@sidhujag/sysweb3-keyring 1.0.544 → 1.0.547

package/src/keyring-manager.ts

@@ -0,0 +1,2698 @@
+import ecc from '@bitcoinerlab/secp256k1';
+import { isHexString } from '@ethersproject/bytes';
+import { HDNode } from '@ethersproject/hdnode';
+import { Wallet } from '@ethersproject/wallet';
+import * as sysweb3 from '@sidhujag/sysweb3-core';
+import {
+  INetwork,
+  INetworkType,
+  getNetworkConfig,
+} from '@sidhujag/sysweb3-network';
+import { BIP32Factory } from 'bip32';
+import * as bjs from 'bitcoinjs-lib';
+import bs58check from 'bs58check';
+import crypto from 'crypto';
+import CryptoJS from 'crypto-js';
+import mapValues from 'lodash/mapValues';
+import omit from 'lodash/omit';
+import * as syscoinjs from 'syscoinjs-lib';
+import * as BIP84 from 'syscoinjs-lib/bip84-replacement';
+
+// Initialize ECC backend for bitcoinjs-lib (required for Taproot/P2TR)
+// Avoids "No ECC Library provided" errors in browser/extension builds
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const _bjsAny: any = bjs as any;
+if (typeof _bjsAny.initEccLib === 'function') {
+  _bjsAny.initEccLib(ecc);
+}
+
+import {
+  initialActiveImportedAccountState,
+  initialActiveLedgerAccountState,
+  initialActiveTrezorAccountState,
+} from './initial-state';
+import { LedgerKeyring } from './ledger';
+import { getSyscoinSigners, SyscoinHDSigner } from './signers';
+import { getDecryptedVault, setEncryptedVault } from './storage';
+import { EthereumTransactions, SyscoinTransactions } from './transactions';
+import { TrezorKeyring } from './trezor';
+import {
+  IKeyringAccountState,
+  ISyscoinTransactions,
+  KeyringAccountType,
+  IEthereumTransactions,
+  IKeyringManager,
+} from './types';
+import { getAddressDerivationPath, isEvmCoin } from './utils/derivation-paths';
+
+export interface ISysAccount {
+  address: string;
+  label?: string;
+  xprv?: string;
+  xpub: string;
+}
+
+// Dynamic ETH HD path generation - will be computed as needed
+
+/**
+ * Secure Buffer implementation for sensitive data
+ * Provides explicit memory clearing capability
+ */
+class SecureBuffer {
+  private buffer: Buffer | null;
+  private _isCleared = false;
+
+  constructor(data: string | Buffer) {
+    if (typeof data === 'string') {
+      this.buffer = Buffer.from(data, 'utf8');
+    } else {
+      this.buffer = Buffer.from(data);
+    }
+  }
+
+  get(): Buffer {
+    if (this._isCleared || !this.buffer) {
+      throw new Error('SecureBuffer has been cleared');
+    }
+    return Buffer.from(this.buffer); // Return copy
+  }
+
+  toString(): string {
+    if (this._isCleared || !this.buffer) {
+      throw new Error('SecureBuffer has been cleared');
+    }
+    return this.buffer.toString('utf8');
+  }
+
+  clear(): void {
+    if (!this._isCleared && this.buffer) {
+      // Overwrite with random data first
+      crypto.randomFillSync(this.buffer);
+      // Then fill with zeros
+      this.buffer.fill(0);
+      this.buffer = null;
+      this._isCleared = true;
+    }
+  }
+
+  isCleared(): boolean {
+    return this._isCleared;
+  }
+}
+
+export class KeyringManager implements IKeyringManager {
+  public trezorSigner: TrezorKeyring;
+  public ledgerSigner: LedgerKeyring;
+  // NOTE: activeChain removed - now derived from vault.activeNetwork.kind
+  public initialTrezorAccountState: IKeyringAccountState;
+  public initialLedgerAccountState: IKeyringAccountState;
+  public utf8Error: boolean;
+  //transactions objects
+  public ethereumTransaction: IEthereumTransactions;
+  public syscoinTransaction: ISyscoinTransactions;
+  private storage: any; // Should be IKeyValueDb but import issue - provides deleteItem(), get(), set(), setClient(), setPrefix()
+
+  // Store getter function for accessing Redux state
+  private getVaultState: (() => any) | null = null;
+
+  // Method to inject store getter from Pali side
+  public setVaultStateGetter = (getter: () => any) => {
+    this.getVaultState = getter;
+  };
+
+  // Helper method to get current vault state
+  private getVault = () => {
+    if (!this.getVaultState) {
+      throw new Error(
+        'Vault state getter not configured. Call setVaultStateGetter() first.'
+      );
+    }
+
+    const vault = this.getVaultState();
+
+    // DEFENSIVE CHECK: Ensure vault state is properly structured
+    if (!vault) {
+      throw new Error(
+        'Vault state is undefined. Ensure Redux store is properly initialized with vault state.'
+      );
+    }
+
+    if (!vault.activeNetwork) {
+      throw new Error(
+        'Vault state is missing activeNetwork. Ensure vault state is properly initialized before keyring operations.'
+      );
+    }
+
+    if (!vault.activeAccount) {
+      throw new Error(
+        'Vault state is missing activeAccount. Ensure vault state is properly initialized before keyring operations.'
+      );
+    }
+
+    return vault;
+  };
+
+  // Helper to get active chain from vault state (replaces this.activeChain)
+  private getActiveChain = (): INetworkType => {
+    return this.getVault().activeNetwork.kind;
+  };
+
+  // Secure session data - using Buffers that can be explicitly cleared
+  private sessionPassword: SecureBuffer | null = null;
+  private sessionMnemonic: SecureBuffer | null = null; // can be a mnemonic or a zprv, can be changed to a zprv when using an imported wallet
+
+  constructor() {
+    this.storage = sysweb3.sysweb3Di.getStateStorageDb();
+    // Don't initialize secure buffers in constructor - they're created on unlock
+    this.storage.set('utf8Error', {
+      hasUtf8Error: false,
+    });
+
+    // NOTE: activeChain is now derived from vault state, not stored locally
+    // NOTE: No more persistent signers - use getSigner() for fresh on-demand signers
+
+    this.utf8Error = false;
+    // sessionMnemonic is initialized as null - created on unlock
+    this.initialTrezorAccountState = initialActiveTrezorAccountState;
+    this.initialLedgerAccountState = initialActiveLedgerAccountState;
+    this.trezorSigner = new TrezorKeyring();
+    this.ledgerSigner = new LedgerKeyring();
+
+    // this.syscoinTransaction = SyscoinTransactions();
+    this.syscoinTransaction = new SyscoinTransactions(
+      this.getSigner,
+      this.getReadOnlySigner,
+      this.getAccountsState,
+      this.getAddress,
+      this.ledgerSigner,
+      this.trezorSigner
+    );
+    this.ethereumTransaction = new EthereumTransactions(
+      this.getNetwork,
+      this.getDecryptedPrivateKey,
+      this.getAccountsState,
+      this.ledgerSigner,
+      this.trezorSigner
+    );
+  }
+
+  // Static factory method for creating a fully initialized KeyringManager with slip44 support
+  public static async createInitialized(
+    seed: string,
+    password: string,
+    vaultStateGetter: () => any
+  ): Promise<KeyringManager> {
+    const keyringManager = new KeyringManager();
+
+    // Set the vault state getter
+    keyringManager.setVaultStateGetter(vaultStateGetter);
+
+    // Use the new secure initialization method (eliminates temporary plaintext storage)
+    await keyringManager.initializeWalletSecurely(seed, password);
+
+    // NOTE: Active account management is now handled by vault state/Redux
+    // No need to explicitly set active account - it's managed externally
+
+    return keyringManager;
+  }
+
+  // Convenience method for complete setup after construction
+  public async initialize(
+    seed: string,
+    password: string,
+    network?: INetwork
+  ): Promise<IKeyringAccountState> {
+    // Set the network if provided (this is crucial for proper address derivation)
+    if (network) {
+      await this.setSignerNetwork(network);
+    }
+
+    // Use the new secure initialization method (eliminates temporary plaintext storage)
+    const account = await this.initializeWalletSecurely(seed, password);
+
+    // NOTE: Active account management is now handled by vault state/Redux
+    // No need to explicitly set active account - it's managed externally
+
+    return account;
+  }
+
+  // ===================================== PUBLIC METHODS - KEYRING MANAGER FOR HD - SYS ALL ===================================== //
+
+  public setStorage = (client: any) => this.storage.setClient(client);
+
+  public validateAccountType = (account: IKeyringAccountState) => {
+    return account.isImported === true
+      ? KeyringAccountType.Imported
+      : KeyringAccountType.HDAccount;
+  };
+
+  public isUnlocked = () =>
+    !!this.sessionPassword && !this.sessionPassword.isCleared();
+
+  public lockWallet = () => {
+    // Clear secure session data
+    if (this.sessionPassword) {
+      this.sessionPassword.clear();
+      this.sessionPassword = null;
+    }
+    if (this.sessionMnemonic) {
+      this.sessionMnemonic.clear();
+      this.sessionMnemonic = null;
+    }
+
+    // Clear transaction handlers that may hold HD signers
+    if (this.syscoinTransaction) {
+      // Replace with empty object to clear references
+      this.syscoinTransaction = {} as ISyscoinTransactions;
+    }
+    // NOTE: We intentionally don't clear ethereumTransaction here because
+    // polling needs the web3Provider even when the wallet is locked.
+
+    // Clean up hardware wallet connections
+    if (this.ledgerSigner) {
+      this.ledgerSigner.destroy().catch(() => {
+        // Silently handle cleanup errors to avoid exposing sensitive data
+      });
+    }
+    if (this.trezorSigner) {
+      this.trezorSigner.destroy().catch(() => {
+        // Silently handle cleanup errors to avoid exposing sensitive data
+      });
+    }
+  };
+
+  // Direct secure transfer of session data to another keyring
+  public transferSessionTo = (targetKeyring: IKeyringManager): void => {
+    if (!this.isUnlocked()) {
+      throw new Error('Source keyring must be unlocked to transfer session');
+    }
+
+    // Cast to access the receiveSessionOwnership method
+    const targetKeyringImpl = targetKeyring as unknown as KeyringManager;
+
+    // Transfer ownership of our buffers to the target
+    if (!this.sessionPassword || !this.sessionMnemonic) {
+      throw new Error('Session data is missing during transfer');
+    }
+
+    targetKeyringImpl.receiveSessionOwnership(
+      this.sessionPassword,
+      this.sessionMnemonic
+    );
+
+    // Null out our references (do NOT clear buffers - target owns them now)
+    this.sessionPassword = null;
+    this.sessionMnemonic = null;
+  };
+
+  // Private method for zero-copy transfer - takes ownership of buffers
+  public receiveSessionOwnership = (
+    sessionPassword: SecureBuffer,
+    sessionMnemonic: SecureBuffer
+  ): void => {
+    // Clear any existing data first
+    if (this.sessionPassword) {
+      this.sessionPassword.clear();
+    }
+    if (this.sessionMnemonic) {
+      this.sessionMnemonic.clear();
+    }
+
+    // Take ownership of the actual SecureBuffer objects
+    // No copying - these are the original objects
+    this.sessionPassword = sessionPassword;
+    this.sessionMnemonic = sessionMnemonic;
+  };
+
+  public addNewAccount = async (
+    label?: string
+  ): Promise<IKeyringAccountState> => {
+    // Check if wallet is unlocked
+    if (!this.isUnlocked()) {
+      throw new Error('Wallet must be unlocked to add new accounts');
+    }
+
+    // addNewAccount should only create accounts from the main seed
+    // For importing accounts (including zprvs), use importAccount
+    if (this.getActiveChain() === INetworkType.Syscoin) {
+      return await this.addNewAccountToSyscoinChain(label);
+    } else {
+      // EVM chainType
+      return await this.addNewAccountToEth(label);
+    }
+  };
+
+  public async unlock(password: string): Promise<{
+    canLogin: boolean;
+    needsAccountCreation?: boolean;
+  }> {
+    try {
+      const vaultKeys = await this.storage.get('vault-keys');
+
+      if (!vaultKeys) {
+        return {
+          canLogin: false,
+        };
+      }
+      // FIRST: Validate password against stored hash
+      const { hash, salt } = vaultKeys;
+      const saltedHashPassword = this.encryptSHA512(password, salt);
+
+      if (saltedHashPassword !== hash) {
+        // Password is wrong - return immediately
+        return {
+          canLogin: false,
+        };
+      }
+      // Handle migration from old vault format with currentSessionSalt
+      if (vaultKeys.currentSessionSalt) {
+        console.log(
+          '[KeyringManager] Detected old vault format, handling session migration...'
+        );
+
+        // The old format used currentSessionSalt for session data encryption
+        // We need to use it temporarily to decrypt the mnemonic correctly
+        const oldSessionPassword = this.encryptSHA512(
+          password,
+          vaultKeys.currentSessionSalt
+        );
+
+        // Get the vault and check if mnemonic needs migration
+        const { mnemonic } = await getDecryptedVault(password);
+
+        if (mnemonic) {
+          // Check if mnemonic is double-encrypted (old format behavior)
+          const isLikelyPlainMnemonic =
+            mnemonic.includes(' ') &&
+            (mnemonic.split(' ').length === 12 ||
+              mnemonic.split(' ').length === 24);
+
+          let decryptedMnemonic = mnemonic;
+          if (!isLikelyPlainMnemonic) {
+            try {
+              // Try to decrypt with raw password first (as vault stores it)
+              decryptedMnemonic = CryptoJS.AES.decrypt(
+                mnemonic,
+                password
+              ).toString(CryptoJS.enc.Utf8);
+            } catch (e) {
+              console.warn(
+                '[KeyringManager] Failed to decrypt mnemonic with password, trying old session password'
+              );
+              // If that fails, try with old session password
+              try {
+                decryptedMnemonic = CryptoJS.AES.decrypt(
+                  mnemonic,
+                  oldSessionPassword
+                ).toString(CryptoJS.enc.Utf8);
+              } catch (e2) {
+                // If both fail, assume it's already decrypted
+                decryptedMnemonic = mnemonic;
+              }
+            }
+          }
+
+          // Re-save the vault with properly formatted mnemonic (single encryption)
+          await setEncryptedVault({ mnemonic: decryptedMnemonic }, password);
+          console.log('[KeyringManager] Vault mnemonic format normalized');
+        }
+
+        // Remove currentSessionSalt from vault-keys
+        const migratedVaultKeys = {
+          hash: vaultKeys.hash,
+          salt: vaultKeys.salt,
+        };
+        await this.storage.set('vault-keys', migratedVaultKeys);
+        console.log('[KeyringManager] Old vault format migration completed');
+      }
+
+      // If session data missing or corrupted, recreate from vault
+      if (!this.sessionMnemonic) {
+        await this.recreateSessionFromVault(password, saltedHashPassword);
+      }
+
+      // NOTE: Active account management is now handled by vault state/Redux
+      // No need to explicitly set active account after unlock - it's managed externally
+      const vault = this.getVault();
+      if (vault.activeAccount?.id !== undefined && vault.activeAccount?.type) {
+        // Check if the active account actually exists in the accounts map
+        const accountType = vault.activeAccount.type;
+        const accountId = vault.activeAccount.id;
+        const accountExists = vault.accounts?.[accountType]?.[accountId];
+
+        if (!accountExists) {
+          console.log(
+            `[KeyringManager] Active account ${accountType}:${accountId} not found in accounts map. This may indicate a migration from old vault format.`
+          );
+          // Signal that accounts need to be created after migration
+          return {
+            canLogin: true,
+            needsAccountCreation: true,
+          };
+        }
+
+        console.log(
+          `[KeyringManager] Active account ${vault.activeAccount.id} available after unlock`
+        );
+      }
+
+      return {
+        canLogin: true,
+      };
+    } catch (error) {
+      console.log('ERROR unlock', {
+        error,
+      });
+      return {
+        canLogin: false,
+      };
+    }
+  }
+
+  public getNewChangeAddress = async (): Promise<string> => {
+    const vault = this.getVault();
+    const { accounts, activeAccount } = vault;
+    const account = accounts[activeAccount.type]?.[activeAccount.id];
+    if (!account) {
+      throw new Error('Active account not found');
+    }
+    const { xpub, isImported, address } = account as any;
+    // For imported single-address accounts, always return the single address
+    const looksLikeSingleAddress = isImported && xpub === address;
+    if (looksLikeSingleAddress) return address;
+    return await this.getAddress(xpub, true); // Don't skip increment - get next unused
+  };
+
+  public getChangeAddress = async (id: number): Promise<string> => {
+    const vault = this.getVault();
+    const { accounts, activeAccount } = vault;
+    const account = accounts[activeAccount.type]?.[id];
+    if (!account) {
+      throw new Error(`Account with id ${id} not found`);
+    }
+    const { xpub, isImported, address } = account as any;
+    if (isImported && xpub === address) return address;
+    return await this.getAddress(xpub, true);
+  };
+
+  public getPubkey = async (
+    id: number,
+    isChangeAddress: boolean
+  ): Promise<string> => {
+    const vault = this.getVault();
+    const { accounts, activeAccount } = vault;
+    const account = accounts[activeAccount.type]?.[id];
+    if (!account) {
+      throw new Error(`Account with id ${id} not found`);
+    }
+    const { xpub, isImported, address } = account as any;
+    // Guard: single-address imported are watch-only
+    if (isImported && xpub === address) {
+      throw new Error(
+        'Public key not available for single-address imported accounts'
+      );
+    }
+    // Guard: descriptor/xpub watch-only (no xprv and not hardware)
+    if (this.isWatchOnlyAccount(account as any)) {
+      throw new Error('Public key not available for watch-only accounts');
+    }
+    return await this.getCurrentAddressPubkey(xpub, isChangeAddress);
+  };
+
+  public getBip32Path = async (
+    id: number,
+    isChangeAddress: boolean
+  ): Promise<string> => {
+    const vault = this.getVault();
+    const { accounts, activeAccount } = vault;
+    const account = accounts[activeAccount.type]?.[id];
+    if (!account) {
+      throw new Error(`Account with id ${id} not found`);
+    }
+    const { xpub, isImported, address } = account as any;
+    // Guard: single-address imported are watch-only
+    if (isImported && xpub === address) {
+      throw new Error(
+        'BIP32 path not available for single-address imported accounts'
+      );
+    }
+    // Guard: descriptor/xpub watch-only (no xprv and not hardware)
+    if (this.isWatchOnlyAccount(account as any)) {
+      throw new Error('BIP32 path not available for watch-only accounts');
+    }
+    return await this.getCurrentAddressBip32Path(xpub, isChangeAddress);
+  };
+
+  public updateReceivingAddress = async (): Promise<string> => {
+    const vault = this.getVault();
+    const { accounts, activeAccount } = vault;
+    const account = accounts[activeAccount.type]?.[activeAccount.id];
+    if (!account) {
+      throw new Error('Active account not found');
+    }
+    const { xpub, isImported, address } = account as any;
+    if (isImported && xpub === address) return address;
+    const nextAddress = await this.getAddress(xpub, false);
+    // NOTE: Address updates should be dispatched to Redux store, not updated here
+    // The calling code should handle the Redux dispatch
+    return nextAddress;
+  };
+
+  public getAccountById = (
+    id: number,
+    accountType: KeyringAccountType
+  ): Omit<IKeyringAccountState, 'xprv'> => {
+    const vault = this.getVault();
+    const accounts = vault.accounts[accountType];
+
+    const account = accounts[id];
+
+    if (!account) {
+      throw new Error('Account not found');
+    }
+
+    return omit(account as IKeyringAccountState, 'xprv');
+  };
+
+  public getPrivateKeyByAccountId = async (
+    id: number,
+    accountType: KeyringAccountType,
+    pwd: string
+  ): Promise<string> => {
+    try {
+      // Validate password using vault salt (same pattern as getSeed)
+      if (!this.sessionPassword) {
+        throw new Error('Unlock wallet first');
+      }
+
+      // Get vault salt for password validation
+      const vaultKeys = await this.storage.get('vault-keys');
+      if (!vaultKeys || !vaultKeys.salt) {
+        throw new Error('Vault keys not found');
+      }
+
+      const genPwd = this.encryptSHA512(pwd, vaultKeys.salt);
+      if (this.getSessionPasswordString() !== genPwd) {
+        throw new Error('Invalid password');
+      }
+
+      const vault = this.getVault();
+      const account = vault.accounts[accountType][id];
+      if (!account) {
+        throw new Error('Account not found');
+      }
+
+      // Decrypt the stored private key using secure method
+      const decryptedPrivateKey = this.withSecureData((sessionPwd) => {
+        const decrypted = CryptoJS.AES.decrypt(
+          (account as IKeyringAccountState).xprv,
+          sessionPwd
+        ).toString(CryptoJS.enc.Utf8);
+
+        if (!decrypted) {
+          throw new Error(
+            'Failed to decrypt private key. Invalid password or corrupted data.'
+          );
+        }
+
+        return decrypted;
+      });
+
+      // NOTE: Returning decrypted private key as string is necessary for compatibility
+      // Callers should handle this sensitive data carefully
+      return decryptedPrivateKey;
+    } catch (error) {
+      this.validateAndHandleErrorByMessage(error.message);
+      throw error;
+    }
+  };
+
+  public getActiveAccount = (): {
+    activeAccount: Omit<IKeyringAccountState, 'xprv'>;
+    activeAccountType: KeyringAccountType;
+  } => {
+    const vault = this.getVault();
+    const { accounts, activeAccount } = vault;
+    const activeAccountId = activeAccount.id;
+    const activeAccountType = activeAccount.type;
+
+    return {
+      activeAccount: omit(
+        accounts[activeAccountType][activeAccountId] as IKeyringAccountState,
+        'xprv'
+      ),
+      activeAccountType,
+    };
+  };
+
+  private isDescriptor = (s: string): boolean =>
+    /^(addr|pkh|wpkh|sh|wsh|tr|combo|multi|sortedmulti)\s*\(/i.test(s || '');
+
+  private isXpubLike = (s: string): boolean =>
+    /^(xpub|tpub|zpub|vpub)/i.test(s || '');
+
+  private isWatchOnlyAccount(a: IKeyringAccountState): boolean {
+    if (a.isLedgerWallet || a.isTrezorWallet) return false;
+    if (!a.xprv || a.xprv === '') {
+      if (a.xpub === a.address) return true; // single-address imported
+      if (this.isXpubLike(a.xpub) || this.isDescriptor(a.xpub)) return true; // xpub/descriptor watch-only
+    }
+    return false;
+  }
+
+  public getEncryptedXprv = (hd: SyscoinHDSigner) => {
+    return this.withSecureData((sessionPwd) => {
+      return CryptoJS.AES.encrypt(
+        this.getSysActivePrivateKey(hd),
+        sessionPwd
+      ).toString();
+    });
+  };
+
+  public getSeed = async (pwd: string) => {
+    if (!this.sessionPassword) {
+      throw new Error('Unlock wallet first');
+    }
+
+    // Get vault salt for password validation (consistent with getPrivateKeyByAccountId)
+    const vaultKeys = await this.storage.get('vault-keys');
+    if (!vaultKeys || !vaultKeys.salt) {
+      throw new Error('Vault keys not found');
+    }
+
+    const genPwd = this.encryptSHA512(pwd, vaultKeys.salt);
+    if (this.getSessionPasswordString() !== genPwd) {
+      throw new Error('Invalid password');
+    }
+    let { mnemonic } = await getDecryptedVault(pwd);
+
+    if (!mnemonic) {
+      throw new Error('Mnemonic not found in vault or is empty');
+    }
+
+    // Try to detect if mnemonic is encrypted or plain text
+    const isLikelyPlainMnemonic =
+      mnemonic.includes(' ') &&
+      (mnemonic.split(' ').length === 12 || mnemonic.split(' ').length === 24);
+
+    if (!isLikelyPlainMnemonic) {
+      try {
+        mnemonic = CryptoJS.AES.decrypt(mnemonic, pwd).toString(
+          CryptoJS.enc.Utf8
+        );
+      } catch (decryptError) {
+        // If decryption fails, assume mnemonic is already decrypted
+        console.warn(
+          'Mnemonic decryption failed in getSeed, using as-is:',
+          decryptError.message
+        );
+      }
+    }
+
+    if (!mnemonic) {
+      throw new Error(
+        'Failed to decrypt mnemonic or mnemonic is empty after decryption'
+      );
+    }
+
+    return mnemonic;
+  };
+
+  public setSignerNetwork = async (
+    network: INetwork
+  ): Promise<{
+    activeChain?: INetworkType;
+    success: boolean;
+  }> => {
+    // With multi-keyring architecture, each keyring is dedicated to specific slip44
+    if (
+      INetworkType.Ethereum !== network.kind &&
+      INetworkType.Syscoin !== network.kind
+    ) {
+      throw new Error('Unsupported chain');
+    }
+
+    // Validate network/chain type compatibility
+    if (
+      network.kind === INetworkType.Ethereum &&
+      this.getActiveChain() === INetworkType.Syscoin
+    ) {
+      throw new Error('Cannot use Ethereum chain type with Syscoin network');
+    }
+    if (
+      network.kind === INetworkType.Syscoin &&
+      this.getActiveChain() === INetworkType.Ethereum
+    ) {
+      throw new Error('Cannot use Syscoin chain type with Ethereum network');
+    }
+
+    // CRITICAL: Prevent UTXO-to-UTXO network switching within same keyring
+    // Each UTXO network should have its own KeyringManager instance based on slip44
+    const vault = this.getVault();
+    if (this.getActiveChain() === INetworkType.Syscoin && vault.activeNetwork) {
+      const currentSlip44 = vault.activeNetwork.slip44;
+      const newSlip44 = network.slip44;
+
+      if (currentSlip44 !== newSlip44) {
+        throw new Error(
+          `Cannot switch between different UTXO networks within the same keyring. ` +
+            `Current network uses slip44=${currentSlip44}, target network uses slip44=${newSlip44}. ` +
+            `Each UTXO network requires a separate KeyringManager instance.`
+        );
+      }
+    }
+
+    try {
+      // With multi-keyring architecture:
+      // - UTXO: Each keyring is dedicated to one network (slip44), so this is only called during initialization
+      // - EVM: All EVM networks share slip44=60, so network can change within the same keyring
+
+      if (network.kind === INetworkType.Syscoin) {
+        // For UTXO networks: validate that active account exists (accounts should be created via addNewAccount/initialize)
+        const accountId = vault.activeAccount.id || 0;
+        const accountType =
+          vault.activeAccount.type || KeyringAccountType.HDAccount;
+        const accounts = vault.accounts[accountType];
+
+        if (!accounts[accountId] || !accounts[accountId].xpub) {
+          throw new Error(
+            `Active account ${accountType}:${accountId} does not exist. Create accounts using addNewAccount() or initializeWalletSecurely() first.`
+          );
+        }
+
+        // No additional setup needed - on-demand signers will be created when needed
+      } else if (network.kind === INetworkType.Ethereum) {
+        // For EVM networks: validate that active account exists
+        const accountId = vault.activeAccount.id || 0;
+        const accountType =
+          vault.activeAccount.type || KeyringAccountType.HDAccount;
+        const accounts = vault.accounts[accountType];
+
+        if (!accounts[accountId] || !accounts[accountId].xpub) {
+          throw new Error(
+            `Active account ${accountType}:${accountId} does not exist. Create accounts using addNewAccount() or initializeWalletSecurely() first.`
+          );
+        }
+
+        // Set up EVM provider for network switching
+        await this.setSignerEVM(network);
+      }
+
+      return {
+        success: true,
+      };
+    } catch (err) {
+      console.log('ERROR setSignerNetwork', {
+        err,
+      });
+
+      this.validateAndHandleErrorByMessage(err.message);
+
+      //Rollback to previous values
+      console.error('Set Signer Network failed with', err);
+      return { success: false };
+    }
+  };
+
+  public forgetMainWallet = async (pwd: string) => {
+    const vaultKeys = await this.storage.get('vault-keys');
+    if (!vaultKeys || !vaultKeys.salt) {
+      throw new Error('Vault keys not found');
+    }
+    const genPwd = this.encryptSHA512(pwd, vaultKeys.salt);
+    if (!this.sessionPassword) {
+      throw new Error('Unlock wallet first');
+    } else if (this.getSessionPasswordString() !== genPwd) {
+      throw new Error('Invalid password');
+    }
+
+    await this.clearTemporaryLocalKeys(pwd);
+  };
+
+  public importWeb3Account = (mnemonicOrPrivKey: string) => {
+    // Check if it's a hex string (Ethereum private key)
+    if (isHexString(mnemonicOrPrivKey)) {
+      return new Wallet(mnemonicOrPrivKey);
+    }
+
+    // Check if it's a zprv/tprv (Syscoin private key)
+    const zprvPrefixes = ['zprv', 'tprv', 'vprv', 'xprv'];
+    if (zprvPrefixes.some((prefix) => mnemonicOrPrivKey.startsWith(prefix))) {
+      throw new Error(
+        'Syscoin extended private keys (zprv/tprv) should be imported using importAccount, not importWeb3Account'
+      );
+    }
+
+    // Otherwise, assume it's a mnemonic
+    const account = Wallet.fromMnemonic(mnemonicOrPrivKey);
+
+    return account;
+  };
+
+  public getAccountXpub = (): string => {
+    const vault = this.getVault();
+    const { activeAccount } = vault;
+    const account = vault.accounts[activeAccount.type]?.[activeAccount.id];
+    if (!account) {
+      throw new Error('Active account not found');
+    }
+    return account.xpub;
+  };
+
+  public isSeedValid = (seedPhrase: string) =>
+    BIP84.validateMnemonic(seedPhrase);
+
+  public createNewSeed = (wordCount?: number) => {
+    // Map BIP39 word counts to entropy strength
+    const wordCountToStrength: Record<number, number> = {
+      12: 128,
+      15: 160,
+      18: 192,
+      21: 224,
+      24: 256,
+    };
+    const strength = wordCount ? wordCountToStrength[wordCount] : 128;
+    return strength
+      ? BIP84.generateMnemonic(strength)
+      : BIP84.generateMnemonic();
+  };
+
+  public getUTXOState = () => {
+    const vault = this.getVault();
+    if (vault.activeNetwork.kind !== INetworkType.Syscoin) {
+      throw new Error('Cannot get state in a ethereum network');
+    }
+
+    const utxOAccounts = mapValues(vault.accounts.HDAccount, (value) =>
+      omit(value, 'xprv')
+    );
+
+    return {
+      ...vault,
+      accounts: {
+        [KeyringAccountType.HDAccount]: utxOAccounts,
+        [KeyringAccountType.Imported]: {},
+        [KeyringAccountType.Trezor]: {},
+        [KeyringAccountType.Ledger]: {},
+      },
+    };
+  };
+
+  public async importTrezorAccount(label?: string) {
+    const vault = this.getVault();
+    const currency = vault.activeNetwork.currency;
+    if (!currency) {
+      throw new Error('Active network currency is not defined');
+    }
+
+    // Use getNextAccountId to filter out placeholder accounts
+    const nextIndex = this.getNextAccountId(
+      vault.accounts[KeyringAccountType.Trezor]
+    );
+
+    const importedAccount = await this._createTrezorAccount(
+      currency,
+      vault.activeNetwork.slip44,
+      nextIndex
+    );
+    importedAccount.label = label ? label : `Trezor ${importedAccount.id + 1}`;
+
+    // NOTE: Account creation should be dispatched to Redux store, not updated here
+    // The calling code should handle the Redux dispatch
+    // Return the created account for Pali to add to store
+    return importedAccount;
+  }
+
+  public async importLedgerAccount(label?: string) {
+    try {
+      const vault = this.getVault();
+      const currency = vault.activeNetwork.currency;
+      if (!currency) {
+        throw new Error('Active network currency is not defined');
+      }
+
+      // Use getNextAccountId to filter out placeholder accounts
+      const nextIndex = this.getNextAccountId(
+        vault.accounts[KeyringAccountType.Ledger]
+      );
+
+      const importedAccount = await this._createLedgerAccount(
+        currency,
+        vault.activeNetwork.slip44,
+        nextIndex
+      );
+      importedAccount.label = label
+        ? label
+        : `Ledger ${importedAccount.id + 1}`;
+
+      // NOTE: Account creation should be dispatched to Redux store, not updated here
+      // The calling code should handle the Redux dispatch
+      // Return the created account for Pali to add to store
+      return importedAccount;
+    } catch (error) {
+      console.log({ error });
+      throw error;
+    }
+  }
+
+  public getActiveUTXOAccountState = () => {
+    const vault = this.getVault();
+    const { activeAccount } = vault;
+    return {
+      ...vault.accounts.HDAccount[activeAccount.id],
+      xprv: undefined,
+    };
+  };
+
+  public getNetwork = () => this.getVault().activeNetwork;
+
+  public createEthAccount = (privateKey: string) => new Wallet(privateKey);
+
+  // Helper to get current account data from backend
+  private fetchCurrentAccountData = async (
+    xpub: string,
+    isChangeAddress: boolean
+  ) => {
+    const vault = this.getVault();
+    const { activeNetwork } = vault;
+
+    // Use read-only signer for backend calls - works for all account types including hardware wallets
+    const { main } = this.getReadOnlySigner();
+    const options = 'tokens=used&details=tokens';
+
+    const { tokens } = await syscoinjs.utils.fetchBackendAccount(
+      main.blockbookURL,
+      xpub,
+      options,
+      true,
+      undefined
+    );
+
+    const { receivingIndex, changeIndex } =
+      this.setLatestIndexesFromXPubTokens(tokens);
+
+    // Get network configuration for BIP84 using network-provided pub type macros
+    const networkConfig = getNetworkConfig(
+      activeNetwork.slip44,
+      activeNetwork.currency
+    );
+
+    const pubTypes = networkConfig?.types?.zPubType;
+    if (!pubTypes) {
+      throw new Error('Missing zPubType in network configuration');
+    }
+    const networks = networkConfig.networks;
+
+    const currentAccount = new BIP84.fromZPub(xpub, pubTypes, networks);
+
+    const addressIndex = isChangeAddress ? changeIndex : receivingIndex;
+
+    return {
+      currentAccount,
+      addressIndex,
+      main,
+    };
+  };
+
+  public getAddress = async (xpub: string, isChangeAddress: boolean) => {
+    const { currentAccount, addressIndex } = await this.fetchCurrentAccountData(
+      xpub,
+      isChangeAddress
+    );
+
+    const address = currentAccount.getAddress(
+      addressIndex,
+      isChangeAddress,
+      84
+    ) as string;
+
+    return address;
+  };
+
+  public getCurrentAddressPubkey = async (
+    xpub: string,
+    isChangeAddress: boolean
+  ): Promise<string> => {
+    const { currentAccount, addressIndex } = await this.fetchCurrentAccountData(
+      xpub,
+      isChangeAddress
+    );
+
+    // BIP84 returns the public key as a hex string directly
+    return currentAccount.getPublicKey(addressIndex, isChangeAddress);
+  };
+
+  public getCurrentAddressBip32Path = async (
+    xpub: string,
+    isChangeAddress: boolean
+  ): Promise<string> => {
+    const vault = this.getVault();
+    const { activeAccount, activeNetwork } = vault;
+
+    const { addressIndex } = await this.fetchCurrentAccountData(
+      xpub,
+      isChangeAddress
+    );
+
+    // Use the utility function to generate the proper derivation path
+    const coinShortcut = activeNetwork.currency.toLowerCase(); // e.g., 'sys', 'btc'
+    const path = getAddressDerivationPath(
+      coinShortcut,
+      activeNetwork.slip44,
+      activeAccount.id,
+      isChangeAddress,
+      addressIndex
+    );
+
+    return path;
+  };
+
+  public logout = () => {
+    this.lockWallet();
+  };
+
+  public async importAccount(
+    privKey: string,
+    label?: string,
+    options?: { utxoAddressType?: 'p2wpkh' | 'p2pkh' | 'p2tr' }
+  ) {
+    // Check if wallet is unlocked
+    if (!this.isUnlocked()) {
+      throw new Error('Wallet must be unlocked to import accounts');
+    }
+
+    const importedAccount = await this._getPrivateKeyAccountInfos(
+      privKey,
+      label,
+      options
+    );
+
+    // NOTE: Account creation should be dispatched to Redux store, not updated here
+    // The calling code should handle the Redux dispatch
+    // Return the created account for Pali to add to store
+    return importedAccount;
+  }
+
+  // Import a WIF on UTXO networks and force legacy P2PKH address/type.
+  // Keeps it as a single-address Imported account, storing the address in both xpub and address.
+
+  public async importWatchOnly(identifier: string, label?: string) {
+    // Validate via Blockbook and create a watch-only Imported account
+    const vault = this.getVault();
+    const { accounts, activeNetwork } = vault;
+
+    if (!identifier || typeof identifier !== 'string') {
+      throw new Error('Identifier is required');
+    }
+
+    const isXpub = this.isXpubLike(identifier);
+    const isDesc = this.isDescriptor(identifier);
+    const isAddress = !isXpub && !isDesc;
+
+    // Compute address field
+    let addressToStore = identifier;
+    if (isXpub) {
+      try {
+        addressToStore = await this.getAddress(identifier, false);
+      } catch (e) {
+        // Fallback to identifier if derivation fails (e.g., non-BIP84)
+        addressToStore = identifier;
+      }
+    }
+
+    // Validate duplicates
+    const existsInImported = Object.values(
+      accounts[KeyringAccountType.Imported] as IKeyringAccountState[]
+    ).some((a) => a.address === addressToStore);
+    const existsInHD = Object.values(
+      accounts[KeyringAccountType.HDAccount] as IKeyringAccountState[]
+    ).some((a) => a.address === addressToStore);
+    if (existsInImported || existsInHD) {
+      throw new Error('Account already exists on your Wallet.');
+    }
+    // Confirm with Blockbook
+    const options = 'details=basic';
+    // Validate against Blockbook directly to capture precise error details (e.g., checksum mismatch)
+    const baseUrl = activeNetwork.url.replace(/\/$/, '');
+    const path = isXpub || isDesc ? '/api/v2/xpub/' : '/api/v2/address/';
+    const url = `${baseUrl}${path}${encodeURIComponent(identifier)}?${options}`;
+    let res: any = null;
+    try {
+      const response = await fetch(url);
+      if (!response.ok) {
+        let errorText = response.statusText || 'Request failed';
+        try {
+          const bodyText = await response.text();
+          if (bodyText) {
+            try {
+              const json = JSON.parse(bodyText);
+              if (json && json.error) {
+                errorText = json.error;
+              } else {
+                errorText = bodyText;
+              }
+            } catch {
+              errorText = bodyText;
+            }
+          }
+        } catch (parseError) {
+          // ignore body parse error; fall back to statusText
+        }
+        throw new Error(errorText);
+      }
+      res = await response.json();
+    } catch (e: any) {
+      throw new Error(e?.message || 'Identifier validation failed');
+    }
+    if (!res) {
+      throw new Error('Identifier not found on the active network');
+    }
+
+    const id = this.getNextAccountId(accounts[KeyringAccountType.Imported]);
+    const defaultLabel = label || `Watch-only ${id + 1}`;
+
+    const balances = { syscoin: 0, ethereum: 0 };
+
+    const watchOnlyAccount = {
+      ...initialActiveImportedAccountState,
+      address: addressToStore,
+      label: defaultLabel,
+      id,
+      balances,
+      isImported: true,
+      xprv: '',
+      xpub: isAddress ? addressToStore : identifier,
+      assets: {
+        syscoin: [],
+        ethereum: [],
+      },
+    } as IKeyringAccountState;
+
+    return watchOnlyAccount;
+  }
+
+  public validateZprv(zprv: string, targetNetwork?: INetwork) {
+    // Use the active network if targetNetwork is not provided
+    const networkToValidateAgainst =
+      targetNetwork || this.getVault().activeNetwork;
+
+    if (!networkToValidateAgainst) {
+      throw new Error('No network available for validation');
+    }
+
+    try {
+      // Check if it looks like an extended key based on known prefixes
+      const knownExtendedKeyPrefixes = [
+        'xprv',
+        'xpub',
+        'yprv',
+        'ypub',
+        'zprv',
+        'zpub',
+        'tprv',
+        'tpub',
+        'uprv',
+        'upub',
+        'vprv',
+        'vpub',
+      ];
+      const prefix = zprv.substring(0, 4);
+      const looksLikeExtendedKey = knownExtendedKeyPrefixes.includes(prefix);
+
+      // Only check prefix validity if it looks like an extended key
+      if (looksLikeExtendedKey) {
+        const validBip84Prefixes = ['zprv', 'vprv']; // zprv for mainnet, vprv for testnet
+        if (!validBip84Prefixes.includes(prefix)) {
+          throw new Error(
+            `Invalid key prefix '${prefix}'. Only BIP84 keys (zprv/vprv) are supported for UTXO imports. BIP44 keys (xprv/tprv) are not supported.`
+          );
+        }
+      } else {
+        // Not an extended key format
+        throw new Error('Not an extended private key');
+      }
+
+      const bip32 = BIP32Factory(ecc);
+      const decoded = bs58check.decode(zprv);
+
+      if (decoded.length !== 78) {
+        throw new Error('Invalid length for a BIP-32 key');
+      }
+
+      // Get network configuration for the target network
+      const { networks, types } = getNetworkConfig(
+        networkToValidateAgainst.slip44,
+        networkToValidateAgainst.currency || 'Bitcoin'
+      );
+
+      // For BIP84 (zprv/zpub), we need to use the correct magic bytes from zPubType
+      // Determine key type: zprv = mainnet key, vprv = testnet key
+      const keyIsTestnet = prefix === 'vprv';
+
+      // Determine target network type: testnet networks typically have slip44 1
+      const targetIsTestnet = networkToValidateAgainst.slip44 === 1;
+
+      // Cross-network validation: reject if key type doesn't match target network
+      if (keyIsTestnet && !targetIsTestnet) {
+        throw new Error(
+          `Extended private key is not compatible with ${networkToValidateAgainst.label}. ` +
+            `This appears to be a testnet key (${prefix}) but the target network is mainnet.`
+        );
+      }
+
+      if (!keyIsTestnet && targetIsTestnet) {
+        throw new Error(
+          `Extended private key is not compatible with ${networkToValidateAgainst.label}. ` +
+            `This appears to be a mainnet key (${prefix}) but the target network is testnet.`
+        );
+      }
+
+      const pubTypes = keyIsTestnet
+        ? (types.zPubType as any).testnet
+        : types.zPubType.mainnet;
+      const baseNetwork = keyIsTestnet ? networks.testnet : networks.mainnet;
+
+      const network = {
+        ...baseNetwork,
+        bip32: {
+          public: parseInt(pubTypes.vpub || pubTypes.zpub, 16),
+          private: parseInt(pubTypes.vprv || pubTypes.zprv, 16),
+        },
+      };
+
+      // Validate that the key prefix matches the expected network format
+      // This ensures the key was generated for a compatible network
+      const expectedPrefixes = ['zprv', 'vprv', 'xprv', 'yprv']; // Accept various BIP32/84 formats
+      if (!expectedPrefixes.includes(prefix)) {
+        throw new Error(
+          `Invalid extended private key prefix: ${prefix}. Expected one of: ${expectedPrefixes.join(
+            ', '
+          )}`
+        );
+      }
+
+      // Strict network matching - only allow keys that match the target network
+      let node;
+      try {
+        node = bip32.fromBase58(zprv, network);
+      } catch (e) {
+        throw new Error(
+          `Extended private key is not compatible with ${networkToValidateAgainst.label}. Please use a key generated for this specific network.`
+        );
+      }
+
+      if (!node.privateKey) {
+        throw new Error('Private key not found in extended private key');
+      }
+      if (!ecc.isPrivate(node.privateKey)) {
+        throw new Error('Invalid private key for secp256k1 curve');
+      }
+
+      return {
+        isValid: true,
+        node,
+        network,
+        message: 'The extended private key is valid for this network.',
+      };
+    } catch (error) {
+      return { isValid: false, message: error.message };
+    }
+  }
+
+  public validateWif(wif: string, targetNetwork?: INetwork) {
+    // Use the active network if targetNetwork is not provided
+    const networkToValidateAgainst =
+      targetNetwork || this.getVault().activeNetwork;
+
+    if (!networkToValidateAgainst) {
+      throw new Error('No network available for validation');
+    }
+
+    try {
+      // Get bitcoinjs network for the target network (Syscoin/BTC etc.)
+      const { networks } = getNetworkConfig(
+        networkToValidateAgainst.slip44,
+        networkToValidateAgainst.currency || 'Bitcoin'
+      );
+
+      const isTestnet = networkToValidateAgainst.slip44 === 1;
+      const bitcoinNetwork = isTestnet ? networks.testnet : networks.mainnet;
+
+      // Try to parse the WIF for the given network
+      const keyPair = (syscoinjs.utils as any).bitcoinjs.ECPair.fromWIF(
+        wif,
+        bitcoinNetwork
+      );
+      if (!keyPair || !keyPair.privateKey)
+        throw new Error('Invalid WIF private key');
+
+      // Derive an address based on network capability
+      // Try different address types to ensure the key can derive addresses
+      let address: string | undefined;
+      try {
+        // Try P2TR (Taproot) first if bech32 is supported
+        if ((bitcoinNetwork as any).bech32) {
+          try {
+            address = bjs.payments.p2wpkh({
+              pubkey: keyPair.publicKey,
+              network: bitcoinNetwork,
+            }).address as string | undefined;
+          } catch (e) {
+            // P2TR might not be supported, try P2WPKH
+          }
+        }
+        if (!address) {
+          address = bjs.payments.p2pkh({
+            pubkey: keyPair.publicKey,
+            network: bitcoinNetwork,
+          }).address as string | undefined;
+        }
+      } catch (e) {
+        // ignore and handle below
+      }
+      if (!address) throw new Error('Failed to derive address from WIF');
+
+      return { isValid: true };
+    } catch (error) {
+      return { isValid: false, message: error.message };
+    }
+  }
+
+  /**
+   * PRIVATE METHODS
+   */
+
+  // ===================================== AUXILIARY METHOD - FOR TRANSACTIONS CLASSES ===================================== //
+  private getDecryptedPrivateKey = (): {
+    address: string;
+    decryptedPrivateKey: string;
+  } => {
+    try {
+      const vault = this.getVault();
+      const { accounts, activeAccount } = vault;
+      const activeAccountId = activeAccount.id;
+      const activeAccountType = activeAccount.type;
+      const isLedger = activeAccountType === KeyringAccountType.Ledger;
+      const isTrezor = activeAccountType === KeyringAccountType.Trezor;
+
+      const isHardwareWallet = isTrezor || isLedger;
+
+      if (!this.sessionPassword)
+        throw new Error('Wallet is locked cant proceed with transaction');
+
+      const activeAccountData = accounts[activeAccountType][activeAccountId];
+      if (!activeAccountData) {
+        throw new Error(
+          `Active account (${activeAccountType}:${activeAccountId}) not found. Account switching may be in progress.`
+        );
+      }
+
+      const { xprv, address } = activeAccountData;
+
+      if (isHardwareWallet) {
+        return {
+          address,
+          decryptedPrivateKey: '',
+        };
+      }
+
+      if (!xprv) {
+        throw new Error(
+          `Private key not found for account ${activeAccountType}:${activeAccountId}. Account may not be fully initialized.`
+        );
+      }
+
+      let decryptedPrivateKey: string;
+      try {
+        decryptedPrivateKey = this.withSecureData((sessionPwd) => {
+          return CryptoJS.AES.decrypt(xprv, sessionPwd).toString(
+            CryptoJS.enc.Utf8
+          );
+        });
+      } catch (decryptError) {
+        throw new Error(
+          `Failed to decrypt private key for account ${activeAccountType}:${activeAccountId}. The wallet may be locked or corrupted.`
+        );
+      }
+
+      if (!decryptedPrivateKey) {
+        throw new Error(
+          `Decrypted private key is empty for account ${activeAccountType}:${activeAccountId}. Invalid password or corrupted data.`
+        );
+      }
+
+      // For EVM accounts, validate that the derived address matches the stored address
+      // This helps catch account switching race conditions early
+      if (this.getActiveChain() === INetworkType.Ethereum) {
+        try {
+          const derivedWallet = new Wallet(decryptedPrivateKey);
+          if (derivedWallet.address.toLowerCase() !== address.toLowerCase()) {
+            throw new Error(
+              `Address mismatch for account ${activeAccountType}:${activeAccountId}. Expected ${address} but derived ${derivedWallet.address}. Account switching may be in progress.`
+            );
+          }
+        } catch (ethersError) {
+          throw new Error(
+            `Failed to validate EVM address for account ${activeAccountType}:${activeAccountId}: ${ethersError.message}`
+          );
+        }
+      }
+
+      return {
+        address,
+        decryptedPrivateKey,
+      };
+    } catch (error) {
+      const vaultForLogging = this.getVault();
+      console.error('ERROR getDecryptedPrivateKey', {
+        error: error.message,
+        activeChain: this.getActiveChain(),
+        vault: {
+          activeAccountId: vaultForLogging?.activeAccount?.id,
+          activeAccountType: vaultForLogging?.activeAccount?.type,
+        },
+      });
+      this.validateAndHandleErrorByMessage(error.message);
+      throw error;
+    }
+  };
+
+  private getSigner = (): {
+    hd: any; // SyscoinHDSigner or WIFSigner wrapper with sign(psbt)
+    main: any; // syscoinjs-lib Syscoin instance
+  } => {
+    if (!this.sessionPassword) {
+      throw new Error('Wallet is locked cant proceed with transaction');
+    }
+    if (this.getActiveChain() !== INetworkType.Syscoin) {
+      throw new Error('Switch to UTXO chain');
+    }
+
+    const vault = this.getVault();
+    const { activeAccount } = vault;
+    const accountId = activeAccount.id;
+    const accountType = activeAccount.type;
+
+    // Determine signer type: HD or WIF single-address
+    let signerForUse: any;
+    if (accountType === KeyringAccountType.HDAccount) {
+      signerForUse = this.createOnDemandUTXOSigner(accountId);
+    } else if (accountType === KeyringAccountType.Imported) {
+      // Decrypt stored key material
+      const decrypted = this.withSecureData((sessionPwd) => {
+        const account = vault.accounts[KeyringAccountType.Imported][accountId];
+        const res = CryptoJS.AES.decrypt(account.xprv, sessionPwd).toString(
+          CryptoJS.enc.Utf8
+        );
+        if (!res) throw new Error('Failed to decrypt imported account key');
+        return res;
+      });
+
+      if (this.isZprv(decrypted)) {
+        signerForUse = this.createFreshUTXOSigner(decrypted, accountId);
+      } else {
+        // Treat as WIF single-address signer wrapper exposing sign(psbt)
+        const network = vault.activeNetwork;
+        const { networks } = getNetworkConfig(network.slip44, network.currency);
+        const isTestnet = network.slip44 === 1;
+        const bitcoinjsNetwork = isTestnet
+          ? networks.testnet
+          : networks.mainnet;
+
+        signerForUse = {
+          sign: async (psbt: any) => {
+            return await (syscoinjs.utils as any).signWithWIF(
+              psbt,
+              decrypted,
+              bitcoinjsNetwork
+            );
+          },
+        };
+      }
+    } else {
+      throw new Error(
+        `Unsupported account type for UTXO signing: ${accountType}`
+      );
+    }
+
+    // Create syscoinjs instance with current network (no need to attach signer for signing flow)
+    const network = vault.activeNetwork;
+    const networkConfig = getNetworkConfig(network.slip44, network.currency);
+
+    const syscoinMainSigner = new syscoinjs.SyscoinJSLib(
+      null,
+      network.url,
+      networkConfig?.networks?.mainnet || undefined
+    );
+
+    return {
+      hd: signerForUse,
+      main: syscoinMainSigner,
+    };
+  };
+
+  // Read-only version that works when wallet is locked
+  private getReadOnlySigner = (): {
+    main: any; // syscoinjs-lib Syscoin instance (read-only)
+  } => {
+    if (this.getActiveChain() !== INetworkType.Syscoin) {
+      throw new Error('Switch to UTXO chain');
+    }
+
+    // Create syscoinjs instance without HD signer for read-only operations
+    const vault = this.getVault();
+    const network = vault.activeNetwork;
+    const networkConfig = getNetworkConfig(network.slip44, network.currency);
+
+    const syscoinMainSigner = new syscoinjs.SyscoinJSLib(
+      null, // No HD signer needed for read-only operations
+      network.url,
+      networkConfig?.networks?.mainnet || undefined
+    );
+
+    return {
+      main: syscoinMainSigner,
+    };
+  };
+
+  private validateAndHandleErrorByMessage(message: string) {
+    const utf8ErrorMessage = 'Malformed UTF-8 data';
+    if (
+      message.includes(utf8ErrorMessage) ||
+      message.toLowerCase().includes(utf8ErrorMessage.toLowerCase())
+    ) {
+      this.storage.set('utf8Error', { hasUtf8Error: true });
+    }
+  }
+
+  private getAccountsState = () => {
+    const vault = this.getVault();
+    const { accounts, activeAccount, activeNetwork } = vault;
+    return {
+      activeAccountId: activeAccount.id,
+      accounts,
+      activeAccountType: activeAccount.type,
+      activeNetwork,
+    };
+  };
+
+  /**
+   *
+   * @param password
+   * @param salt
+   * @returns hash: string
+   */
+  private encryptSHA512 = (password: string, salt: string) =>
+    crypto.createHmac('sha512', salt).update(password).digest('hex');
+
+  private getSysActivePrivateKey = (hd: SyscoinHDSigner) => {
+    if (hd === null) throw new Error('No HD Signer');
+
+    const accountIndex = hd.Signer.accountIndex;
+
+    // Verify the account exists now
+    if (!hd.Signer.accounts.has(accountIndex)) {
+      throw new Error(`Account at index ${accountIndex} could not be created`);
+    }
+
+    return hd.Signer.accounts.get(accountIndex).getAccountPrivateKey();
+  };
+
+  private getInitialAccountData = ({
+    label,
+    signer,
+    sysAccount,
+    xprv,
+  }: {
+    label?: string;
+    signer: any;
+    sysAccount: ISysAccount;
+    xprv: string;
+  }) => {
+    const { address, xpub } = sysAccount;
+
+    return {
+      id: signer.Signer.accountIndex,
+      label: label || `Account ${signer.Signer.accountIndex + 1}`,
+      xpub,
+      xprv,
+      address,
+      isTrezorWallet: false,
+      isLedgerWallet: false,
+      isImported: false,
+    };
+  };
+
+  private async _createTrezorAccount(
+    coin: string,
+    slip44: number,
+    index: number,
+    label?: string
+  ) {
+    const vault = this.getVault();
+    const { accounts } = vault;
+    let xpub, balance;
+
+    // For EVM networks, Trezor expects 'eth' regardless of the network's currency
+    const trezorCoin = slip44 === 60 ? 'eth' : coin;
+
+    try {
+      const { descriptor, balance: _balance } =
+        await this.trezorSigner.getAccountInfo({
+          coin: trezorCoin,
+          slip44,
+          index,
+        });
+      xpub = descriptor;
+      balance = _balance;
+    } catch (e) {
+      throw new Error(e);
+    }
+    let ethPubKey = '';
+
+    const isEVM = isEvmCoin(coin, slip44);
+
+    // For EVM networks, we need to get the actual address from Trezor
+    let address: string;
+    if (isEVM) {
+      // For EVM, the descriptor from getAccountInfo is the address
+      address = xpub;
+
+      // Get the public key for EVM
+      const response = await this.trezorSigner.getPublicKey({
+        coin: trezorCoin,
+        slip44,
+        index: +index,
+      });
+      ethPubKey = response.publicKey;
+    } else {
+      // For UTXO, use the xpub to derive the address
+      address = await this.getAddress(xpub, false);
+    }
+
+    const accountAlreadyExists =
+      Object.values(
+        accounts[KeyringAccountType.Ledger] as IKeyringAccountState[]
+      ).some((account) => account.address === address) ||
+      Object.values(
+        accounts[KeyringAccountType.Trezor] as IKeyringAccountState[]
+      ).some((account) => account.address === address) ||
+      Object.values(
+        accounts[KeyringAccountType.HDAccount] as IKeyringAccountState[]
+      ).some((account) => account.address === address) ||
+      Object.values(
+        accounts[KeyringAccountType.Imported] as IKeyringAccountState[]
+      ).some((account) => account.address === address);
+
+    if (accountAlreadyExists)
+      throw new Error('Account already exists on your Wallet.');
+    if (!xpub || !address)
+      throw new Error(
+        'Something wrong happened. Please, try again or report it'
+      );
+
+    // Use getNextAccountId to properly handle placeholder accounts
+    const id = this.getNextAccountId(accounts[KeyringAccountType.Trezor]);
+
+    // Convert balance from satoshis to SYS safely
+    // Using string manipulation to avoid precision loss
+    let syscoinBalance = 0;
+    if (!isEVM && balance) {
+      const balanceStr = balance.toString();
+      // Handle conversion without division to preserve precision
+      if (balanceStr.length > 8) {
+        // Has whole SYS part
+        const wholePart = balanceStr.slice(0, -8);
+        const decimalPart = balanceStr.slice(-8);
+        syscoinBalance = parseFloat(`${wholePart}.${decimalPart}`);
+      } else {
+        // Less than 1 SYS
+        const paddedBalance = balanceStr.padStart(8, '0');
+        syscoinBalance = parseFloat(`0.${paddedBalance}`);
+      }
+    }
+
+    const trezorAccount = {
+      ...this.initialTrezorAccountState,
+      balances: {
+        syscoin: isEVM ? 0 : syscoinBalance,
+        ethereum: 0,
+      },
+      address,
+      label: label ? label : `Trezor ${id + 1}`,
+      id,
+      xprv: '',
+      xpub: isEVM ? ethPubKey : xpub,
+      assets: {
+        syscoin: [],
+        ethereum: [],
+      },
+    } as IKeyringAccountState;
+
+    return trezorAccount;
+  }
+
+  private async _createLedgerAccount(
+    coin: string,
+    slip44: number,
+    index: number,
+    label?: string
+  ) {
+    const vault = this.getVault();
+    const { accounts } = vault;
+    let xpub;
+    let address = '';
+    if (isEvmCoin(coin, slip44)) {
+      const { address: ethAddress, publicKey } =
+        await this.ledgerSigner.evm.getEvmAddressAndPubKey({
+          accountIndex: index,
+        });
+      address = ethAddress;
+      xpub = publicKey;
+    } else {
+      try {
+        const ledgerXpub = await this.ledgerSigner.utxo.getXpub({
+          index: index,
+          coin,
+          slip44,
+        });
+        xpub = ledgerXpub;
+        // Use the generic getAddress method like Trezor does - no need to query device again
+        address = await this.getAddress(xpub, false);
+      } catch (e) {
+        throw new Error(e);
+      }
+    }
+
+    const accountAlreadyExists =
+      Object.values(
+        accounts[KeyringAccountType.Ledger] as IKeyringAccountState[]
+      ).some((account) => account.address === address) ||
+      Object.values(
+        accounts[KeyringAccountType.Trezor] as IKeyringAccountState[]
+      ).some((account) => account.address === address) ||
+      Object.values(
+        accounts[KeyringAccountType.HDAccount] as IKeyringAccountState[]
+      ).some((account) => account.address === address) ||
+      Object.values(
+        accounts[KeyringAccountType.Imported] as IKeyringAccountState[]
+      ).some((account) => account.address === address);
+
+    if (accountAlreadyExists)
+      throw new Error('Account already exists on your Wallet.');
+    if (!xpub || !address)
+      throw new Error(
+        'Something wrong happened. Please, try again or report it'
+      );
+
+    // Use getNextAccountId to properly handle placeholder accounts
+    const id = this.getNextAccountId(accounts[KeyringAccountType.Ledger]);
+
+    const currentBalances = { syscoin: 0, ethereum: 0 };
+
+    const ledgerAccount = {
+      ...this.initialLedgerAccountState,
+      balances: currentBalances,
+      address,
+      label: label ? label : `Ledger ${id + 1}`,
+      id,
+      xprv: '',
+      xpub,
+      assets: {
+        syscoin: [],
+        ethereum: [],
+      },
+    } as IKeyringAccountState;
+
+    return ledgerAccount;
+  }
+
+  private getFormattedBackendAccount = async ({
+    signer,
+  }: {
+    signer: SyscoinHDSigner;
+  }): Promise<ISysAccount> => {
+    // MUCH SIMPLER: Just use the signer directly - no BIP84 needed!
+    // Get address directly from the signer (always correct for current network)
+    const address = signer.createAddress(0, false, 84) as string;
+    const xpub = signer.getAccountXpub();
+
+    return {
+      address,
+      xpub,
+    };
+  };
+  private setLatestIndexesFromXPubTokens = function (tokens) {
+    let changeIndexInternal = -1,
+      receivingIndexInternal = -1;
+    if (tokens) {
+      tokens.forEach((token) => {
+        if (!token.transfers || !token.path) {
+          return {
+            changeIndex: changeIndexInternal + 1,
+            receivingIndex: receivingIndexInternal + 1,
+          };
+        }
+        const transfers = parseInt(token.transfers, 10);
+        if (token.path && transfers > 0) {
+          const splitPath = token.path.split('/');
+          if (splitPath.length >= 6) {
+            const change = parseInt(splitPath[4], 10);
+            const index = parseInt(splitPath[5], 10);
+            if (change === 1) {
+              if (index > changeIndexInternal) {
+                changeIndexInternal = index;
+              }
+            } else if (index > receivingIndexInternal) {
+              receivingIndexInternal = index;
+            }
+          }
+        }
+      });
+    }
+    return {
+      changeIndex: changeIndexInternal + 1,
+      receivingIndex: receivingIndexInternal + 1,
+    };
+  };
+
+  // Common helper method for UTXO account creation
+  private async createUTXOAccountAtIndex(accountId: number, label?: string) {
+    try {
+      // Create fresh signer just for this account creation operation
+      const freshHDSigner = this.createOnDemandUTXOSigner(accountId);
+
+      const sysAccount = await this.getFormattedBackendAccount({
+        signer: freshHDSigner,
+      });
+
+      const encryptedXprv = this.getEncryptedXprv(freshHDSigner);
+
+      // Generate network-aware label if none provided
+      const vault = this.getVault();
+      const network = vault.activeNetwork;
+      const defaultLabel = this.generateNetworkAwareLabel(accountId, network);
+
+      return {
+        ...this.getInitialAccountData({
+          label: label || defaultLabel,
+          signer: freshHDSigner,
+          sysAccount,
+          xprv: encryptedXprv,
+        }),
+        balances: { syscoin: 0, ethereum: 0 },
+      } as IKeyringAccountState;
+    } catch (error) {
+      console.log('ERROR createUTXOAccountAtIndex', {
+        error,
+      });
+      this.validateAndHandleErrorByMessage(error.message);
+      throw error;
+    }
+  }
+
+  private async addNewAccountToSyscoinChain(label?: string) {
+    try {
+      // Get next available account ID
+      const vault = this.getVault();
+      const accounts = vault.accounts[KeyringAccountType.HDAccount];
+      const nextId = this.getNextAccountId(accounts);
+
+      return await this.createUTXOAccountAtIndex(nextId, label);
+    } catch (error) {
+      console.log('ERROR addNewAccountToSyscoinChain', {
+        error,
+      });
+      this.validateAndHandleErrorByMessage(error.message);
+      throw error;
+    }
+  }
+
+  private async addNewAccountToEth(label?: string) {
+    try {
+      // Get next available account ID
+      const vault = this.getVault();
+      const accounts = vault.accounts[KeyringAccountType.HDAccount];
+      const nextId = this.getNextAccountId(accounts);
+
+      // EVM accounts should use generic labels since they work across all EVM networks
+      const defaultLabel = `Account ${nextId + 1}`;
+
+      const newAccount = await this.setDerivedWeb3Accounts(
+        nextId,
+        label || defaultLabel
+      );
+
+      return newAccount;
+    } catch (error) {
+      console.log('ERROR addNewAccountToEth', {
+        error,
+      });
+      this.validateAndHandleErrorByMessage(error.message);
+      throw error;
+    }
+  }
+
+  // Helper method to get next available account ID - fills gaps when accounts are deleted
+  private getNextAccountId(accounts: any): number {
+    const existingIds = Object.values(accounts)
+      .filter((account: any) => {
+        // Only count accounts that have been properly initialized
+        // Placeholder accounts have empty addresses/xprv/xpub
+        return account && account.address && account.xpub;
+      })
+      .map((account: any) => account.id)
+      .filter((id) => !isNaN(id))
+      .sort((a, b) => a - b); // Sort to find gaps efficiently
+
+    if (existingIds.length === 0) {
+      return 0;
+    }
+
+    // Find the first gap in the sequence
+    for (let i = 0; i < existingIds.length; i++) {
+      if (existingIds[i] !== i) {
+        // Found a gap at position i
+        return i;
+      }
+    }
+
+    // No gaps found, return next sequential ID
+    return existingIds.length;
+  }
+
+  private getBasicWeb3AccountInfo = (id: number, label?: string) => {
+    return {
+      id,
+      isTrezorWallet: false,
+      isLedgerWallet: false,
+      label: label ? label : `Account ${id + 1}`,
+    };
+  };
+
+  private setDerivedWeb3Accounts = async (
+    id: number,
+    label: string
+  ): Promise<IKeyringAccountState> => {
+    try {
+      // For account creation, derive from mnemonic (since account doesn't exist yet)
+      const mnemonic = this.getDecryptedMnemonic();
+      const hdNode = HDNode.fromMnemonic(mnemonic);
+      const derivationPath = getAddressDerivationPath('eth', 60, 0, false, id);
+      const derivedAccount = hdNode.derivePath(derivationPath);
+
+      const basicAccountInfo = this.getBasicWeb3AccountInfo(id, label);
+
+      const createdAccount = {
+        address: derivedAccount.address,
+        xpub: derivedAccount.publicKey,
+        xprv: this.withSecureData((sessionPwd) => {
+          return CryptoJS.AES.encrypt(
+            derivedAccount.privateKey,
+            sessionPwd
+          ).toString();
+        }),
+        isImported: false,
+        ...basicAccountInfo,
+        balances: { syscoin: 0, ethereum: 0 },
+      };
+
+      // NOTE: Account creation should be dispatched to Redux store, not stored here
+      // Return the account data for Pali to add to store
+      return createdAccount;
+    } catch (error) {
+      console.log('ERROR setDerivedWeb3Accounts', {
+        error,
+      });
+      this.validateAndHandleErrorByMessage(error.message);
+      throw error;
+    }
+  };
+
+  private setSignerEVM = async (network: INetwork): Promise<void> => {
+    const abortController = new AbortController();
+    try {
+      // With multi-keyring architecture, this is only called on EVM keyrings
+      this.ethereumTransaction.setWeb3Provider(network);
+      abortController.abort();
+    } catch (error) {
+      abortController.abort();
+      throw new Error(`SetSignerEVM: Failed with ${error}`);
+    }
+  };
+
+  private clearTemporaryLocalKeys = async (pwd: string) => {
+    // Clear the vault completely (set empty mnemonic)
+    await setEncryptedVault(
+      {
+        mnemonic: '',
+      },
+      pwd
+    );
+
+    // Remove vault-keys from storage so no vault exists at all
+    await this.storage.deleteItem('vault-keys');
+
+    console.log('[KeyringManager] Temporary local keys cleared');
+    this.logout();
+  };
+
+  private async recreateSessionFromVault(
+    password: string,
+    saltedHashPassword: string
+  ): Promise<void> {
+    try {
+      const { mnemonic } = await getDecryptedVault(password);
+
+      if (!mnemonic) {
+        throw new Error('Mnemonic not found in vault');
+      }
+
+      // Encrypt session data with sessionPassword hash for consistency
+      // This allows keyring manager to decrypt with this.sessionPassword
+      this.sessionPassword = new SecureBuffer(saltedHashPassword);
+      // Encrypt the mnemonic with session password for consistency with the rest of the code
+      const encryptedMnemonic = CryptoJS.AES.encrypt(
+        mnemonic,
+        saltedHashPassword
+      ).toString();
+      this.sessionMnemonic = new SecureBuffer(encryptedMnemonic);
+      console.log('[KeyringManager] Session data recreated from vault');
+    } catch (error) {
+      console.error('ERROR recreateSessionFromVault', { error });
+      throw error;
+    }
+  }
+
+  private async _getPrivateKeyAccountInfos(
+    privKey: string,
+    label?: string,
+    options?: { utxoAddressType?: 'p2wpkh' | 'p2pkh' | 'p2tr' }
+  ) {
+    const vault = this.getVault();
+    const { accounts } = vault;
+    let importedAccountValue: {
+      address: string;
+      privateKey: string;
+      publicKey: string;
+    } | null = null;
+
+    const balances = {
+      syscoin: 0,
+      ethereum: 0,
+    };
+
+    // Try to validate as extended private key first
+    const networkToUse = vault.activeNetwork;
+    const zprvValidation = this.validateZprv(privKey, networkToUse);
+
+    // Check if we're on an EVM network (slip44 = 60) or UTXO network
+    const isEvmNetwork = networkToUse.slip44 === 60;
+
+    if (zprvValidation.isValid) {
+      // This is a valid UTXO extended private key
+      if (isEvmNetwork) {
+        throw new Error(
+          'Cannot import UTXO private key on EVM network. Please switch to a UTXO network (Bitcoin/Syscoin) first.'
+        );
+      }
+      const { node, network } = zprvValidation;
+
+      if (!node || !network) {
+        throw new Error('Failed to validate extended private key');
+      }
+
+      // Always use index 0 for consistency
+      const nodeChild = node.derivePath(`0/0`);
+      if (!nodeChild) {
+        throw new Error('Failed to derive child node');
+      }
+
+      // Choose address type based on options or default to p2wpkh
+      let addrObj;
+      if (options?.utxoAddressType === 'p2pkh') {
+        addrObj = bjs.payments.p2pkh({
+          pubkey: nodeChild.publicKey,
+          network,
+        });
+      } else if (options?.utxoAddressType === 'p2tr') {
+        // For taproot, use x-only public key (32 bytes instead of 33)
+        const xOnly =
+          nodeChild.publicKey.length === 33
+            ? nodeChild.publicKey.slice(1, 33)
+            : nodeChild.publicKey;
+        addrObj = bjs.payments.p2tr({
+          internalPubkey: xOnly,
+          network,
+        });
+      } else {
+        // Default to SegWit (p2wpkh)
+        addrObj = bjs.payments.p2wpkh({
+          pubkey: nodeChild.publicKey,
+          network,
+        });
+      }
+
+      const { address } = addrObj;
+      if (!address) {
+        throw new Error('Failed to generate address');
+      }
+
+      importedAccountValue = {
+        address,
+        publicKey: node.neutered().toBase58(),
+        privateKey: privKey,
+      };
+
+      balances.syscoin = 0;
+    } else {
+      // If not a valid zprv/vprv, on UTXO networks try WIF
+      const isEvmNetwork = networkToUse.slip44 === 60;
+      let handledAsUtxo = false;
+      if (!isEvmNetwork) {
+        const wifValidation = this.validateWif(privKey, networkToUse);
+        if (wifValidation.isValid) {
+          // Create address from WIF and treat as single-address imported account
+          const { networks } = getNetworkConfig(
+            networkToUse.slip44,
+            networkToUse.currency || 'Bitcoin'
+          );
+          const isTestnet = networkToUse.slip44 === 1;
+          const bitcoinNetwork = isTestnet
+            ? networks.testnet
+            : networks.mainnet;
+
+          const keyPair = (syscoinjs.utils as any).bitcoinjs.ECPair.fromWIF(
+            privKey,
+            bitcoinNetwork
+          );
+          // Choose address type based on options or default behavior
+          let addrObj;
+          if (options?.utxoAddressType === 'p2pkh') {
+            addrObj = bjs.payments.p2pkh({
+              pubkey: keyPair.publicKey,
+              network: bitcoinNetwork,
+            });
+          } else if (options?.utxoAddressType === 'p2tr') {
+            // For taproot, use x-only public key (32 bytes instead of 33)
+            const xOnly =
+              keyPair.publicKey.length === 33
+                ? keyPair.publicKey.slice(1, 33)
+                : keyPair.publicKey;
+            addrObj = bjs.payments.p2tr({
+              internalPubkey: xOnly,
+              network: bitcoinNetwork,
+            });
+          } else {
+            // Default to SegWit (p2wpkh)
+            addrObj = bjs.payments.p2wpkh({
+              pubkey: keyPair.publicKey,
+              network: bitcoinNetwork,
+            });
+          }
+          const address = addrObj.address;
+          if (!address) {
+            throw new Error('Failed to generate address from WIF');
+          }
+
+          importedAccountValue = {
+            address,
+            // For single-address WIF accounts, store xpub as the address marker
+            publicKey: address,
+            privateKey: privKey,
+          };
+
+          // Set UTXO balance bucket
+          balances.syscoin = 0;
+          handledAsUtxo = true;
+
+          // Proceed to account creation below
+        } else if (!isEvmNetwork && wifValidation.message) {
+          // Provide useful feedback on UTXO network if WIF was attempted and failed
+          // Continue to EVM handling only if actually EVM network
+        }
+      }
+
+      // Check if the validation failed due to network mismatch
+      if (
+        zprvValidation.message &&
+        zprvValidation.message.includes('Network mismatch')
+      ) {
+        throw new Error(zprvValidation.message);
+      }
+
+      // Check if the validation failed due to invalid key prefix (only for known extended key formats)
+      if (
+        zprvValidation.message &&
+        zprvValidation.message.includes('Invalid key prefix')
+      ) {
+        throw new Error(zprvValidation.message);
+      }
+
+      // Check if it failed parsing as an extended key
+      if (
+        zprvValidation.message &&
+        zprvValidation.message.includes('Failed to parse extended private key')
+      ) {
+        throw new Error(zprvValidation.message);
+      }
+
+      // Check if it looks like an extended key that failed validation
+      const knownExtendedKeyPrefixes = [
+        'xprv',
+        'xpub',
+        'yprv',
+        'ypub',
+        'zprv',
+        'zpub',
+        'tprv',
+        'tpub',
+        'uprv',
+        'upub',
+        'vprv',
+        'vpub',
+      ];
+      const prefix = privKey.substring(0, 4);
+      const looksLikeExtendedKey = knownExtendedKeyPrefixes.includes(prefix);
+
+      if (looksLikeExtendedKey) {
+        // This looks like a UTXO extended key, but it failed validation
+        // Don't try to import it as an EVM key
+        if (isEvmNetwork) {
+          throw new Error(
+            'Cannot import UTXO private key on EVM network. Please switch to a UTXO network (Bitcoin/Syscoin) first.'
+          );
+        }
+        // For UTXO networks, throw the original validation error
+        throw new Error(
+          zprvValidation.message || 'Invalid extended private key'
+        );
+      }
+
+      // If it's not an extended key and not a valid WIF, treat it as an Ethereum private key
+      // But first check if we're on an EVM network
+      if (!isEvmNetwork && !handledAsUtxo) {
+        throw new Error(
+          'Cannot import EVM private key on UTXO network. Please switch to an EVM network first.'
+        );
+      }
+
+      if (!handledAsUtxo) {
+        const hexPrivateKey =
+          privKey.slice(0, 2) === '0x' ? privKey : `0x${privKey}`;
+
+        // Validate it's a valid hex string (32 bytes = 64 hex chars)
+        if (
+          !/^0x[0-9a-fA-F]{64}$/.test(hexPrivateKey) &&
+          !/^[0-9a-fA-F]{64}$/.test(privKey)
+        ) {
+          throw new Error(
+            'Invalid private key format. Expected 32-byte hex string or extended private key.'
+          );
+        }
+
+        importedAccountValue =
+          this.ethereumTransaction.importAccount(hexPrivateKey);
+
+        balances.ethereum = 0;
+      }
+    }
+
+    if (!importedAccountValue) {
+      throw new Error(
+        'Invalid private key format. Expected WIF, extended private key, or 32-byte hex.'
+      );
+    }
+
+    const { address, publicKey, privateKey } = importedAccountValue;
+
+    //Validate if account already exists
+    const accountAlreadyExists =
+      (accounts[KeyringAccountType.Imported] &&
+        Object.values(
+          accounts[KeyringAccountType.Imported] as IKeyringAccountState[]
+        ).some((account) => account.address === address)) ||
+      Object.values(
+        accounts[KeyringAccountType.HDAccount] as IKeyringAccountState[]
+      ).some((account) => account.address === address); //Find a way to verify if private Key is not par of seed wallet derivation path
+
+    if (accountAlreadyExists)
+      throw new Error(
+        'Account already exists, try again with another Private Key.'
+      );
+
+    const id = this.getNextAccountId(accounts[KeyringAccountType.Imported]);
+    const defaultLabel: string = label || `Imported ${id + 1}`;
+    return {
+      ...initialActiveImportedAccountState,
+      address,
+      label: defaultLabel,
+      id,
+      balances,
+      isImported: true,
+      xprv: this.withSecureData((sessionPwd) => {
+        return CryptoJS.AES.encrypt(privateKey, sessionPwd).toString();
+      }),
+      xpub: publicKey,
+      assets: {
+        syscoin: [],
+        ethereum: [],
+      },
+    } as IKeyringAccountState;
+  }
+
+  // NEW: On-demand signer creation methods
+
+  /**
+   * Common method to decrypt mnemonic from session
+   * Eliminates code duplication across multiple methods
+   */
+  private getDecryptedMnemonic(): string {
+    if (!this.sessionMnemonic || !this.sessionPassword) {
+      throw new Error('Session information not available');
+    }
+
+    const mnemonic = this.withSecureData((sessionPwd, sessionMnemonic) => {
+      const decrypted = CryptoJS.AES.decrypt(
+        sessionMnemonic,
+        sessionPwd
+      ).toString(CryptoJS.enc.Utf8);
+
+      if (!decrypted) {
+        throw new Error('Failed to decrypt mnemonic');
+      }
+
+      return decrypted;
+    });
+
+    return mnemonic;
+  }
+
+  /**
+   * Creates network RPC config from current active network without making RPC calls
+   * Common utility for all on-demand signer creation
+   */
+  private createNetworkRpcConfig() {
+    const network = this.getVault().activeNetwork;
+
+    return {
+      formattedNetwork: network,
+      networkConfig: getNetworkConfig(network.slip44, network.currency),
+    };
+  }
+
+  /**
+   * Common signer creation logic - takes decrypted mnemonic/zprv and creates fresh signer
+   * OPTIMIZED: No RPC call needed - uses network config directly
+   */
+  private createFreshUTXOSigner(
+    mnemonicOrZprv: string,
+    accountId: number
+  ): SyscoinHDSigner {
+    // Create signer using network config directly (no RPC call)
+    const rpcConfig = this.createNetworkRpcConfig();
+    // Type assertion to match getSyscoinSigners expected interface
+    const { hd } = getSyscoinSigners({
+      mnemonic: mnemonicOrZprv,
+      rpc: rpcConfig as any,
+    });
+
+    // Create account at the specified index and set it as active
+    // Note: createAccountAtIndex is synchronous despite TypeScript types
+    hd.createAccountAtIndex(accountId, 84);
+
+    // Verify the account was created correctly
+    if (!hd.Signer.accounts.has(accountId)) {
+      throw new Error(`Failed to create account at index ${accountId}`);
+    }
+
+    // Verify the correct account is active
+    if (hd.Signer.accountIndex !== accountId) {
+      throw new Error(
+        `Account index mismatch: expected ${accountId}, got ${hd.Signer.accountIndex}`
+      );
+    }
+
+    return hd;
+  }
+
+  /**
+   * Creates a fresh UTXO signer for HD accounts derived from the main seed
+   * OPTIMIZED: No RPC call needed - uses network config directly
+   */
+  private createOnDemandUTXOSigner(accountId: number): SyscoinHDSigner {
+    // Use common method to avoid code duplication
+    const mnemonic = this.getDecryptedMnemonic();
+    return this.createFreshUTXOSigner(mnemonic, accountId);
+  }
+
+  // NEW: Helper methods for HD signer management
+  private isZprv(key: string): boolean {
+    const zprvPrefixes = ['zprv', 'tprv', 'vprv', 'xprv'];
+    return zprvPrefixes.some((prefix) => key.startsWith(prefix));
+  }
+  // NEW: Separate session initialization from account creation
+  public initializeSession = async (
+    seedPhrase: string,
+    password: string
+  ): Promise<void> => {
+    // Validate inputs first
+    if (!BIP84.validateMnemonic(seedPhrase)) {
+      throw new Error('Invalid Seed');
+    }
+
+    let foundVaultKeys = true;
+    let salt = '';
+    const vaultKeys = await this.storage.get('vault-keys');
+    if (!vaultKeys || !vaultKeys.salt) {
+      foundVaultKeys = false;
+      salt = crypto.randomBytes(16).toString('hex');
+    } else {
+      salt = vaultKeys.salt;
+    }
+
+    const sessionPasswordSaltedHash = this.encryptSHA512(password, salt);
+    if (!foundVaultKeys) {
+      // Store vault-keys using the storage abstraction
+      await this.storage.set('vault-keys', {
+        hash: sessionPasswordSaltedHash,
+        salt,
+      });
+    }
+
+    // Check if already initialized with the same password (idempotent behavior)
+    if (this.sessionPassword) {
+      if (sessionPasswordSaltedHash === this.getSessionPasswordString()) {
+        // Same password - check if it's the same mnemonic to ensure full idempotency
+        try {
+          const currentMnemonic = this.withSecureData(
+            (sessionPwd, sessionMnemonic) => {
+              return CryptoJS.AES.decrypt(sessionMnemonic, sessionPwd).toString(
+                CryptoJS.enc.Utf8
+              );
+            }
+          );
+
+          if (currentMnemonic === seedPhrase) {
+            // Same mnemonic and password - already initialized
+            return;
+          }
+        } catch (error) {
+          // If we can't decrypt, fall through to error
+        }
+      }
+
+      // Different password or mnemonic - this is not a simple re-initialization
+      throw new Error(
+        'Wallet already initialized with different parameters. Create a new keyring instance for different parameters.'
+      );
+    }
+
+    // Encrypt and store vault (mnemonic storage) - now uses single vault for all networks
+    await setEncryptedVault(
+      {
+        mnemonic: seedPhrase, // Store plain mnemonic - setEncryptedVault will encrypt the entire vault
+      },
+      password
+    );
+
+    await this.recreateSessionFromVault(password, sessionPasswordSaltedHash);
+  };
+
+  // NEW: Create first account without signer setup
+  public createFirstAccount = async (
+    label?: string
+  ): Promise<IKeyringAccountState> => {
+    if (!this.sessionPassword || !this.sessionMnemonic) {
+      throw new Error(
+        'Session must be initialized first. Call initializeSession.'
+      );
+    }
+
+    const vault = this.getVault();
+    const network = vault.activeNetwork;
+
+    if (network.kind === INetworkType.Syscoin) {
+      // UTXO accounts get network-aware labels since each network has separate keyrings
+      const defaultLabel = label || this.generateNetworkAwareLabel(0, network);
+
+      // Create UTXO account using on-demand signer
+      const freshHDSigner = this.createOnDemandUTXOSigner(0);
+
+      const sysAccount = await this.getFormattedBackendAccount({
+        signer: freshHDSigner,
+      });
+
+      const encryptedXprv = this.getEncryptedXprv(freshHDSigner);
+
+      return {
+        ...this.getInitialAccountData({
+          label: defaultLabel,
+          signer: freshHDSigner,
+          sysAccount,
+          xprv: encryptedXprv,
+        }),
+        balances: { syscoin: 0, ethereum: 0 },
+      } as IKeyringAccountState;
+    } else {
+      // EVM accounts get generic labels since they work across all EVM networks
+      const defaultLabel = label || 'Account 1';
+      return await this.setDerivedWeb3Accounts(0, defaultLabel);
+    }
+  };
+
+  public initializeWalletSecurely = async (
+    seedPhrase: string,
+    password: string
+  ): Promise<IKeyringAccountState> => {
+    // Use new separated approach
+    await this.initializeSession(seedPhrase, password);
+    return await this.createFirstAccount();
+  };
+  // Helper methods for secure buffer operations
+  private getSessionPasswordString(): string {
+    if (!this.sessionPassword || this.sessionPassword.isCleared()) {
+      throw new Error('Session password not available');
+    }
+    // WARNING: This exposes sensitive data as a string
+    // Use only for CryptoJS operations that require string input
+    return this.sessionPassword.toString();
+  }
+
+  private getSessionMnemonicString(): string {
+    if (!this.sessionMnemonic || this.sessionMnemonic.isCleared()) {
+      throw new Error('Session mnemonic not available');
+    }
+    // WARNING: This exposes sensitive data as a string
+    // Use only for CryptoJS operations that require string input
+    return this.sessionMnemonic.toString();
+  }
+
+  // Secure method to perform cryptographic operations without exposing strings
+  private withSecureData<T>(
+    operation: (password: string, mnemonic: string) => T
+  ): T {
+    if (!this.sessionPassword || !this.sessionMnemonic) {
+      throw new Error('Session data not available');
+    }
+
+    // Perform operation with minimal exposure
+    const result = operation(
+      this.getSessionPasswordString(),
+      this.getSessionMnemonicString()
+    );
+
+    // Clear any temporary variables if needed
+    return result;
+  }
+
+  private generateNetworkAwareLabel(
+    accountId: number,
+    network: INetwork
+  ): string {
+    // Generate concise network-specific labels using actual network config
+    const { label, chainId, kind, currency } = network;
+
+    // Create a shortened network identifier based on actual network configurations
+    let networkPrefix = '';
+
+    if (kind === INetworkType.Syscoin) {
+      // UTXO networks (slip44 = 57 for mainnet, 1 for testnet)
+      if (chainId === 57) {
+        networkPrefix = 'SYS'; // Syscoin UTXO Mainnet
+      } else if (chainId === 5700) {
+        networkPrefix = 'SYS-T'; // Syscoin UTXO Testnet (slip44=1)
+      } else {
+        // Other UTXO networks - use currency shortcut (e.g., "btc" -> "BTC")
+        if (currency) {
+          networkPrefix = currency.toUpperCase();
+        } else {
+          // Fallback to first word from label if no currency
+          const firstWord = label.split(' ')[0];
+          networkPrefix =
+            firstWord.length > 6 ? firstWord.substring(0, 6) : firstWord;
+        }
+      }
+    } else {
+      // EVM networks (all use slip44=60)
+      if (chainId === 1) {
+        networkPrefix = 'ETH'; // Ethereum Mainnet
+      } else if (chainId === 11155111) {
+        networkPrefix = 'ETH-T'; // Ethereum Sepolia Testnet
+      } else if (chainId === 137) {
+        networkPrefix = 'POLY'; // Polygon Mainnet
+      } else if (chainId === 80001) {
+        networkPrefix = 'POLY-T'; // Polygon Mumbai Testnet
+      } else if (chainId === 57) {
+        networkPrefix = 'NEVM'; // Syscoin NEVM Mainnet
+      } else if (chainId === 5700) {
+        networkPrefix = 'NEVM-T'; // Syscoin NEVM Testnet
+      } else if (chainId === 570) {
+        networkPrefix = 'ROLLUX'; // Rollux Mainnet
+      } else if (chainId === 57000) {
+        networkPrefix = 'ROLLUX-T'; // Rollux Testnet
+      } else {
+        // Other EVM networks - use currency shortcut if available
+        if (currency) {
+          // Check if it's a testnet network
+          if (
+            label.toLowerCase().includes('testnet') ||
+            label.toLowerCase().includes('test')
+          ) {
+            networkPrefix = `${currency.toUpperCase()}-T`;
+          } else {
+            networkPrefix = currency.toUpperCase();
+          }
+        } else {
+          // Fallback to extracting meaningful prefix from label
+          const firstWord = label.split(' ')[0];
+          if (
+            firstWord.toLowerCase().includes('testnet') ||
+            firstWord.toLowerCase().includes('test')
+          ) {
+            const baseWord = label.split(' ')[0];
+            networkPrefix = `${baseWord.substring(0, 4).toUpperCase()}-T`;
+          } else {
+            networkPrefix =
+              firstWord.length > 6
+                ? firstWord.substring(0, 6).toUpperCase()
+                : firstWord.toUpperCase();
+          }
+        }
+      }
+    }
+
+    return `${networkPrefix} ${accountId + 1}`;
+  }
+
+  /**
+   * Clean up all resources
+   */
+  public async destroy(): Promise<void> {
+    this.lockWallet();
+
+    // Clear any remaining references
+    this.ethereumTransaction = {} as EthereumTransactions;
+    this.syscoinTransaction = {} as SyscoinTransactions;
+  }
+}