Non-custodial means the user holds the keys. In a browser extension that promise is only as strong as where the signing happens. If a private key ever touches a network request, it's game over.
The Manifest V3 constraint
MV3 killed long-lived background pages. Everything now runs in an ephemeral service worker that Chrome can tear down at any moment. That's actually good for security — but it means secrets can't just sit in memory.
- Keys are derived on demand from an encrypted vault
- The vault is unlocked by a Protection Encryption Key, never persisted in plaintext
- The worker auto-locks after inactivity
Signing flow
When a dApp requests a signature, the request is routed to the worker, the vault is unlocked, the transaction is signed with a WASM crypto core, and the key material is zeroed immediately after.
const signed = await wallet.signTransaction(tx);
zeroize(privateKey); // wipe the buffer
return signed.rawTransaction;
> The key exists for microseconds, in one worker, and never crosses a network boundary.
The result: an Ethereum and Tron wallet where signing is provably local. Users can verify it — the network tab never shows a key.