
fix(core): pin ethereumjs-util to 7.1.5 for correct personal_sign behavior#11216

Merged
originalix merged 1 commit into x from fix/pin-ethereumjs-util-version on Apr 15, 2026

Conversation

Contributor

@limichange limichange commented Apr 14, 2026

Summary

  • Pin ethereumjs-util to version 7.1.5 in @onekeyhq/core package to fix referral code binding signature verification failure

Intent & Context

User reported "Invalid signature" error when binding referral codes via HD wallet. The issue only appeared on local builds after v6.1.0, while production App worked correctly. Investigation revealed a dependency hoisting issue causing incorrect signature generation.

Root Cause

PR #10996 (f45b62fdc3 - "add OneKey CLI") introduced a new package that changed yarn's dependency hoisting strategy:

  • Before: Root node_modules/ethereumjs-util was 7.1.5
  • After: Root node_modules/ethereumjs-util became 5.1.0 (from @starcoin/starcoin)

The behavioral difference between versions:

  • ethereumjs-util@7.1.5: toBuffer() throws error for hex strings without 0x prefix
  • ethereumjs-util@5.1.0: toBuffer() silently treats them as UTF-8 strings

The autoFixPersonalSignMessage() function relies on toBuffer() throwing an error to detect raw hex and add the 0x prefix. When toBuffer() doesn't throw, the raw hex string gets signed as plain text instead of decoded bytes, causing signature verification to fail on the server.

Design Decisions

  • Chosen approach: Add explicit ethereumjs-util@7.1.5 dependency to @onekeyhq/core package
  • Rationale: This pins the version for core's imports without affecting other packages that may need different versions (e.g., @starcoin/starcoin uses 5.1.0)
  • Alternative considered: Global resolution in root package.json - rejected because it would force all packages to use the same version

Changes Detail

  • packages/core/package.json: Added "ethereumjs-util": "7.1.5" to dependencies
  • yarn.lock: Updated to reflect the new dependency

Risk Assessment

  • Risk Level: Low
  • Affected Platforms: All (Extension / Mobile / Desktop / Web)
  • Risk Areas: HD wallet personal_sign operations; minimal risk as this restores previous working behavior

Test plan

  • Verify node_modules/ethereumjs-util version is 7.1.5 after yarn install
  • Test referral code binding flow with HD wallet - should succeed without "Invalid signature" error
  • Verify other signing operations still work correctly

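The root cause described above, as an added example that is not code from the OneKey project: it models the two toBuffer() behaviours the PR contrasts and shows how a prefix fix that depends on an exception silently changes the bytes that get signed under 5.1.0, while a check on the string's shape does not. The function names and the "deadbeef" payload are constructed.

```javascript
// Added example, not code from the OneKey repository. It models the two
// toBuffer() behaviours the PR describes and compares a fix-by-exception
// prefix check with an explicit one. All function names are hypothetical.
const PREFIXED_HEX = /^0x(?:[0-9a-fA-F]{2})*$/; // 0x-prefixed, even length
const RAW_HEX = /^(?:[0-9a-fA-F]{2})+$/;       // hex bytes with no 0x prefix

// Model of ethereumjs-util@7.1.5: toBuffer() throws for un-prefixed strings.
function toBufferV7(v) {
  if (!PREFIXED_HEX.test(v)) {
    throw new Error("toBuffer only supports 0x-prefixed hex strings");
  }
  return Buffer.from(v.slice(2), "hex");
}

// Model of ethereumjs-util@5.1.0: un-prefixed strings are read as UTF-8.
function toBufferV5(v) {
  return PREFIXED_HEX.test(v) ? Buffer.from(v.slice(2), "hex")
                              : Buffer.from(v, "utf8");
}

// The pattern the PR describes: rely on toBuffer() throwing to detect raw hex.
function autoFixByThrow(message, toBuffer) {
  try {
    toBuffer(message);
    return message;            // no throw: assumed already usable
  } catch {
    return "0x" + message;     // throw: assumed raw hex, add the prefix
  }
}

// Version-independent alternative: decide from the string's shape instead.
function autoFixExplicit(message) {
  if (RAW_HEX.test(message)) return "0x" + message;
  return message;              // prefixed hex or plain text: unchanged
}

// Bytes that would actually be signed, as hex, for a given fix + toBuffer pair.
function signedBytesHex(message, fix, toBuffer) {
  return toBuffer(fix(message, toBuffer)).toString("hex");
}

// Constructed referral-style payload: 4 raw hex bytes without a 0x prefix.
const RAW = "deadbeef";
console.log("v7 + throw-based fix :", signedBytesHex(RAW, autoFixByThrow, toBufferV7));
console.log("v5 + throw-based fix :", signedBytesHex(RAW, autoFixByThrow, toBufferV5));
console.log("v5 + explicit fix    :", signedBytesHex(RAW, autoFixExplicit, toBufferV5));
```

Under the 5.1.0 model the throw-based fix signs the eight UTF-8 bytes of the text "deadbeef" rather than the four decoded bytes, which is the server-side "Invalid signature" the PR reports.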

@revan-zhang
Contributor

revan-zhang commented Apr 14, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues



@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.


@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn   Severity: High
Alert: Obfuscated code: npm @onekeyfe/cross-inpage-provider-injected is 75.0% likely obfuscated

Confidence: 0.75

Location: Package overview

From: package.json (npm/@onekeyfe/cross-inpage-provider-injected@2.2.68)


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@onekeyfe/cross-inpage-provider-injected@2.2.68. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn   Severity: High
Alert: Potentially malicious package (AI signal): npm @onekeyfe/cross-inpage-provider-injected is 66.0% likely malicious

Notes: This dependency is not just a standard web3/crypto library: it includes high-signal supply-chain sabotage behavior by globally hijacking React useContext and overriding Object.keys to detect trading/order-like objects and inject builder/fee metadata at runtime, gated by host/session/localStorage conditions. That can silently alter trading/order routing and outcomes. While classic malware exfiltration primitives are not evident in the excerpt, the manipulation technique is itself a serious security risk and should be treated as potentially malicious until verified against known-good upstream source and integrity checks.

Confidence: 0.66

Severity: 0.88

From: package.json (npm/@onekeyfe/cross-inpage-provider-injected@2.2.68)


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Given the AI system's identification of this package as malware, extreme caution is advised. It is recommended to avoid downloading or installing this package until the threat is confirmed or flagged as a false positive.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@onekeyfe/cross-inpage-provider-injected@2.2.68. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@originalix originalix disabled auto-merge April 15, 2026 00:33
@originalix originalix merged commit 54a0cb8 into x Apr 15, 2026
12 checks passed
@originalix originalix deleted the fix/pin-ethereumjs-util-version branch April 15, 2026 00:33