refactor(abstract-utxo): reduce test boilerplate

- util/address.ts: Extract getWalletAddress helper from psbt.ts for
  generating addresses from RootWalletKeys, enabling dynamic address
  generation in tests instead of hardcoded values

- util/nockBitGo.ts: Add nockWalletKeys helper to encapsulate the
  repeated pattern of mocking wallet key fetch endpoints, reducing
  10+ lines of boilerplate per test to a single function call

- util/index.ts: Export nockBitGo and address utilities so they're
  accessible from the central util import

- postProcessPrebuild.ts: Use getUtxoCoin('tbtc') instead of manual
  TestBitGo setup, and generate output address dynamically instead
  of hardcoding

- testSpoofTransaction.ts: Replace hardcoded addresses with dynamically
  generated ones using wallet keys vs attacker keys, making the test
  intent clearer. Use nockBitGo() and nockWalletKeys() to eliminate
  URL extraction and key mocking boilerplate

Co-authored-by: Cursor <cursoragent@cursor.com>

TICKET: BTC-2650

Author: OttoAllmendinger

modules/abstract-utxo/test/unit/postProcessPrebuild.ts

@@ -1,34 +1,23 @@
 import 'should';
 
-import { type TestBitGoAPI, TestBitGo } from '@bitgo/sdk-test';
-import { BitGoAPI } from '@bitgo/sdk-api';
 import { fixedScriptWallet } from '@bitgo/wasm-utxo';
 import * as testutils from '@bitgo/wasm-utxo/testutils';
 
-import { Tbtc } from '../../src/impl/btc';
-
-import { constructPsbt } from './util';
+import { constructPsbt, getWalletAddress, getUtxoCoin } from './util';
 
 const { BitGoPsbt } = fixedScriptWallet;
 
 describe('Post Build Validation', function () {
-  let bitgo: TestBitGoAPI;
-  let coin: Tbtc;
-
-  before(function () {
-    bitgo = TestBitGo.decorate(BitGoAPI, { env: 'test' });
-    bitgo.safeRegister('tbtc', Tbtc.createInstance);
-    bitgo.initializeTestVars();
-    coin = bitgo.coin('tbtc') as Tbtc;
-  });
+  const coin = getUtxoCoin('tbtc');
 
   it('should not modify locktime on postProcessPrebuild', async function () {
     const walletKeys = testutils.getDefaultWalletKeys();
+    const walletAddress = getWalletAddress('tbtc', walletKeys);
 
     // Create a PSBT with lockTime=0 and sequence=0xffffffff
     const psbt = constructPsbt(
       [{ scriptType: 'p2wsh' as const, value: BigInt(100000) }],
-      [{ address: 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7', value: BigInt(90000) }],
+      [{ address: walletAddress, value: BigInt(90000) }],
       'tbtc',
       walletKeys,
       { lockTime: 0, sequence: 0xffffffff }

modules/abstract-utxo/test/unit/recovery/backupKeyRecovery.ts

@@ -8,11 +8,11 @@ import { BIP32, ECPair, fixedScriptWallet } from '@bitgo/wasm-utxo';
 import { AbstractUtxoCoin, backupKeyRecoveryWithWalletUnspents } from '../../../src';
 import type { WalletUnspent } from '../../../src/unspent';
 import {
+  createWasmWalletKeys,
   getDefaultWasmWalletKeys,
   getFixture,
   getNormalTestnetCoin,
   getWalletAddress,
-  getWalletKeys,
   toUnspent,
   utxoCoins,
 } from '../util';
@@ -48,7 +48,7 @@ function run(
   const defaultFeeRateSatB = 100;
 
   describe(`Backup Key Recovery PSBT [${[coin.getChain(), ...tags].join(',')}]`, function () {
-    const externalWallet = getWalletKeys('external');
+    const { walletKeys: externalWallet } = createWasmWalletKeys('external');
     const recoveryDestination = getWalletAddress(coin.name, externalWallet);
     const fixtureCoin = getNormalTestnetCoin(coin);
     // Get xpubs from wallet keys

modules/abstract-utxo/test/unit/recovery/backupKeyRecoveryUnspentGathering.ts

@@ -13,12 +13,12 @@ import {
 } from '../../../src';
 import type { Unspent } from '../../../src/unspent';
 import {
+  createWasmWalletKeys,
   defaultBitGo,
   encryptKeychain,
   getDefaultWasmWalletKeys,
   getMinUtxoCoins,
   getWalletAddress,
-  getWalletKeys,
   keychainsBase58,
   toUnspentWithPrevTx,
   WalletUnspentWithPrevTx,
@@ -79,7 +79,7 @@ describe('Backup Key Recovery - Unspent Gathering', function () {
 
   getMinUtxoCoins().forEach((coin) => {
     describe(`Unspent Gathering [${coin.getChain()}]`, function () {
-      const externalWallet = getWalletKeys('external');
+      const { walletKeys: externalWallet } = createWasmWalletKeys('external');
       const recoveryDestination = getWalletAddress(coin.name, externalWallet);
 
       before('mock', function () {

modules/abstract-utxo/test/unit/recovery/formatBackupKeyRecoveryResult.ts

@@ -10,10 +10,10 @@ import {
 } from '../../../src';
 import type { WalletUnspent } from '../../../src/unspent';
 import {
+  createWasmWalletKeys,
   getDefaultWasmWalletKeys,
   getFixture,
   getWalletAddress,
-  getWalletKeys,
   shouldEqualJSON,
   toUnspent,
   utxoCoins,
@@ -52,7 +52,7 @@ function clonePsbt(psbt: fixedScriptWallet.BitGoPsbt): fixedScriptWallet.BitGoPs
 }
 
 describe('formatBackupKeyRecoveryResult', function () {
-  const externalWallet = getWalletKeys('external');
+  const { walletKeys: externalWallet } = createWasmWalletKeys('external');
   const recoveryDestination = getWalletAddress(coin.name, externalWallet);
   const feeRateSatVB = 100;
 

modules/abstract-utxo/test/unit/testSpoofTransaction.ts

@@ -1,62 +1,40 @@
 import assert from 'assert';
 
-import { type TestBitGoAPI, TestBitGo } from '@bitgo/sdk-test';
-import { BitGoAPI, encrypt } from '@bitgo/sdk-api';
 import * as testutils from '@bitgo/wasm-utxo/testutils';
 import { Wallet } from '@bitgo/sdk-core';
 
-import { Tbtc } from '../../src/impl/btc';
-
-import { constructPsbt } from './util';
+import { constructPsbt, getWalletAddress, getUtxoCoin, defaultBitGo, nockBitGo, nockWalletKeys } from './util';
 
 describe('Transaction Spoofability Tests', function () {
-  describe('Unspent management spoofability - Consolidation (BUILD_SIGN_SEND)', function () {
-    let coin: Tbtc;
-    let bitgoTest: TestBitGoAPI;
-
-    before(function () {
-      bitgoTest = TestBitGo.decorate(BitGoAPI, { env: 'test' });
-      bitgoTest.safeRegister('tbtc', Tbtc.createInstance);
-      bitgoTest.initializeTestVars();
-      coin = bitgoTest.coin('tbtc') as Tbtc;
-    });
+  const coin = getUtxoCoin('tbtc');
 
-    it('should detect hex spoofing in BUILD_SIGN_SEND', async function (): Promise<void> {
+  describe('Unspent management spoofability - Consolidation (BUILD_SIGN_SEND)', function () {
+    it('should detect spoofed consolidation to attacker address', async function (): Promise<void> {
       const keyTriple = testutils.getKeyTriple('default');
-      const rootWalletKey = testutils.getDefaultWalletKeys();
-      const [user] = keyTriple;
+      const walletKeys = testutils.getDefaultWalletKeys();
+      const attackerKeys = testutils.getWalletKeysForSeed('attacker');
 
-      const wallet = new Wallet(bitgoTest, coin, {
+      const wallet = new Wallet(defaultBitGo, coin, {
         id: '5b34252f1bf349930e34020a',
         coin: 'tbtc',
         keys: ['user', 'backup', 'bitgo'],
       });
 
-      // originalPsbt is created to show what the legitimate transaction would look like
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      const originalPsbt = constructPsbt(
-        [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7', value: BigInt(9000) }],
-        'tbtc',
-        rootWalletKey
-      );
+      // The attacker replaces the legitimate wallet address with their own
+      const attackerAddress = getWalletAddress('tbtc', attackerKeys);
       const spoofedPsbt = constructPsbt(
         [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1pjgg9ty3s2ztp60v6lhgrw76f7hxydzuk9t9mjsndh3p2gf2ah7gs4850kn', value: BigInt(9000) }],
+        [{ address: attackerAddress, value: BigInt(9000) }],
         'tbtc',
-        rootWalletKey
+        walletKeys // Input uses wallet keys (the funds being stolen)
       );
       const spoofedHex: string = Buffer.from(spoofedPsbt.serialize()).toString('hex');
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const bgUrl: string = (bitgoTest as any)._baseUrl;
-      const nock = require('nock');
-
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/consolidateUnspents`)
         .reply(200, { txHex: spoofedHex, consolidateId: 'test' });
 
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/tx/send`)
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         .reply((requestBody: any) => {
@@ -66,15 +44,7 @@ describe('Transaction Spoofability Tests', function () {
           return [200, { txid: 'test-txid-123', status: 'signed' }];
         });
 
-      const pubs = keyTriple.map((k) => k.neutered().toBase58());
-      const responses = [
-        { pub: pubs[0], encryptedPrv: encrypt('pass', user.toBase58()) },
-        { pub: pubs[1] },
-        { pub: pubs[2] },
-      ];
-      wallet
-        .keyIds()
-        .forEach((id, i) => nock(bgUrl).get(`/api/v2/${wallet.coin()}/key/${id}`).reply(200, responses[i]));
+      nockWalletKeys(wallet, keyTriple, 'pass');
 
       await assert.rejects(
         wallet.consolidateUnspents({ walletPassphrase: 'pass' }),
@@ -87,53 +57,32 @@ describe('Transaction Spoofability Tests', function () {
   });
 
   describe('Unspent management spoofability - Fanout (BUILD_SIGN_SEND)', function () {
-    let coin: Tbtc;
-    let bitgoTest: TestBitGoAPI;
-
-    before(function () {
-      bitgoTest = TestBitGo.decorate(BitGoAPI, { env: 'test' });
-      bitgoTest.safeRegister('tbtc', Tbtc.createInstance);
-      bitgoTest.initializeTestVars();
-      coin = bitgoTest.coin('tbtc') as Tbtc;
-    });
-
-    it('should detect hex spoofing in fanout BUILD_SIGN_SEND', async function (): Promise<void> {
+    it('should detect spoofed fanout to attacker address', async function (): Promise<void> {
       const keyTriple = testutils.getKeyTriple('default');
-      const rootWalletKey = testutils.getDefaultWalletKeys();
-      const [user] = keyTriple;
+      const walletKeys = testutils.getDefaultWalletKeys();
+      const attackerKeys = testutils.getWalletKeysForSeed('attacker');
 
-      const wallet = new Wallet(bitgoTest, coin, {
+      const wallet = new Wallet(defaultBitGo, coin, {
         id: '5b34252f1bf349930e34020a',
         coin: 'tbtc',
         keys: ['user', 'backup', 'bitgo'],
       });
 
-      // originalPsbt is created to show what the legitimate transaction would look like
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      const originalPsbt = constructPsbt(
-        [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7', value: BigInt(9000) }],
-        'tbtc',
-        rootWalletKey
-      );
-
+      // The attacker replaces the legitimate wallet address with their own
+      const attackerAddress = getWalletAddress('tbtc', attackerKeys);
       const spoofedPsbt = constructPsbt(
         [{ scriptType: 'p2wsh' as const, value: BigInt(10000) }],
-        [{ address: 'tb1pjgg9ty3s2ztp60v6lhgrw76f7hxydzuk9t9mjsndh3p2gf2ah7gs4850kn', value: BigInt(9000) }],
+        [{ address: attackerAddress, value: BigInt(9000) }],
         'tbtc',
-        rootWalletKey
+        walletKeys // Input uses wallet keys (the funds being stolen)
       );
       const spoofedHex: string = Buffer.from(spoofedPsbt.serialize()).toString('hex');
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const bgUrl: string = (bitgoTest as any)._baseUrl;
-      const nock = require('nock');
-
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/fanoutUnspents`)
         .reply(200, { txHex: spoofedHex, fanoutId: 'test' });
 
-      nock(bgUrl)
+      nockBitGo()
         .post(`/api/v2/${wallet.coin()}/wallet/${wallet.id()}/tx/send`)
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         .reply((requestBody: any) => {
@@ -143,15 +92,7 @@ describe('Transaction Spoofability Tests', function () {
           return [200, { txid: 'test-txid-123', status: 'signed' }];
         });
 
-      const pubs = keyTriple.map((k) => k.neutered().toBase58());
-      const responses = [
-        { pub: pubs[0], encryptedPrv: encrypt('pass', user.toBase58()) },
-        { pub: pubs[1] },
-        { pub: pubs[2] },
-      ];
-      wallet
-        .keyIds()
-        .forEach((id, i) => nock(bgUrl).get(`/api/v2/${wallet.coin()}/key/${id}`).reply(200, responses[i]));
+      nockWalletKeys(wallet, keyTriple, 'pass');
 
       await assert.rejects(
         wallet.fanoutUnspents({ walletPassphrase: 'pass' }),

modules/abstract-utxo/test/unit/util/address.ts

@@ -0,0 +1,24 @@
+import * as utxolib from '@bitgo/utxo-lib';
+import { fixedScriptWallet, type CoinName } from '@bitgo/wasm-utxo';
+
+const { ChainCode } = fixedScriptWallet;
+
+type UtxolibRootWalletKeys = utxolib.bitgo.RootWalletKeys;
+type WasmRootWalletKeys = fixedScriptWallet.RootWalletKeys;
+type RootWalletKeys = UtxolibRootWalletKeys | WasmRootWalletKeys;
+
+const defaultChain = ChainCode.value('p2sh', 'external');
+
+/**
+ * Generate a wallet address from RootWalletKeys.
+ * Supports both utxolib and wasm-utxo RootWalletKeys.
+ * Utxolib keys are converted to wasm-utxo keys for address generation.
+ */
+export function getWalletAddress(
+  coinName: CoinName,
+  walletKeys: RootWalletKeys,
+  chain = defaultChain,
+  index = 0
+): string {
+  return fixedScriptWallet.address(walletKeys, chain, index, coinName);
+}

modules/abstract-utxo/test/unit/util/index.ts

@@ -5,3 +5,5 @@ export * from './wallet';
 export * from './unspents';
 export * from './transaction';
 export * from './psbt';
+export * from './address';
+export * from './nockBitGo';

modules/abstract-utxo/test/unit/util/keychains.ts

@@ -1,7 +1,7 @@
 import { Triple } from '@bitgo/sdk-core';
 import { encrypt } from '@bitgo/sdk-api';
 import { getSeed } from '@bitgo/sdk-test';
-import { bip32, BIP32Interface, bitgo, testutil } from '@bitgo/utxo-lib';
+import { bip32, BIP32Interface, bitgo } from '@bitgo/utxo-lib';
 import { BIP32 as WasmBIP32, fixedScriptWallet } from '@bitgo/wasm-utxo';
 
 type RootWalletKeys = bitgo.RootWalletKeys;
@@ -93,13 +93,16 @@ export function getWalletKeys(seed: string): RootWalletKeys {
 
 /**
  * Create test wallet keys from a seed string.
- * Returns xpubs and xprivs as base58 strings.
+ * Uses the same seed generation as getWalletKeys (getSeed('seed/i'))
+ * to ensure compatibility with existing test fixtures.
  */
 export function createTestWalletKeys(seed: string): {
   xpubs: Triple<string>;
   xprivs: Triple<string>;
 } {
-  const keys = testutil.getKeyTriple(seed);
+  const keys = Array.from({ length: 3 }).map((_, i) =>
+    bip32.fromSeed(getSeed(`${seed}/${i}`))
+  ) as Triple<BIP32Interface>;
   return {
     xpubs: keys.map((k) => k.neutered().toBase58()) as Triple<string>,
     xprivs: keys.map((k) => k.toBase58()) as Triple<string>,

modules/abstract-utxo/test/unit/util/nockBitGo.ts

@@ -1,9 +1,26 @@
 import nock = require('nock');
-import { Environment, Environments } from '@bitgo/sdk-core';
+import { encrypt } from '@bitgo/sdk-api';
+import { Environment, Environments, Wallet } from '@bitgo/sdk-core';
+import { BIP32, Triple } from '@bitgo/wasm-utxo';
 
 import { defaultBitGo } from './utxoCoins';
 
 export function nockBitGo(bitgo = defaultBitGo): nock.Scope {
   const env = Environments[bitgo.getEnv()] as Environment;
   return nock(env.uri);
 }
+
+/**
+ * Mock the key fetching endpoints for a wallet.
+ * Sets up nock to return the key triple with the user key encrypted.
+ */
+export function nockWalletKeys(wallet: Wallet, keyTriple: Triple<BIP32>, userPassphrase: string): void {
+  const [user] = keyTriple;
+  const pubs = keyTriple.map((k) => k.neutered().toBase58());
+  const responses = [
+    { pub: pubs[0], encryptedPrv: encrypt(userPassphrase, user.toBase58()) },
+    { pub: pubs[1] },
+    { pub: pubs[2] },
+  ];
+  wallet.keyIds().forEach((id, i) => nockBitGo().get(`/api/v2/${wallet.coin()}/key/${id}`).reply(200, responses[i]));
+}