Security Status
We are transparent about how Heldby protects your funds, what audits have been conducted, and how to report issues.
Security Architecture
Core security properties built into v0.1.0.
Keys never leave your device
Encryption uses AES-256-GCM with a PBKDF2-derived key. Decryption happens only in the service worker. Nothing is ever transmitted to a server.
Blind signing blocked
Non-standard transactions are refused outright. Raw eth_sign and personal_sign over non-human-readable data are not supported — there is no override.
PIN re-authentication on every send
The wallet opens read-only. PIN verification is required before each transaction signature — no session-level signing permission.
Auto-lock via MV3 service worker
MV3 service workers sleep after ~30 seconds of inactivity, automatically locking the wallet without requiring any user action.
IP privacy proxy
All API calls (Alchemy, CoinGecko) are routed through a Cloudflare Worker proxy. Neither service ever sees your real IP address.
No remote logging
No addresses, balances, transaction data, or user activity is sent to any analytics service. There is no telemetry.
10-second forced delay on contract interactions
Any transaction to a non-EOA (contract) destination has a mandatory 10-second review countdown before the sign button becomes active.
Known Vulnerabilities
Unresolved issues we are aware of and tracking.
None at this time.
Past Incidents
Resolved security issues and post-mortems.
No incidents to date.
Responsible Disclosure
How to report a vulnerability and what to expect.
Initial response: 48 hours
Fix timeline (critical): 14 days
Credit: named or anonymous
If you discover a security vulnerability, please email us at security@heldby.io. Include a description of the issue, steps to reproduce, and your assessment of impact. We will acknowledge receipt within 48 hours and aim to resolve critical issues within 14 days. We are happy to credit researchers by name or handle, or keep reports anonymous — your choice.
Scope
In scope
- Private key or mnemonic extraction from storage
- Signing bypass — executing a transaction without PIN re-entry
- Blind signing bypass — signing non-human-readable data
- API key exposure via content scripts or network requests
- Cross-origin data leakage from the extension
- Phishing or UI spoofing via injected content
- CSP bypass allowing arbitrary script execution
Out of scope
- Physical access to the user's device
- Vulnerabilities in Chrome or V8 itself
- Social engineering of Heldby team members
- Rate limiting or denial-of-service
- Third-party dependency issues without a demonstrated impact path