[Feature]: Bitcoin deposit script validation is missing signer pub key check

[evonide]

(Medium) Bitcoin deposit script validation is missing signer pub key check

1. Description

The block_observer.rs iterates over new Bitcoin blocks and fetches new deposit requests in sbtc/signer/src/block_observer.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc from the Emily API.

These deposit requests contain information such as the Bitcoin txid. It then uses a bitcoin_client to fetch the expected tx from Bitcoin and validates it via validate_tx in sbtc/sbtc/src/deposits.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc.

Note that while the code parses the passed deposit_script and parses it in sbtc/sbtc/src/deposits.rs at 033e2cbd2def829a3e30df77bc274b325d68cdbe · stacks-network/sbtc it currently just returns

    Ok(DepositScriptInputs {
        signers_public_key: XOnlyPublicKey::from_slice(public_key)
            .map_err(Error::InvalidXOnlyPublicKey)?,
        max_fee: u64::from_be_bytes(*max_fee_bytes),
        recipient: stacks_address,
    }

without actually verifying that the signers_public_key is matching the expected signers public key.

Currently, it might be possible to create a deposit script and to specify your own pub key making the deposit non-spendable by the Signers.