[Feature] Shielded transaction API security enhancement

[Federico2014]

The current default configuration of java-tron node has security and code quality issues that need to be addressed.

Security Risks

1. Key Exposure Risk: allowShieldedTransactionApi = true is enabled by default, exposing sensitive cryptographic key generation APIs:

   • GetSpendingKey - Random spending key (sk)
   • GetExpandedSpendingKey - Expanded key components (ask, nsk, ovk)
   • GetNewShieldedAddress - Complete shielded address with all secrets

2. Remote Attack Surface: Keys transmitted over network can be intercepted; misconfigured firewalls may expose keys to the internet

3. Bug Bounty False Positives: These endpoints frequently trigger security reports requiring manual investigation

4. No Legitimate Remote Use Case: Key generation should be performed locally

Code Quality Issue

Shielded transaction-related code in ShieldedTRC20ParametersBuilder.java and ZenTransactionBuilder.java uses += and -= arithmetic operators. For overflow-safety and explicit behavior, these should use StrictMathWrapper.addExact/subtractExact which throw ArithmeticException on overflow.

Deprecated File

The sprout-verifying.key file is a leftover from the Sprout circuit implementation, which is no longer used (Sapling only).

Important Note (v4.8.1+)

Starting from v4.8.1, the allowShieldedTransactionApi configuration only affects API endpoint availability. Nodes can still validate and process shielded transactions even when the API is disabled.

Proposed Solution

Specification

Configuration Changes

Actual default value location: The default is set in Args.java when the config key is absent (line ~729), not in CommonParameter.java.

Change the fallback default value of allowShieldedTransactionApi from true to false:

// Args.java - applyConfigParams method
PARAMETER.allowShieldedTransactionApi = false;  // was: true (fallback when config key absent)

# config.conf
# WARNING: Some shielded transaction APIs require sending private keys as parameters.
# Calling these APIs on untrusted or remote nodes may leak your private keys.
# It is recommended to invoke them locally for development and testing.
# allowShieldedTransactionApi = false

Overflow-Safety Code Improvements

Replace arithmetic operators with StrictMathWrapper for explicit overflow detection:

File	Changes
ShieldedTRC20ParametersBuilder.java	5 occurrences: 3 addExact + 2 subtractExact
ZenTransactionBuilder.java	6 occurrences: 4 addExact + 2 subtractExact

Note: Using addExact/subtractExact will throw ArithmeticException on overflow, providing explicit failure mode for value boundary violations.

Cleanup Deprecated File

Delete sprout-verifying.key - deprecated Sprout circuit key file. (Need to verify packaging/release scripts before deletion.)

API Changes

Affected APIs (disabled by default when allowShieldedTransactionApi = false):

The allowShieldedTransactionApi flag gates a broader set of shielded wallet/helper APIs than only the secret-material endpoints. This includes all shielded-related wallet APIs accessible via HTTP/gRPC.

HTTP API examples:

• /wallet/getspendingkey
• /wallet/getexpandedspendingkey
• /wallet/getnewshieldedaddress
• /wallet/getakfromask
• /wallet/getnkfromnsk
• /wallet/getincomingviewingkey
• /wallet/getpaymentaddress
• ... (all shielded wallet helper APIs)

gRPC API examples:

• GetSpendingKey
• GetExpandedSpendingKey
• GetNewShieldedAddress
• GetAkFromAsk
• GetNkFromNsk
• GetIncomingViewingKey
• GetPaymentAddress
• ... (all shielded wallet helper APIs)

Implementation note: Exposed HTTP/gRPC entries are rejected at runtime rather than conditionally unregistered.

Configuration Changes

Users can restore previous behavior by explicitly configuring:

node {
  allowShieldedTransactionApi = true
}

Protocol Changes

None - Shielded transaction validation logic is not affected (API control separated since v4.8.1+)

Scope of Impact

• Core protocol
• API/RPC
• Database
• Network layer
• Smart contracts
• Documentation
• Other: Security configuration, Code quality (overflow-safety)

Breaking Changes

Yes - Nodes relying on the default true value will have shielded APIs disabled after upgrade.

Backward Compatibility

Previous behavior can be restored through explicit configuration:

node {
  allowShieldedTransactionApi = true
}

Implementation

Are you willing to implement this feature?

• Yes, implementation is complete

Estimated Complexity

• Low code complexity, non-trivial compatibility/documentation impact

Regression Test Plan

The following test coverage will be added:

• Default disabled behavior (APIs return error when not explicitly enabled)
• Explicit opt-in via node.allowShieldedTransactionApi = true
• Shielded transaction validation/processing still works when API is disabled
• ArithmeticException is properly handled in overflow scenarios

[waynercheung]

Hi @Federico2014, I support the security direction here.

Based on the current implementation, changing the default of allowShieldedTransactionApi to false should achieve the main secure-by-default goal: the currently exposed shielded wallet/helper APIs would be disabled by default, while shielded transaction validation/processing does not appear to depend on this flag.

That said, I think the issue description could be tightened in a few places:

1. The effective default is set in Args.java when the config key is absent, not in CommonParameter.java. So the actual default change should happen there, plus the default/sample config comment.

2. One scope clarification would help: the existing allowShieldedTransactionApi flag gates a broader set of shielded wallet/helper APIs than only the secret-material endpoints listed above. With the current implementation, exposed HTTP/gRPC entries are rejected at runtime rather than conditionally unregistered. So this change is sufficient for disabling default remote use, but the issue should describe the intended API scope clearly.

3. The arithmetic cleanup makes sense from an overflow-safety / explicit-behavior perspective, but I would frame it that way. The current math-check workflow is about direct java.lang.Math usage; += / -= do not fail that check by themselves. Also, replacing them with addExact / subtractExact may introduce ArithmeticException, so those paths should be normalized into proper user-facing validation errors where appropriate.

4. sprout-verifying.key does look like dead residue from the old Sprout path, but I would still verify packaging/release scripts before deleting it.

5. I would strongly recommend regression coverage for:

   • default disabled behavior
   • explicit opt-in via node.allowShieldedTransactionApi = true
   • shielded transaction validation/processing still working when the API is disabled

So overall, I agree with the direction. I would just describe it as a small code change with non-trivial compatibility/documentation impact, rather than purely "Low complexity".

[Federico2014]

Hi @waynercheung, thank you for the thorough and insightful review!

I agree with all your points. Let me address each one:

1. Default value location

You're absolutely right. The actual default is set in Args.java when the config key is absent. In my implementation:

• CommonParameter.java: Removed the inline comment // clearParam: true (which was misleading)
• Args.java: Changed the fallback from true to false at line 729
• config.conf: Updated the commented example to show # allowShieldedTransactionApi = false with a security warning

2. API scope clarification

Good point. I'll update the issue description to clarify that allowShieldedTransactionApi gates all shielded wallet/helper APIs, not just the secret-material endpoints. The current implementation rejects requests at runtime rather than
conditionally unregistering endpoints.

3. Arithmetic operators framing

This is a valuable suggestion. I'll reframe the arithmetic changes as "overflow-safety improvements" rather than just code quality fixes. The StrictMathWrapper.addExact/subtractExact calls will throw ArithmeticException on overflow, which is the desired behavior for detecting value boundary violations in shielded transactions.

4. sprout-verifying.key deletion

Understood. I'll verify the packaging and release scripts to ensure this file isn't referenced anywhere before finalizing the deletion.

5. Regression tests

Agreed. I plan to add tests covering:

• Default disabled behavior (APIs return error when not explicitly enabled)
• Explicit opt-in via node.allowShieldedTransactionApi = true
• Shielded transaction validation/processing still works when API is disabled

Regarding the complexity assessment: I agree this should be characterized as "low code complexity but non-trivial compatibility/documentation impact" rather than purely "Low complexity". The security direction is sound, but we need to be careful about the migration path for existing node operators.

Thanks again for the detailed feedback!

[waynercheung]

Hi @Federico2014 Thanks for the detailed follow-up. This addresses my main concerns, and the overall direction looks good.

Two small follow-ups from my side:

1. Since CommonParameter.java still uses // clearParam: ... comments for many fields, it may be more consistent to update this one to // clearParam: false rather than removing it entirely, unless you plan to clean up that convention more broadly.

2. Since addExact / subtractExact may surface as ArithmeticException, please make sure the exposed RPC/HTTP paths return a stable and clear user-facing validation error rather than inconsistent generic internal errors, and cover that behavior in tests.

It would also help to make the migration note explicit about the exact opt-in key (node.allowShieldedTransactionApi = true) and the deprecated legacy key for compatibility.

[Federico2014]

Hi @waynercheung, thanks for the detailed review. Will address your points accordingly:

1. clearParam comment: Will update to // clearParam: false rather than removing it, to stay consistent with the existing convention in CommonParameter.java.
2. addExact overflow handling: Will add explicit tests covering the ArithmeticException → ZksnarkException → RPC error path, to verify the overflow surfaces as a stable, user-facing validation error rather than a generic internal one.
3. Migration note: Will update config.conf to explicitly call out the opt-in key (node.allowShieldedTransactionApi = true) and note that node.fullNodeAllowShieldedTransaction is deprecated and should be migrated to the new key.