Non-custodial means the user holds the keys. In a browser extension that promise is only as strong as where the signing happens. If a private key ever touches a network request, it's game over.

The Manifest V3 constraint

MV3 killed long-lived background pages. Everything now runs in an ephemeral service worker that Chrome can tear down at any moment. That's actually good for security — but it means secrets can't just sit in memory.

  • Keys are derived on demand from an encrypted vault
  • The vault is unlocked by a Protection Encryption Key, never persisted in plaintext
  • The worker auto-locks after inactivity

Signing flow

When a dApp requests a signature, the request is routed to the worker, the vault is unlocked, the transaction is signed with a WASM crypto core, and the key material is zeroed immediately after.

const signed = await wallet.signTransaction(tx);
zeroize(privateKey); // wipe the buffer
return signed.rawTransaction;

> The key exists for microseconds, in one worker, and never crosses a network boundary.

The result: an Ethereum and Tron wallet where signing is provably local. Users can verify it — the network tab never shows a key.