Trust & ops

Security

Honest threat model for a browser self-custodial pot app. Read this before using real funds.

What we protect

  • No server holds your seed (there is no custodial backend)
  • Seed encrypted in sessionStorage (AES-GCM + PBKDF2 passcode); plaintext only in memory while unlocked
  • Signing requires an explicit confirm UI
  • Join signatures are verified before save and re-checked on import when messages exist
  • Invite payloads use URL hash fragments (not sent as query to the origin server)
  • Security headers including CSP on all routes
  • No API routes that accept or store secrets

What we do not protect against

RiskWhy it mattersMitigation in app
XSS / malicious extensionCompromised page can still abuse an unlocked sessionSeed encrypted at rest with passcode; CSP headers
Shared devicesSomeone else uses your unlocked tabSign out; show-seed requires passcode; auto-hide seed
Host escrowOn-chain stakes go to the host walletClear UI warnings; not a smart-contract escrow
Invite link leakageLinks carry pot detailsHash fragment (#d=); import confirm; overwrite warn
Dishonest settleHost chooses the recorded resultUI states host authority; social trust only
RPC privacyPublic RPCs see addressesDisclosed in wallet UI and docs

Safe operating practices

  • Use a dedicated browser profile for funded wallets
  • Back up seeds offline; never paste them into chat
  • Only pot with hosts and groups you trust
  • Prefer small stakes while evaluating the product
  • Sign out after shared-computer sessions
  • Treat invite links like private group messages

Report a vulnerability

Do not open a public issue for security bugs. Email splashmediahub@gmail.com with steps to reproduce. Full policy: SECURITY.md.