Trust & ops
Security
Honest threat model for a browser self-custodial pot app. Read this before using real funds.
What we protect
- No server holds your seed (there is no custodial backend)
- Seed encrypted in sessionStorage (AES-GCM + PBKDF2 passcode); plaintext only in memory while unlocked
- Signing requires an explicit confirm UI
- Join signatures are verified before save and re-checked on import when messages exist
- Invite payloads use URL hash fragments (not sent as query to the origin server)
- Security headers including CSP on all routes
- No API routes that accept or store secrets
What we do not protect against
| Risk | Why it matters | Mitigation in app |
|---|---|---|
| XSS / malicious extension | Compromised page can still abuse an unlocked session | Seed encrypted at rest with passcode; CSP headers |
| Shared devices | Someone else uses your unlocked tab | Sign out; show-seed requires passcode; auto-hide seed |
| Host escrow | On-chain stakes go to the host wallet | Clear UI warnings; not a smart-contract escrow |
| Invite link leakage | Links carry pot details | Hash fragment (#d=); import confirm; overwrite warn |
| Dishonest settle | Host chooses the recorded result | UI states host authority; social trust only |
| RPC privacy | Public RPCs see addresses | Disclosed in wallet UI and docs |
Safe operating practices
- Use a dedicated browser profile for funded wallets
- Back up seeds offline; never paste them into chat
- Only pot with hosts and groups you trust
- Prefer small stakes while evaluating the product
- Sign out after shared-computer sessions
- Treat invite links like private group messages
Report a vulnerability
Do not open a public issue for security bugs. Email splashmediahub@gmail.com with steps to reproduce. Full policy: SECURITY.md.