fix: PRT-1203: Reduce critical Snyk errors on GitHub (#1536)

* Close security issue #104

* Close security issue #90

* Close security issue lavanet#30

* Close security issue #88

* Close security issue lavanet#50

* Fix breaking changes in new btcd version

ecosystem/lava-sdk/package.json

@@ -36,8 +36,8 @@
     "@types/seedrandom": "^3.0.6",
     "http-server": "^14.1.1",
     "typescript": "^4.8.4",
-    "webpack": "^5.74.0",
-    "webpack-cli": "^4.10.0"
+    "webpack": "^5.92.1",
+    "webpack-cli": "^5.1.4"
   },
   "dependencies": {
     "@cosmjs/amino": "^0.29.4",
@@ -65,7 +65,7 @@
     "long": "^5.2.1",
     "lru-cache": "^10.0.1",
     "prettier": "^2.8.0",
-    "protobufjs": "^7.1.2",
+    "protobufjs": "7.2.5",
     "protoc-gen-js": "^3.21.2",
     "random": "3.0.4",
     "rxjs": "^7.5.7",

go.mod

@@ -4,14 +4,14 @@ go 1.20
 
 require (
 	github.com/99designs/keyring v1.2.1 // indirect
-	github.com/btcsuite/btcd v0.22.2
+	github.com/btcsuite/btcd v0.23.2
 	github.com/cometbft/cometbft v0.37.4
 	github.com/cometbft/cometbft-db v0.8.0
 	github.com/confio/ics23/go v0.9.0 // indirect
 	github.com/cosmos/cosmos-sdk v0.47.10
-	github.com/cosmos/ibc-go/v7 v7.3.1
+	github.com/cosmos/ibc-go/v7 v7.4.0
 	github.com/ethereum/go-ethereum v1.10.18
-	github.com/gofiber/fiber/v2 v2.50.0
+	github.com/gofiber/fiber/v2 v2.52.5
 	github.com/gofiber/websocket/v2 v2.0.22
 	github.com/gogo/protobuf v1.3.3
 	github.com/gorilla/mux v1.8.0
@@ -61,9 +61,16 @@ require (
 	cosmossdk.io/log v1.3.1 // indirect
 	cosmossdk.io/tools/rosetta v0.2.1 // indirect
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
+	github.com/aead/siphash v1.0.1 // indirect
 	github.com/aws/aws-sdk-go v1.44.203 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/btcsuite/btcd/btcec/v2 v2.3.2 // indirect
+	github.com/btcsuite/btcd/btcutil v1.1.2 // indirect
+	github.com/btcsuite/btcd/chaincfg/chainhash v1.0.1 // indirect
+	github.com/btcsuite/btclog v0.0.0-20170628155309-84c8d2346e9f // indirect
+	github.com/btcsuite/go-socks v0.0.0-20170105172521-4720035b7bfd // indirect
+	github.com/btcsuite/websocket v0.0.0-20150119174127-31079b680792 // indirect
+	github.com/btcsuite/winsvc v1.0.0 // indirect
 	github.com/bufbuild/protocompile v0.4.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
@@ -75,7 +82,9 @@ require (
 	github.com/cosmos/ics23/go v0.10.0 // indirect
 	github.com/cosmos/rosetta-sdk-go v0.10.0 // indirect
 	github.com/creachadair/taskgroup v0.4.2 // indirect
+	github.com/decred/dcrd/crypto/blake256 v1.0.0 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
+	github.com/decred/dcrd/lru v1.0.0 // indirect
 	github.com/getsentry/sentry-go v0.23.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -85,7 +94,7 @@ require (
 	github.com/google/flatbuffers v1.12.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/google/uuid v1.4.0 // indirect
+	github.com/google/uuid v1.5.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -94,7 +103,10 @@ require (
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/huandu/skiplist v1.2.0 // indirect
 	github.com/iancoleman/orderedmap v0.2.0 // indirect
+	github.com/jessevdk/go-flags v1.4.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jrick/logrotate v1.0.0 // indirect
+	github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/linxGnu/grocksdb v1.7.16 // indirect
@@ -171,7 +183,7 @@ require (
 	github.com/improbable-eng/grpc-web v0.15.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmhodges/levigo v1.0.0 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/compress v1.17.0 // indirect
 	github.com/lib/pq v1.10.7 // indirect
 	github.com/libp2p/go-buffer-pool v0.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -205,7 +217,7 @@ require (
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
 	github.com/tklauser/numcpus v0.4.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasthttp v1.50.0 // indirect
+	github.com/valyala/fasthttp v1.51.0 // indirect
 	github.com/valyala/tcplisten v1.0.0 // indirect
 	github.com/zondax/hid v0.9.2 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect

protocol/badgegenerator/server.go

@@ -11,7 +11,7 @@ import (
 
 	"google.golang.org/grpc/metadata"
 
-	btcSecp256k1 "github.com/btcsuite/btcd/btcec"
+	btcSecp256k1 "github.com/btcsuite/btcd/btcec/v2"
 	"github.com/lavanet/lava/protocol/badgegenerator/grpc"
 	"github.com/lavanet/lava/protocol/lavasession"
 	"github.com/lavanet/lava/utils"
@@ -271,7 +271,7 @@ func (s *Server) addPairingListToResponse(request *pairingtypes.GenerateBadgeReq
 // note this update the signature of the response
 func signTheResponse(privateKeyString string, response *pairingtypes.GenerateBadgeResponse) error {
 	privateKeyBytes, _ := hex.DecodeString(privateKeyString)
-	privateKey, _ := btcSecp256k1.PrivKeyFromBytes(btcSecp256k1.S256(), privateKeyBytes)
+	privateKey, _ := btcSecp256k1.PrivKeyFromBytes(privateKeyBytes)
 	signature, err := sigs.Sign(privateKey, *response.Badge)
 	if err != nil {
 		return err

protocol/badgeserver/server.go

@@ -9,7 +9,7 @@ import (
 
 	"google.golang.org/grpc/metadata"
 
-	btcSecp256k1 "github.com/btcsuite/btcd/btcec"
+	btcSecp256k1 "github.com/btcsuite/btcd/btcec/v2"
 	"github.com/cosmos/cosmos-sdk/client"
 	"github.com/lavanet/lava/protocol/chainlib"
 	"github.com/lavanet/lava/protocol/lavasession"

protocol/lavaprotocol/request_builder.go

@@ -5,7 +5,7 @@ import (
 	"context"
 	"encoding/binary"
 
-	"github.com/btcsuite/btcd/btcec"
+	"github.com/btcsuite/btcd/btcec/v2"
 	"github.com/lavanet/lava/protocol/common"
 	"github.com/lavanet/lava/protocol/lavasession"
 	"github.com/lavanet/lava/utils"

protocol/lavaprotocol/response_builder.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/goccy/go-json"
 
-	btcSecp256k1 "github.com/btcsuite/btcd/btcec"
+	btcSecp256k1 "github.com/btcsuite/btcd/btcec/v2"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	"github.com/lavanet/lava/utils"
 	"github.com/lavanet/lava/utils/lavaslices"

protocol/rpcconsumer/rpcconsumer_server.go

@@ -9,7 +9,7 @@ import (
 	"time"
 
 	sdkerrors "cosmossdk.io/errors"
-	"github.com/btcsuite/btcd/btcec"
+	"github.com/btcsuite/btcd/btcec/v2"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	"github.com/lavanet/lava/protocol/chainlib"
 	"github.com/lavanet/lava/protocol/chainlib/chainproxy/rpcclient"

protocol/rpcprovider/rpcprovider.go

@@ -10,7 +10,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/btcsuite/btcd/btcec"
+	"github.com/btcsuite/btcd/btcec/v2"
 	"github.com/cosmos/cosmos-sdk/client"
 	"github.com/cosmos/cosmos-sdk/client/config"
 	"github.com/cosmos/cosmos-sdk/client/flags"

protocol/rpcprovider/rpcprovider_server.go

@@ -10,7 +10,7 @@ import (
 	"github.com/goccy/go-json"
 
 	sdkerrors "cosmossdk.io/errors"
-	"github.com/btcsuite/btcd/btcec"
+	"github.com/btcsuite/btcd/btcec/v2"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	"github.com/gogo/status"
 	"github.com/lavanet/lava/protocol/chainlib"

utils/sigs/sigs.go

@@ -10,15 +10,14 @@
 package sigs
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"math/rand"
 
-	btcSecp256k1 "github.com/btcsuite/btcd/btcec"
+	btcSecp256k1 "github.com/btcsuite/btcd/btcec/v2"
+	btcSecp256k1Ecdsa "github.com/btcsuite/btcd/btcec/v2/ecdsa"
 	tendermintcrypto "github.com/cometbft/cometbft/crypto"
 	"github.com/cosmos/cosmos-sdk/client"
 	"github.com/cosmos/cosmos-sdk/crypto"
@@ -62,7 +61,7 @@ func Sign(pkey *btcSecp256k1.PrivateKey, data Signable) ([]byte, error) {
 		msgData = HashMsg(msgData)
 	}
 
-	sig, err := btcSecp256k1.SignCompact(btcSecp256k1.S256(), pkey, msgData, false)
+	sig, err := btcSecp256k1Ecdsa.SignCompact(pkey, msgData, false)
 	if err != nil {
 		return nil, err
 	}
@@ -95,7 +94,7 @@ func RecoverPubKey(data Signable) (secp256k1.PubKey, error) {
 	}
 
 	// Recover public key from signature
-	recPub, _, err := btcSecp256k1.RecoverCompact(btcSecp256k1.S256(), sig, msgData)
+	recPub, _, err := btcSecp256k1Ecdsa.RecoverCompact(sig, msgData)
 	if err != nil {
 		return secp256k1.PubKey{}, utils.LavaFormatError("RecoverCompact", err,
 			utils.Attribute{Key: "sigLen", Value: len(sig)},
@@ -153,7 +152,7 @@ func GetPrivKey(clientCtx client.Context, keyName string) (*btcSecp256k1.Private
 		return nil, errors.New("incompatible private key algorithm")
 	}
 
-	priv, _ := btcSecp256k1.PrivKeyFromBytes(btcSecp256k1.S256(), privKey.Bytes())
+	priv, _ := btcSecp256k1.PrivKeyFromBytes(privKey.Bytes())
 	return priv, nil
 }
 
@@ -167,7 +166,7 @@ func GenerateFloatingKey() (secretKey *btcSecp256k1.PrivateKey, addr sdk.AccAddr
 	sk := secp256k1.GenPrivKey()
 	PubKey := sk.PubKey()
 	addr = sdk.AccAddress(PubKey.Address())
-	secretKey, _ = btcSecp256k1.PrivKeyFromBytes(btcSecp256k1.S256(), sk.Bytes())
+	secretKey, _ = btcSecp256k1.PrivKeyFromBytes(sk.Bytes())
 	return
 }
 
@@ -211,15 +210,7 @@ func GenerateDeterministicFloatingKey(rand io.Reader) (acc Account) {
 	acc.PubKey = acc.sk.PubKey()
 	acc.Addr = sdk.AccAddress(acc.PubKey.Address())
 	acc.ConsKey = ed25519.GenPrivKeyFromSecret(privkeySeed)
-	acc.SK, _ = btcSecp256k1.PrivKeyFromBytes(btcSecp256k1.S256(), acc.sk.Bytes())
+	acc.SK, _ = btcSecp256k1.PrivKeyFromBytes(acc.sk.Bytes())
 
 	return
 }
-
-func DeterministicNewPrivateKey(curve elliptic.Curve, rand io.Reader) (*btcSecp256k1.PrivateKey, error) {
-	key, err := ecdsa.GenerateKey(curve, rand)
-	if err != nil {
-		return nil, err
-	}
-	return (*btcSecp256k1.PrivateKey)(key), nil
-}