From 6b1755e6d14e3f2eeb372f5cc0e3aa000211c8ee Mon Sep 17 00:00:00 2001
From: kongwen686 <chaoqiang.tian01@gmail.com>
Date: Sun, 17 May 2026 01:23:09 +0800
Subject: [PATCH] fix(sdk): use crypto randomness for deploy salts

---
 .../__tests__/ContractDeployer.edge.test.ts   | 20 +++++++++++++++++++
 packages/sdk/src/deployer/ContractDeployer.ts |  5 ++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/packages/sdk/src/__tests__/ContractDeployer.edge.test.ts b/packages/sdk/src/__tests__/ContractDeployer.edge.test.ts
index 894a9be..89e6f3a 100644
--- a/packages/sdk/src/__tests__/ContractDeployer.edge.test.ts
+++ b/packages/sdk/src/__tests__/ContractDeployer.edge.test.ts
@@ -550,6 +550,26 @@ describe('ContractDeployer — edge cases', () => {
       expect(Buffer.compare(lastSalt1 ?? Buffer.alloc(0), lastSalt2 ?? Buffer.alloc(1))).not.toBe(0);
     });
 
+    it('generates 32-byte salts with crypto randomness, independent of Math.random', () => {
+      const mathRandom = vi.spyOn(Math, 'random').mockReturnValue(0.5);
+
+      try {
+        const privateDeployer = deployer as unknown as { randomSalt: () => Buffer };
+        const salt1 = privateDeployer.randomSalt();
+        const salt2 = privateDeployer.randomSalt();
+        const mathRandomSalt = Buffer.alloc(32, 128);
+
+        expect(salt1).toHaveLength(32);
+        expect(salt2).toHaveLength(32);
+        expect(salt1.equals(mathRandomSalt)).toBe(false);
+        expect(salt2.equals(mathRandomSalt)).toBe(false);
+        expect(Buffer.compare(salt1, salt2)).not.toBe(0);
+        expect(mathRandom).not.toHaveBeenCalled();
+      } finally {
+        mathRandom.mockRestore();
+      }
+    });
+
     it('different passphrase => hash() called with different passphrase bytes', async () => {
       const { hash: mockHash } = await import('@stellar/stellar-sdk');
       const salt = Buffer.alloc(32, 0x55);
diff --git a/packages/sdk/src/deployer/ContractDeployer.ts b/packages/sdk/src/deployer/ContractDeployer.ts
index 37ff7ca..05598ed 100644
--- a/packages/sdk/src/deployer/ContractDeployer.ts
+++ b/packages/sdk/src/deployer/ContractDeployer.ts
@@ -1,3 +1,4 @@
+import { randomBytes } from 'node:crypto';
 import {
   Keypair,
   TransactionBuilder,
@@ -552,9 +553,7 @@ export class ContractDeployer {
   }
 
   private randomSalt(): Buffer {
-    const buf = Buffer.alloc(32);
-    for (let i = 0; i < 32; i++) buf[i] = Math.floor(Math.random() * 256);
-    return buf;
+    return randomBytes(32);
   }
 }