security: clear decrypted secrets after use (best-effort)

2026-02-27 11:36:38 -08:00
parent f13cd0fd47
commit eec96f9054
2 changed files with 11 additions and 1 deletions
--- a/src/popup/views/confirmTx.js
+++ b/src/popup/views/confirmTx.js
@@ -334,8 +334,13 @@ function init(ctx) {
                tx = await contract.transfer(pendingTx.to, amount);
            }

+            // Best-effort: clear decrypted secret after use.
+            // Note: JS strings are immutable; this nulls the reference but
+            // the original string may persist in memory until GC.
+            decryptedSecret = null;
            txStatus.showWait(pendingTx, tx.hash);
        } catch (e) {
+            decryptedSecret = null;
            const hash = tx ? tx.hash : null;
            txStatus.showError(pendingTx, hash, e.shortMessage || e.message);
        }