Security
We are open about how we protect your funds — what we block, what we audit, and how to report issues. This page is updated with every release.
Security architecture
Keys never leave the device
Private keys and seed phrases are encrypted at rest (AES-256-GCM, PBKDF2-derived key) and decrypted only inside the service worker. They are never sent to any server.
Blind signing is blocked, not warned
Any transaction with calldata that is not a recognised ERC-20 transfer or approval is refused outright. Raw eth_sign and personal_sign over non-human-readable data are not supported.
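As an added illustration of the allow-list described above (example code, not Heldby's own), the check below accepts only empty calldata or a well-formed ERC-20 transfer/approve call and refuses everything else; the selectors are the standard ERC-20 ones, while the function names, the treatment of empty calldata as a plain value transfer, and the sample calldata are this example's own assumptions.

```javascript
// Added example: classify transaction calldata the way the policy above describes.
// Accepted: a plain value transfer (no calldata, assumed allowed here) or a
// well-formed ERC-20 transfer(address,uint256) / approve(address,uint256) call.
// Anything else (unknown selector, extra bytes, bad padding) is refused.

// 4-byte selectors of the two allowed ERC-20 functions (first 4 bytes of keccak256 of the signature).
const ERC20_SELECTORS = {
  "0xa9059cbb": "transfer",
  "0x095ea7b3": "approve",
};

// Returns a description of an accepted call, or null to refuse signing.
function classifyCalldata(data) {
  const hex = (data || "0x").toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex)) return null;        // not hex at all: refuse
  if (hex === "0x") return { kind: "value-transfer" }; // no calldata: plain ETH send
  // selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex chars after "0x"
  if (hex.length !== 2 + 136) return null;            // truncated or trailing bytes: refuse
  const kind = ERC20_SELECTORS[hex.slice(0, 10)];
  if (!kind) return null;                             // unknown selector: refuse
  const addrWord = hex.slice(10, 74);
  const amountWord = hex.slice(74, 138);
  // An ABI-encoded address sits in the low 20 bytes; the high 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(addrWord)) return null;
  return { kind, address: "0x" + addrWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// Signing gate: true means the transaction is blocked outright (no warning dialog).
function shouldBlockSigning(tx) {
  return classifyCalldata(tx.data) === null;
}

// Constructed sample: transfer(0xd8da...6045, 1) encoded by hand for this example.
const SAMPLE_TRANSFER =
  "0xa9059cbb" +
  "000000000000000000000000d8da6bf26964af9d7eed9e03e53415d37aa96045" +
  "0000000000000000000000000000000000000000000000000000000000000001";
```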
PIN re-authentication before every send
The PIN is re-verified against the encrypted vault immediately before signing each transaction. A compromised session cannot send funds without the PIN.
Auto-lock via Manifest V3 sleep
The service worker holds the decrypted key in memory only. MV3 service workers sleep after ~30 seconds of inactivity, automatically wiping the key without any timer code required.
IP privacy via dedicated proxy
All calls to Alchemy (RPC) and CoinGecko (prices) are routed through a Cloudflare Worker proxy. Neither service ever sees user IP addresses or can correlate addresses with identities. The Alchemy API key is stored as a Worker secret and is not present in the extension bundle.
No remote logging
No addresses, balances, transaction data, or user activity is sent to any analytics service. No crash reporting. No telemetry of any kind.
10-second forced delay on contract interactions
Any transaction sent to a smart contract (non-EOA address) triggers a mandatory 10-second countdown before the user can confirm. This prevents UI-spoofing attacks that rush users into approvals.
Known vulnerabilities
No known vulnerabilities in v0.1.0
Past incidents
No past incidents
Responsible disclosure
If you discover a security vulnerability, please report it privately before disclosing it publicly. We aim to respond within 48 hours and to issue a fix or mitigation within 14 days for critical issues.
We will credit researchers by name (or handle) in this page's incident log unless you prefer to remain anonymous.
security@heldby.io
In scope
- Key extraction or decryption without PIN
- Transaction signing without PIN re-authentication
- Blind signing bypass
- Proxy API key extraction from the extension bundle
- Cross-origin data leakage (addresses, balances, history)
- Phishing / UI spoofing that could trick a user into signing a malicious transaction
- Content Security Policy bypass
Out of scope
- Attacks requiring physical access to an already-unlocked device
- Vulnerabilities in Chrome itself or the V8 engine
- Social engineering of Heldby team members
- Rate limiting / denial of service against the proxy
- Issues in third-party dependencies with no demonstrated impact on Heldby users