From f507f7786670af2e4ad02ecba6ca9e1b03f26c80 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 03:17:36 +0000
Subject: [PATCH 1/2] Initial plan


From 9e3b710ce46bc23f985aa25f63f40da12dc52803 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 03:22:32 +0000
Subject: [PATCH 2/2] Secure pubKey cleanup in EVM deriveChild function

Co-authored-by: Corey-Code <37006206+Corey-Code@users.noreply.github.com>
---
 src/lib/crypto/evm.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/lib/crypto/evm.ts b/src/lib/crypto/evm.ts
index 699f2cf..470551a 100644
--- a/src/lib/crypto/evm.ts
+++ b/src/lib/crypto/evm.ts
@@ -49,6 +49,7 @@ function deriveChild(
   let currentIndex = index;
 
   const intermediates: Uint8Array[] = [];
+  let pubKey: Uint8Array | null = null;
 
   try {
     // Retry derivation with subsequent indices if we hit invalid values as per BIP32
@@ -65,7 +66,11 @@ function deriveChild(
         data.set(indexBytes, 33);
       } else {
         // Normal derivation: public key || index
-        const pubKey = secp256k1.getPublicKey(parentKey, true);
+        // Clean up old pubKey if this is a retry
+        if (pubKey !== null) {
+          secureZero(pubKey);
+        }
+        pubKey = secp256k1.getPublicKey(parentKey, true);
         data.set(pubKey, 0);
         const indexBytes = new Uint8Array(4);
         new DataView(indexBytes.buffer).setUint32(0, currentIndex, false);
@@ -106,6 +111,9 @@ function deriveChild(
     throw new Error('Unable to derive valid child key after multiple attempts');
   } finally {
     // Zero out all intermediate data
+    if (pubKey !== null) {
+      secureZero(pubKey);
+    }
     for (const arr of intermediates) {
       if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
         crypto.getRandomValues(arr);