From b270190c8e40ee4b0b88f042ac9ad7c516d907cb Mon Sep 17 00:00:00 2001
From: 0X-SquidSol <david.laszczynski@gmail.com>
Date: Tue, 7 Apr 2026 20:53:21 -0400
Subject: [PATCH] fix: zero temporary key buffers after keypair creation in CSV
 import

During CSV wallet recovery, intermediate buffers from Buffer.from() and
bs58.decode() containing raw private key bytes were left in memory after
Keypair creation. These temporary buffers are now explicitly zeroed with
.fill(0) immediately after use to minimize the window for key material
exposure in process memory.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 electron/services/RecoveryService.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/electron/services/RecoveryService.ts b/electron/services/RecoveryService.ts
index 9311947..758d212 100644
--- a/electron/services/RecoveryService.ts
+++ b/electron/services/RecoveryService.ts
@@ -112,12 +112,15 @@ export function loadCsvFile(csvPath: string): { count: number; path: string } {
       if (line.includes(',')) {
         const hex = line.split(',')[1]?.trim()
         if (!hex) continue
-        kp = Keypair.fromSecretKey(Buffer.from(hex, 'hex'))
+        const keyBuffer = Buffer.from(hex, 'hex')
+        kp = Keypair.fromSecretKey(keyBuffer)
+        keyBuffer.fill(0)
       } else {
         const decoded = bs58.decode(line)
         kp = decoded.length === 64
           ? Keypair.fromSecretKey(decoded)
           : Keypair.fromSeed(decoded.slice(0, 32))
+        decoded.fill(0)
       }
       const pub = kp.publicKey.toBase58()
       if (!keypairs.has(pub)) keypairs.set(pub, kp)