Security

How EightSaf protects your wallet

Our Security Model

EightSaf is non-custodial by design. The only way to access your funds is with your recovery phrase and spending password — both of which only you know, and neither of which ever leaves your device.

Key Protections

Encrypted local storage

Your recovery phrase is encrypted with AES-256-GCM before being saved to your browser's local storage. The encryption key is derived from your spending password using a key derivation function. Even if an attacker had direct access to your browser storage, they would see only ciphertext.

Spending password authorization

Every transaction requires your spending password. The password is never stored — it is used in memory only to decrypt your wallet for the duration of a signing operation, then immediately discarded.

Brute-force lockout

After 5 consecutive incorrect password attempts, the wallet locks for 5 minutes. This prevents automated brute-force attacks.

Auto session lock

Your wallet automatically locks after a period of inactivity. The unlocked session is held only in Chrome's session storage, which is wiped when the browser closes.

No remote code

The extension contains zero remote code. All JavaScript is bundled and auditable in the package. The Content Security Policy enforces script-src 'self', preventing any injected or external scripts from running.

No telemetry

We collect no analytics, crash reports, or usage data. No information about your wallet or activity is ever sent to our servers.

Responsible Disclosure

Found a vulnerability? Please report it privately before disclosing publicly.

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues. We ask for a 30-day coordinated disclosure window.

Please do not open a public GitHub issue for security vulnerabilities.

Best Practices for Users

Write your 24-word recovery phrase on paper and store it offline

Never share your recovery phrase with anyone, including EightSaf staff

Use a strong, unique spending password

Only connect to dApps you trust

Keep the extension updated — updates often contain security patches

Lock your wallet when not in use

Never enter your recovery phrase on any website, including eightsaf.io

EightSaf will never DM you on Telegram, Discord, or Twitter asking for your phrase

© 2026 EightSaf. Built for the Safrochain community.