From ed1e29efddf32da75f78109cdcd95e047684acf9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 02:03:38 +0000
Subject: [PATCH 1/2] Initial plan
From 6ffa6384fe7d7088372c8a9d97319f525cb1bf91 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 02:06:14 +0000
Subject: [PATCH 2/2] fix: improve memory safety in deriveBitcoinKeyPairFromSeed by zeroing originals immediately after creating copies
Co-authored-by: Corey-Code <37006206+Corey-Code@users.noreply.github.com>
---
 src/lib/crypto/bitcoin.ts | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/bitcoin.ts b/src/lib/crypto/bitcoin.ts
index c39a7d6..5b3ab23 100644
--- a/src/lib/crypto/bitcoin.ts
+++ b/src/lib/crypto/bitcoin.ts
@@ -415,21 +415,27 @@ export async function deriveBitcoinKeyPairFromSeed(
 // Generate public key
 const publicKey = secp256k1.getPublicKey(key, true);
- // Create copies for return (originals will be zeroed)
- // Use slice() to create proper ArrayBuffer copies
+ // Create copies for return using slice() to create proper ArrayBuffer copies
+ // These copies will be returned to the caller
 const privateKeyCopy = key.slice() as Uint8Array;
 const publicKeyCopy = new Uint8Array(publicKey) as Uint8Array;
+ // Immediately zero the originals after creating copies to minimize
+ // the window where sensitive data exists in memory
+ secureZero(key);
+ secureZero(chainCode);
+
+ // Return copies (originals are now zeroed)
 return {
 privateKey: privateKeyCopy,
 publicKey: publicKeyCopy,
 };
 } finally {
 // Securely zero all intermediate keys
+ // Note: key and chainCode are already zeroed above, but zeroing again is safe
 for (const k of keysToZero) {
 secureZero(k);
 }
- // Zero the final key and chainCode (we returned copies)
 secureZero(key);
 secureZero(chainCode);
 }
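Review bot: The two `secureZero` calls added before the `return` wipe the same buffers that the `finally` block wipes a moment later, and only the construction of the return object runs in between, so the exposure window the new comment describes is not actually shortened. I would keep the `finally` block as the single wipe site, since it also covers the path where an exception is thrown, and drop the early pair. What stays live after this function is `privateKeyCopy`, so the comment worth adding is `// Caller owns the returned privateKey and must zero it when done`. Because the wipe now follows `key.slice()` directly, it is also worth confirming that `key` is a plain Uint8Array: on a Node Buffer `slice()` returns a view over the same memory, whereas `new Uint8Array(key)` copies in either case. The body of deriveBitcoinKeyPairFromSeed begins above the hunk, so the types of `key`, `chainCode` and `keysToZero` are not visible here.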