| Version | Supported |
|---|---|
| 1.0.x | ✅ |

We take security seriously. If you discover a security vulnerability, please report it responsibly.

Do NOT open a public issue.

Instead, please report security concerns privately by creating a security advisory on GitHub.

This extension is designed with security in mind:

- No Private Keys: We never store, transmit, or handle private keys
- Read-Only: All operations are read-only RPC calls
- Local Storage: User data is stored only in browser storage (Firefox Sync)
- No External Dependencies: Minimal attack surface, no external scripts loaded
- CSP Compliant: Content Security Policy compliant code injection

The extension does NOT:

- ❌ Store private keys or seed phrases
- ❌ Sign transactions or messages
- ❌ Execute remote code
- ❌ Collect user data or analytics
- ❌ Make outbound connections except to user-configured RPC endpoints

The extension does:

- ✅ Forward read-only RPC calls to configured endpoints
- ✅ Store user addresses in browser storage
- ✅ Reject all signing requests with user notifications

The extension code is open source and can be audited by anyone. All functionality is contained in the `src/` directory.

We appreciate responsible disclosure of security issues.