallet(bitgoTest, coin, {
+      const wallet = new Wallet(defaultBitGo, coin, {
         id: '5b34252f1bf349930e34020a',
         coin: 'tbtc',
         keys: ['user', 'backup', 'bitgo'],
       });
 
-      // originalPsbt is created to show what the legitimate transaction would look like
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      const originalPsbt = constructPsbt(
-        [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7', value: BigInt(9000) }],
-        'tbtc',
-        rootWalletKey
-      );
+      // The attacker replaces the legitimate wallet address with their own
+      const attackerAddress = getWalletAddress('tbtc', attackerKeys);
       const spoofedPsbt = constructPsbt(
         [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1pjgg9ty3s2ztp60v6lhgrw76f7hxydzuk9t9mjsndh3p2gf2ah7gs4850kn', value: BigInt(9000) }],
+        [{ address: attackerAddress, value: BigInt(9000) }],
         'tbtc',
-        rootWalletKey
+        walletKeys // Input uses wallet keys (the funds being stolen)
       );
       const spoofedHex: string = Buffer.from(spoofedPsbt.serialize()).toString('hex');
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const bgUrl: string = (bitgoTest as any)._baseUrl;
-      const nock = require('nock');
-
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/consolidateUnspents`)
         .reply(200, { txHex: spoofedHex, consolidateId: 'test' });
 
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/tx/send`)
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         .reply((requestBody: any) => {
@@ -66,15 +44,7 @@ describe('Transaction Spoofability Tests', function () {
           return [200, { txid: 'test-txid-123', status: 'signed' }];
         });
 
-      const pubs = keyTriple.map((k) => k.neutered().toBase58());
-      const responses = [
-        { pub: pubs[0], encryptedPrv: encrypt('pass', user.toBase58()) },
-        { pub: pubs[1] },
-        { pub: pubs[2] },
-      ];
-      wallet
-        .keyIds()
-        .forEach((id, i) => nock(bgUrl).get(`/api/v2/${wallet.coin()}/key/${id}`).reply(200, responses[i]));
+      nockWalletKeys(wallet, keyTriple, 'pass');
 
       await assert.rejects(
         wallet.consolidateUnspents({ walletPassphrase: 'pass' }),
@@ -87,53 +57,32 @@ describe('Transaction Spoofability Tests', function () {
   });
 
   describe('Unspent management spoofability - Fanout (BUILD_SIGN_SEND)', function () {
-    let coin: Tbtc;
-    let bitgoTest: TestBitGoAPI;
-
-    before(function () {
-      bitgoTest = TestBitGo.decorate(BitGoAPI, { env: 'test' });
-      bitgoTest.safeRegister('tbtc', Tbtc.createInstance);
-      bitgoTest.initializeTestVars();
-      coin = bitgoTest.coin('tbtc') as Tbtc;
-    });
-
-    it('should detect hex spoofing in fanout BUILD_SIGN_SEND', async function (): Promise<void> {
+    it('should detect spoofed fanout to attacker address', async function (): Promise<void> {
       const keyTriple = testutils.getKeyTriple('default');
-      const rootWalletKey = testutils.getDefaultWalletKeys();
-      const [user] = keyTriple;
+      const walletKeys = testutils.getDefaultWalletKeys();
+      const attackerKeys = testutils.getWalletKeysForSeed('attacker');
 
-      const wallet = new Wallet(bitgoTest, coin, {
+      const wallet = new Wallet(defaultBitGo, coin, {
         id: '5b34252f1bf349930e34020a',
         coin: 'tbtc',
         keys: ['user', 'backup', 'bitgo'],
       });
 
-      // originalPsbt is created to show what the legitimate transaction would look like
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      const originalPsbt = constructPsbt(
-        [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7', value: BigInt(9000) }],
-        'tbtc',
-        rootWalletKey
-      );
-
+      // The attacker replaces the legitimate wallet address with their own
+      const attackerAddress = getWalletAddress('tbtc', attackerKeys);
       const spoofedPsbt = constructPsbt(
         [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1pjgg9ty3s2ztp60v6lhgrw76f7hxydzuk9t9mjsndh3p2gf2ah7gs4850kn', value: BigInt(9000) }],
+        [{ address: attackerAddress, value: BigInt(9000) }],
         'tbtc',
-        rootWalletKey
+        walletKeys // Input uses wallet keys (the funds being stolen)
       );
       const spoofedHex: string = Buffer.from(spoofedPsbt.serialize()).toString('hex');
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const bgUrl: string = (bitgoTest as any)._baseUrl;
-      const nock = require('nock');
-
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/fanoutUnspents`)
         .reply(200, { txHex: spoofedHex, fanoutId: 'test' });
 
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/tx/send`)
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         .reply((requestBody: any) => {
@@ -143,15 +92,7 @@ describe('Transaction Spoofability Tests', function () {
           return [200, { txid: 'test-txid-123', status: 'signed' }];
         });
 
-      const pubs = keyTriple.map((k) => k.neutered().toBase58());
-      const responses = [
-        { pub: pubs[0], encryptedPrv: encrypt('pass', user.toBase58()) },
-        { pub: pubs[1] },
-        { pub: pubs[2] },
-      ];
-      wallet
-        .keyIds()
-        .forEach((id, i) => nock(bgUrl).get(`/api/v2/${wallet.coin()}/key/${id}`).reply(200, responses[i]));
+      nockWalletKeys(wallet, keyTriple, 'pass');
 
       await assert.rejects(
         wallet.fanoutUnspents({ walletPassphrase: 'pass' }),

modules/abstract-utxo/test/unit/util/address.ts

@@ -0,0 +1,17 @@
+import { fixedScriptWallet, type CoinName } from '@bitgo/wasm-utxo';
+
+const { ChainCode } = fixedScriptWallet;
+
+/**
+ * Generate a wallet address from RootWalletKeys.
+ * Useful for generating both legitimate wallet addresses and attacker addresses from different keys.
+ */
+export function getWalletAddress(
+  coinName: CoinName,
+  walletKeys: fixedScriptWallet.RootWalletKeys,
+  scriptType: fixedScriptWallet.OutputScriptType = 'p2wsh',
+  index = 0
+): string {
+  const chain = ChainCode.value(scriptType, 'external');
+  return fixedScriptWallet.address(walletKeys, chain, index, coinName);
+}

modules/abstract-utxo/test/unit/util/index.ts

@@ -5,3 +5,5 @@ export * from './wallet';
 export * from './unspents';
 export * from './transaction';
 export * from './psbt';
+export * from './address';
+export * from './nockBitGo';

modules/abstract-utxo/test/unit/util/nockBitGo.ts

@@ -1,9 +1,26 @@
 import nock = require('nock');
-import { Environment, Environments } from '@bitgo/sdk-core';
+import { encrypt } from '@bitgo/sdk-api';
+import { Environment, Environments, Wallet } from '@bitgo/sdk-core';
+import { BIP32, Triple } from '@bitgo/wasm-utxo';
 
 import { defaultBitGo } from './utxoCoins';
 
 export function nockBitGo(bitgo = defaultBitGo): nock.Scope {
   const env = Environments[bitgo.getEnv()] as Environment;
   return nock(env.uri);
 }
+
+/**
+ * Mock the key fetching endpoints for a wallet.
+ * Sets up nock to return the key triple with the user key encrypted.
+ */
+export function nockWalletKeys(wallet: Wallet, keyTriple: Triple<BIP32>, userPassphrase: string): void {
+  const [user] = keyTriple;
+  const pubs = keyTriple.map((k) => k.neutered().toBase58());
+  const responses = [
+    { pub: pubs[0], encryptedPrv: encrypt(userPassphrase, user.toBase58()) },
+    { pub: pubs[1] },
+    { pub: pubs[2] },
+  ];
+  wallet.keyIds().forEach((id, i) => nockBitGo().get(`/api/v2/${wallet.coin()}/key/${id}`).reply(200, responses[i]));
+}