@deserialize/multi-vm-wallet 1.4.2 → 1.5.0

package/utils/vm-validation.ts

@@ -0,0 +1,280 @@
+/**
+ * Validation utilities for VM operations
+ *
+ * Provides validation for wallet indices, derivation paths, seeds, and other
+ * cryptographic inputs to prevent security issues and crashes.
+ */
+
+/**
+ * VM validation utilities
+ */
+export class VMValidation {
+    /**
+     * Validate wallet/account index
+     *
+     * @param index - Index to validate
+     * @param label - Label for error message
+     * @throws Error if index is invalid
+     */
+    static validateIndex(index: number, label: string = 'Index'): void {
+        if (!Number.isInteger(index)) {
+            throw new Error(`${label} must be an integer, got: ${index}`);
+        }
+        if (index < 0) {
+            throw new Error(`${label} must be non-negative, got: ${index}`);
+        }
+        if (index > 0x7FFFFFFF) {
+            throw new Error(`${label} exceeds maximum (2147483647), got: ${index}`);
+        }
+    }
+
+    /**
+     * Validate hex seed string
+     *
+     * @param seed - Seed to validate
+     * @throws Error if seed is invalid
+     */
+    static validateSeed(seed: string): void {
+        if (typeof seed !== 'string') {
+            throw new Error(`Seed must be a string, got: ${typeof seed}`);
+        }
+
+        if (seed.length === 0) {
+            throw new Error('Seed cannot be empty');
+        }
+
+        if (!/^[0-9a-fA-F]+$/.test(seed)) {
+            throw new Error('Seed must be a hex string');
+        }
+
+        // Typical seed length is 64 hex chars (32 bytes)
+        if (seed.length < 32) {
+            throw new Error(`Seed too short: ${seed.length} chars (minimum 32)`);
+        }
+    }
+
+    /**
+     * Validate mnemonic phrase
+     *
+     * @param mnemonic - Mnemonic to validate
+     * @throws Error if mnemonic is invalid
+     */
+    static validateMnemonic(mnemonic: string): void {
+        if (typeof mnemonic !== 'string') {
+            throw new Error(`Mnemonic must be a string, got: ${typeof mnemonic}`);
+        }
+
+        const trimmed = mnemonic.trim();
+        if (trimmed.length === 0) {
+            throw new Error('Mnemonic cannot be empty');
+        }
+
+        const words = trimmed.split(/\s+/);
+        const validWordCounts = [12, 15, 18, 21, 24];
+
+        if (!validWordCounts.includes(words.length)) {
+            throw new Error(
+                `Mnemonic must have 12, 15, 18, 21, or 24 words (BIP-39 standard), got: ${words.length} words`
+            );
+        }
+    }
+
+    /**
+     * Validate BIP-44 derivation path format
+     *
+     * @param path - Derivation path to validate
+     * @param vmType - VM type ('EVM' or 'SVM')
+     * @throws Error if path is invalid
+     */
+    static validateDerivationPath(path: string, vmType?: 'EVM' | 'SVM'): void {
+        if (typeof path !== 'string') {
+            throw new Error(`Derivation path must be a string, got: ${typeof path}`);
+        }
+
+        // Expected format: m/44'/cointype'/account'/change'/addressindex'
+        // Some paths may have all hardened segments (with ')
+        const pathRegex = /^m(\/\d+')+$/;
+
+        if (!pathRegex.test(path)) {
+            throw new Error(
+                `Invalid derivation path format: ${path}. ` +
+                `Expected format: m/44'/cointype'/account'/... (all segments hardened)`
+            );
+        }
+
+        // Extract parts
+        const parts = path.split('/');
+        if (parts.length < 3) {
+            throw new Error(`Derivation path too short: ${path}`);
+        }
+
+        // Check purpose (should be 44' for BIP-44)
+        const purpose = parseInt(parts[1].replace("'", ""));
+        if (purpose !== 44) {
+            console.warn(`Warning: Non-BIP-44 purpose value: ${purpose}`);
+        }
+
+        // Validate coin type if VM type specified
+        if (vmType && parts.length >= 3) {
+            const coinType = parseInt(parts[2].replace("'", ""));
+
+            if (vmType === 'EVM' && coinType !== 60) {
+                throw new Error(
+                    `Invalid coin type for EVM: ${coinType}. Expected 60 (Ethereum).`
+                );
+            }
+
+            if (vmType === 'SVM' && coinType !== 501) {
+                throw new Error(
+                    `Invalid coin type for SVM: ${coinType}. Expected 501 (Solana).`
+                );
+            }
+        }
+
+        // Validate all indices are within range
+        for (let i = 1; i < parts.length; i++) {
+            const indexStr = parts[i].replace("'", "");
+            const index = parseInt(indexStr);
+
+            if (isNaN(index)) {
+                throw new Error(`Invalid index in path segment ${i}: ${parts[i]}`);
+            }
+
+            // Check hardened index range (0x80000000 to 0xFFFFFFFF)
+            // Non-hardened range (0 to 0x7FFFFFFF)
+            if (parts[i].endsWith("'")) {
+                if (index > 0x7FFFFFFF) {
+                    throw new Error(`Hardened index ${index} exceeds maximum`);
+                }
+            } else {
+                if (index > 0x7FFFFFFF) {
+                    throw new Error(`Non-hardened index ${index} exceeds maximum`);
+                }
+            }
+        }
+    }
+
+    /**
+     * Validate password strength
+     *
+     * @param password - Password to validate
+     * @param minLength - Minimum password length (default: 8)
+     * @throws Error if password is weak
+     */
+    static validatePassword(password: string, minLength: number = 8): void {
+        if (typeof password !== 'string') {
+            throw new Error(`Password must be a string, got: ${typeof password}`);
+        }
+
+        if (password.length < minLength) {
+            throw new Error(
+                `Password too short. Minimum length: ${minLength}, got: ${password.length}`
+            );
+        }
+
+        // Check for common weak passwords
+        const weakPasswords = ['password', '12345678', 'qwerty', 'abc123'];
+        if (weakPasswords.includes(password.toLowerCase())) {
+            throw new Error('Password is too weak. Choose a stronger password.');
+        }
+    }
+
+    /**
+     * Validate amount (bigint)
+     *
+     * @param amount - Amount to validate
+     * @param label - Label for error message
+     * @throws Error if amount is invalid
+     */
+    static validateAmount(amount: bigint, label: string = 'Amount'): void {
+        if (typeof amount !== 'bigint') {
+            throw new Error(`${label} must be a bigint, got: ${typeof amount}`);
+        }
+        if (amount <= 0n) {
+            throw new Error(`${label} must be positive, got: ${amount}`);
+        }
+    }
+
+    /**
+     * Validate Ethereum address format
+     *
+     * @param address - Address to validate
+     * @param label - Label for error message
+     * @throws Error if address is invalid
+     */
+    static validateEthereumAddress(address: string, label: string = 'Address'): void {
+        if (typeof address !== 'string') {
+            throw new Error(`${label} must be a string, got: ${typeof address}`);
+        }
+
+        if (!/^0x[a-fA-F0-9]{40}$/.test(address)) {
+            throw new Error(
+                `${label} has invalid format. Expected 0x followed by 40 hex characters, got: ${address}`
+            );
+        }
+    }
+}
+
+/**
+ * Sanitize error messages to remove sensitive data
+ *
+ * @param error - Error to sanitize
+ * @param additionalSensitiveFields - Additional field names to redact
+ * @returns Sanitized error
+ */
+export function sanitizeError(
+    error: any,
+    additionalSensitiveFields: string[] = []
+): Error {
+    const message = error.message || error.toString();
+
+    // Remove common sensitive patterns
+    let sanitized = message
+        .replace(/seed:\s*[0-9a-fA-F]{32,}/gi, 'seed: [REDACTED]')
+        .replace(/password:\s*\S+/gi, 'password: [REDACTED]')
+        .replace(/mnemonic:\s*.+/gi, 'mnemonic: [REDACTED]')
+        .replace(/private\s*key:\s*[0-9a-fA-F]+/gi, 'privateKey: [REDACTED]')
+        .replace(/0x[0-9a-fA-F]{64,}/g, '[PRIVATE_KEY_REDACTED]')
+        .replace(/secret:\s*\S+/gi, 'secret: [REDACTED]');
+
+    // Remove custom sensitive fields
+    additionalSensitiveFields.forEach(field => {
+        const regex = new RegExp(`${field}:\\s*\\S+`, 'gi');
+        sanitized = sanitized.replace(regex, `${field}: [REDACTED]`);
+    });
+
+    const sanitizedError = new Error(sanitized);
+    sanitizedError.stack = error.stack; // Preserve stack trace
+    return sanitizedError;
+}
+
+/**
+ * Safe error logger that redacts sensitive information
+ *
+ * @param message - Error message
+ * @param error - Error object
+ * @param context - Additional context
+ */
+export function logSafeError(
+    message: string,
+    error: any,
+    context?: Record<string, any>
+): void {
+    const sanitized = sanitizeError(error);
+
+    // Filter sensitive data from context
+    const safeContext = context ? { ...context } : {};
+    const sensitiveKeys = ['seed', 'mnemonic', 'privateKey', 'password', 'secret'];
+
+    sensitiveKeys.forEach(key => {
+        if (safeContext[key]) {
+            safeContext[key] = '[REDACTED]';
+        }
+    });
+
+    console.error(message, {
+        error: sanitized.message,
+        stack: sanitized.stack,
+        context: safeContext
+    });
+}

package/utils/vm.ts

@@ -8,6 +8,7 @@ import { EntropyToMnemonic, mnemonicToSeed } from "./walletBip32";
 export abstract class VM<AddressType, PrivateKeyType, ConnectionType> {
     protected seed: string;
     type: vmTypes
+    private disposed: boolean = false;
 
     constructor(seed: string, vm: vmTypes) {
         this.type = vm;
@@ -15,51 +16,237 @@ export abstract class VM<AddressType, PrivateKeyType, ConnectionType> {
     }
     static mnemonicToSeed = mnemonicToSeed
 
+    /**
+     * Clear sensitive data from memory
+     *
+     * IMPORTANT: After calling dispose(), the VM instance should not be used.
+     * JavaScript strings are immutable, so this only clears references.
+     * The actual memory will be cleared by garbage collection.
+     *
+     * @remarks
+     * Call this method when:
+     * - User locks the wallet
+     * - Application goes to background (mobile)
+     * - Extension popup closes (browser extension)
+     * - Session ends
+     *
+     * @example
+     * ```typescript
+     * const vm = EVMVM.fromMnemonic(mnemonic);
+     * // ... use vm ...
+     * vm.dispose();
+     * vm = null; // Remove reference for garbage collection
+     * ```
+     */
+    dispose(): void {
+        if (this.disposed) {
+            return; // Already disposed
+        }
+
+        // Clear seed reference
+        (this as any).seed = '';
+        this.disposed = true;
+    }
+
+    /**
+     * Check if VM has been disposed
+     *
+     * @returns true if dispose() has been called
+     */
+    isDisposed(): boolean {
+        return this.disposed || !this.seed || this.seed === '';
+    }
+
+    /**
+     * Throw error if VM has been disposed
+     *
+     * @throws Error if VM is disposed
+     * @internal
+     */
+    protected checkNotDisposed(): void {
+        if (this.isDisposed()) {
+            throw new Error('VM has been disposed. Create a new instance to perform operations.');
+        }
+    }
+
     static generateSalt(): string {
         return CryptoJS.lib.WordArray.random(16).toString(); // 128-bit salt
     }
 
     static getMnemonicFromEntropy = EntropyToMnemonic
+
+    /**
+     * Derive encryption key using PBKDF2
+     *
+     * @param password - User password
+     * @param salt - Hex salt string
+     * @param iterations - PBKDF2 iterations (default: 600,000 - OWASP recommendation)
+     * @param keySize - Key size in 32-bit words (default: 8 = 256 bits)
+     * @returns Derived key as hex string
+     *
+     * @remarks
+     * OWASP recommends at least 600,000 iterations for PBKDF2-SHA256.
+     * Using fewer iterations is a security risk.
+     *
+     * @security
+     * - 10,000 iterations (old default): INSECURE - deprecated
+     * - 100,000 iterations: Minimum acceptable
+     * - 600,000 iterations: Recommended
+     */
     static deriveKey(
         password: string,
         salt: string,
-        iterations = 10000,
+        iterations = 600000, // ✅ Updated to OWASP recommendation
         keySize = 256 / 32
     ) {
+        // Validate inputs
+        if (!password || password.length < 8) {
+            throw new Error('Password must be at least 8 characters');
+        }
+
+        if (!salt) {
+            throw new Error('Salt is required');
+        }
+
+        // Warn about weak iteration counts
+        if (iterations < 100000) {
+            console.warn(
+                `⚠️ WARNING: Using ${iterations} PBKDF2 iterations is insecure. ` +
+                `Minimum recommended: 100,000. Recommended: 600,000.`
+            );
+        }
+
         return CryptoJS.PBKDF2(password, CryptoJS.enc.Hex.parse(salt), {
             keySize: keySize,
             iterations: iterations,
+            hasher: CryptoJS.algo.SHA256 // Explicitly specify hasher
         }).toString();
     }
-    static encryptSeedPhrase(seedPhrase: string, password: string) {
+
+    /**
+     * Encrypt seed phrase with strong encryption
+     *
+     * @param seedPhrase - Seed phrase to encrypt
+     * @param password - User password (min 8 characters)
+     * @param iterations - PBKDF2 iterations (default: 600,000)
+     * @returns Encrypted data, salt, and iteration count
+     *
+     * @throws Error if inputs are invalid
+     *
+     * @example
+     * ```typescript
+     * const { encrypted, salt, iterations } = VM.encryptSeedPhrase(
+     *   mnemonic,
+     *   userPassword
+     * );
+     * // Store encrypted, salt, and iterations
+     * await storage.save({ encrypted, salt, iterations });
+     * ```
+     */
+    static encryptSeedPhrase(seedPhrase: string, password: string, iterations: number = 600000) {
+        // Validate inputs
+        if (!seedPhrase || seedPhrase.trim().length === 0) {
+            throw new Error('Seed phrase cannot be empty');
+        }
+
+        if (!password || password.length < 8) {
+            throw new Error('Password must be at least 8 characters');
+        }
+
         const salt = this.generateSalt(); // Generate a unique salt for this encryption
-        const key = this.deriveKey(password, salt); // Derive a key using PBKDF2
+        const key = this.deriveKey(password, salt, iterations); // Derive a key using PBKDF2
 
         // Encrypt the seed phrase with AES using the derived key
         const encrypted = CryptoJS.AES.encrypt(seedPhrase, key).toString();
 
-        // Return the encrypted data and the salt (needed for decryption)
-        return { encrypted, salt };
+        // Return the encrypted data, salt, and iterations (needed for decryption)
+        return { encrypted, salt, iterations };
+    }
+
+    /**
+     * Legacy encryption method for backwards compatibility
+     *
+     * @deprecated Use encryptSeedPhrase() instead which returns iteration count
+     */
+    static encryptSeedPhraseLegacy(seedPhrase: string, password: string) {
+        const result = this.encryptSeedPhrase(seedPhrase, password, 10000);
+        return { encrypted: result.encrypted, salt: result.salt };
     }
 
+    /**
+     * Decrypt seed phrase
+     *
+     * @param encryptedSeedPhrase - Encrypted seed phrase
+     * @param password - User password
+     * @param salt - Salt used for encryption
+     * @param iterations - PBKDF2 iterations (default: 600,000)
+     * @returns Decrypted seed phrase or null if failed
+     *
+     * @remarks
+     * If you encrypted with the old default (10,000 iterations), pass iterations=10000.
+     * New encryptions use 600,000 iterations.
+     *
+     * @example
+     * ```typescript
+     * // Decrypt with stored iteration count
+     * const seedPhrase = VM.decryptSeedPhrase(
+     *   encrypted,
+     *   userPassword,
+     *   salt,
+     *   storedIterations || 600000
+     * );
+     * ```
+     */
     static decryptSeedPhrase(
         encryptedSeedPhrase: string,
         password: string,
-        salt: string
-    ) {
+        salt: string,
+        iterations: number = 600000
+    ): string | null {
         try {
-            const key = this.deriveKey(password, salt); // Derive the key using the same salt
+            // Validate inputs
+            if (!encryptedSeedPhrase) {
+                throw new Error('Encrypted seed phrase is required');
+            }
+
+            if (!password || password.length < 8) {
+                throw new Error('Password must be at least 8 characters');
+            }
+
+            if (!salt) {
+                throw new Error('Salt is required');
+            }
+
+            const key = this.deriveKey(password, salt, iterations); // Derive the key using the same salt
             const bytes = CryptoJS.AES.decrypt(encryptedSeedPhrase, key);
             const seedPhrase = bytes.toString(CryptoJS.enc.Utf8);
 
             // Check if decryption was successful
-            if (!seedPhrase) throw new Error("Decryption failed.");
+            if (!seedPhrase || seedPhrase.trim().length === 0) {
+                throw new Error("Decryption failed - invalid password or corrupted data");
+            }
+
             return seedPhrase;
         } catch (e: any) {
-            console.error("Invalid password or corrupted data:", e.message);
+            // Log sanitized error (no password in logs)
+            console.error("Decryption failed:", e.message);
             return null;
         }
     }
+
+    /**
+     * Legacy decryption method for backwards compatibility
+     *
+     * @deprecated Use decryptSeedPhrase() with explicit iterations parameter
+     */
+    static decryptSeedPhraseLegacy(
+        encryptedSeedPhrase: string,
+        password: string,
+        salt: string
+    ): string | null {
+        // Try with old default (10,000 iterations)
+        return this.decryptSeedPhrase(encryptedSeedPhrase, password, salt, 10000);
+    }
     generateSalt = VM.generateSalt
     deriveKey = VM.deriveKey
     encryptSeedPhrase = VM.encryptSeedPhrase

package/utils/walletBip32.ts

@@ -76,6 +76,7 @@ if (typeof window !== 'undefined') {
 import { wordlist } from "./english";
 import { hmac } from "@noble/hashes/hmac";
 import { sha512 } from "@noble/hashes/sha2";
+import { VMValidation } from "./vm-validation";
 
 
 
@@ -121,21 +122,56 @@ export function GenerateSeed(_mnemonic?: string) {
     return seedString;
 }
 //EVM
+/**
+ * Derive EVM child private key using BIP-44
+ *
+ * @param seed - Hex seed string
+ * @param index - Wallet index
+ * @param derivationPath - BIP-44 derivation path (e.g., "m/44'/60'/0'/0/")
+ * @returns Private key and public key
+ * @throws Error if inputs are invalid
+ */
 export function EVMDeriveChildPrivateKey(seed: string, index: number, derivationPath: string) {
-    const path = `${derivationPath}${index}'`
-    const scureNode = HDKey.fromMasterSeed(Buffer.from(seed, "hex"))
+    // Validate inputs
+    VMValidation.validateSeed(seed);
+    VMValidation.validateIndex(index, 'Wallet index');
+    VMValidation.validateDerivationPath(derivationPath + index + "'", 'EVM');
+
+    const path = `${derivationPath}${index}'`;
+    const scureNode = HDKey.fromMasterSeed(Buffer.from(seed, "hex"));
     const child = scureNode.derive(path);
-    const privateKey = Buffer.from(child.privateKey!).toString("hex");
+
+    if (!child.privateKey) {
+        throw new Error(`Failed to derive private key at path: ${path}`);
+    }
+
+    const privateKey = Buffer.from(child.privateKey).toString("hex");
     const publicKey = Buffer.from(child.publicKey!).toString("hex");
     return { privateKey, publicKey };
 }
 
 //SVM
+/**
+ * Derive SVM (Solana) child private key using BIP-44
+ *
+ * @param seed - Hex seed string
+ * @param index - Wallet index
+ * @param derivationPath - BIP-44 derivation path (e.g., "m/44'/501'/0'/")
+ * @returns Solana Keypair
+ * @throws Error if inputs are invalid
+ */
 export function SVMDeriveChildPrivateKey(seed: string, index: number, derivationPath: string) {
+    // Validate inputs
+    VMValidation.validateSeed(seed);
+    VMValidation.validateIndex(index, 'Wallet index');
+    VMValidation.validateDerivationPath(derivationPath + index + "'", 'SVM');
+
     const path = `${derivationPath}${index}'`;
+
     // Derive a seed from the given path
     const derivedSeed = derivePathEclipticCurve(path, Buffer.from(seed, "hex")).key;
     const derivedKeyPair = Keypair.fromSeed(derivedSeed);
+
     return derivedKeyPair;
 }
 

package/dist/IChainWallet.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"IChainWallet.js","sourceRoot":"","sources":["../utils/IChainWallet.ts"],"names":[],"mappings":";;;AAKA,MAAsB,WAAW;IACnB,UAAU,CAAiB;IACrC,MAAM,CAAoB;IAC1B,OAAO,CAAc;IACrB,KAAK,CAAoB;IACzB,UAAU,CAA4B;IAEtC,YAAY,MAAyB,EAAE,UAA0B,EAAE,KAAc;QAC7E,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IAEvB,CAAC;IAYD,+GAA+G;IAC/G,mEAAmE;IACnE,mFAAmF;IACnF,oDAAoD;IAEpD,UAAU;QACN,OAAO,IAAI,CAAC,OAAO,CAAC;IACxB,CAAC;IACD,oBAAoB;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC;IACvB,CAAC;CAMJ;AAzCD,kCAyCC"}

package/dist/bip32.d.ts

@@ -1,9 +0,0 @@
-import { Keypair } from "@solana/web3.js";
-export declare function GenerateNewMnemonic(): string;
-export declare function ValidateMnemonic(mnemonic: string): true;
-export declare function GenerateSeed(_mnemonic?: string): Uint8Array<ArrayBufferLike>;
-export declare function EVMDeriveChildPrivateKey(seed: string, index: number, derivationPath: string): {
-    privateKey: string;
-    publicKey: string;
-};
-export declare function SVMDeriveChildPrivateKey(seed: string, index: number, derivationPath: string): Keypair;