fix(dpp): bind unshielding_amount to sighash in client builders

QuantumExplorer · claude · QuantumExplorer · commit 09a2ad7de021 · 2026-03-17T15:52:47.000+07:00
The server-side proof verification (shielded_proof.rs) binds both the
destination and unshielding_amount to the Orchard sighash, but the
client-side builders only bound the destination. This mismatch caused
every Unshield and ShieldedWithdrawal transition built with rs-dpp or
rs-sdk-ffi to fail proof verification on the platform.

Fixed in 4 locations:
- rs-dpp builder: unshield.rs, shielded_withdrawal.rs
- rs-sdk-ffi FFI: bundle_build.rs (unshield + withdrawal paths)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/rs-dpp/src/shielded/builder/shielded_withdrawal.rs b/packages/rs-dpp/src/shielded/builder/shielded_withdrawal.rs
@@ -88,8 +88,10 @@ pub fn build_shielded_withdrawal_transition<P: OrchardProver>(
 
     let change_amount = total_spent - required;
 
-    // ShieldedWithdrawal extra_data = output_script.as_bytes()
-    let extra_sighash_data = output_script.as_bytes().to_vec();
+    // ShieldedWithdrawal extra_data = output_script || unshielding_amount (le bytes)
+    // Must match server-side sighash in shielded_proof.rs
+    let mut extra_sighash_data = output_script.as_bytes().to_vec();
+    extra_sighash_data.extend_from_slice(&required.to_le_bytes());
 
     let bundle = build_spend_bundle(
         spends,
diff --git a/packages/rs-dpp/src/shielded/builder/unshield.rs b/packages/rs-dpp/src/shielded/builder/unshield.rs
@@ -80,8 +80,10 @@ pub fn build_unshield_transition<P: OrchardProver>(
 
     let change_amount = total_spent - required;
 
-    // Unshield extra_data = output_address.to_bytes()
-    let extra_sighash_data = output_address.to_bytes();
+    // Unshield extra_data = output_address || unshielding_amount (le bytes)
+    // Must match server-side sighash in shielded_proof.rs
+    let mut extra_sighash_data = output_address.to_bytes();
+    extra_sighash_data.extend_from_slice(&required.to_le_bytes());
 
     let bundle = build_spend_bundle(
         spends,
diff --git a/packages/rs-sdk-ffi/src/shielded/crypto/bundle_build.rs b/packages/rs-sdk-ffi/src/shielded/crypto/bundle_build.rs
@@ -844,8 +844,10 @@ pub unsafe extern "C" fn dash_sdk_shielded_build_unshield_bundle(
 
     let change_amount = total_spent - required;
 
-    // Unshield extra_data = output_address.to_bytes()
-    let extra_sighash_data = output_address.to_bytes();
+    // Unshield extra_data = output_address || unshielding_amount (le bytes)
+    // Must match server-side sighash in shielded_proof.rs
+    let mut extra_sighash_data = output_address.to_bytes();
+    extra_sighash_data.extend_from_slice(&required.to_le_bytes());
 
     let sb = match build_spend_bundle_local(
         spends,
@@ -1017,8 +1019,10 @@ pub unsafe extern "C" fn dash_sdk_shielded_build_withdrawal_bundle(
 
     let change_amount = total_spent - required;
 
-    // ShieldedWithdrawal extra_data = output_script.as_bytes()
-    let extra_sighash_data = core_script.as_bytes().to_vec();
+    // ShieldedWithdrawal extra_data = output_script || unshielding_amount (le bytes)
+    // Must match server-side sighash in shielded_proof.rs
+    let mut extra_sighash_data = core_script.as_bytes().to_vec();
+    extra_sighash_data.extend_from_slice(&required.to_le_bytes());
 
     let sb = match build_spend_bundle_local(
         spends,
