Security

How EightSaf protects your wallet and how to report vulnerabilities responsibly.

EightSaf is non-custodial by design. The only way to access your funds is with your recovery phrase and spending password — both of which only you know and neither of which ever leaves your device.

Key protections

Encrypted local storage

Your recovery phrase is encrypted with AES-256-GCM before being saved to your browser's local storage. The encryption key is derived from your spending password. Even with direct access to browser storage, an attacker would see only ciphertext.

Spending password authorization

Every transaction requires your spending password. The password is never stored. It is used in memory only to decrypt your wallet for signing, then immediately discarded.

Brute-force lockout

After 5 consecutive incorrect password attempts, the wallet locks for 5 minutes. This prevents automated brute-force attacks.

Auto session lock

Your wallet automatically locks after a period of inactivity. The unlocked session is held only in Chrome's session storage, which is wiped when the browser closes.

No remote code

The extension contains zero remote code. All JavaScript is bundled in the package. The Content Security Policy enforces script-src 'self', preventing injected or external scripts from running.

No telemetry

We collect no analytics, crash reports, or usage data. No information about your wallet or activity is sent to our servers.

Responsible disclosure

Found a vulnerability? Please report it privately before disclosing publicly.

Email security@eightsaf.io

  • We acknowledge reports within 48 hours
  • Critical issues are targeted for a fix within 7 days
  • We ask for a 30-day coordinated disclosure window
  • Do not report security vulnerabilities through public channels or social media

Best practices for users

Do

  • Write your 24-word recovery phrase on paper and store it offline
  • Never share your recovery phrase with anyone, including EightSaf staff
  • Use a strong, unique spending password
  • Only connect to dApps you trust
  • Keep the extension updated — updates often contain security patches
  • Lock your wallet when not in use

Do not

  • Never enter your recovery phrase on any website, including eightsaf.io
  • Do not trust direct messages on X asking for your phrase; EightSaf will never send one