Security
Local-first. No backend. Your keys never leave your device.
Architecture
Untaxed Wallet is a Chrome extension (Manifest V3) that runs entirely in your browser. There are no backend servers, no databases, and no accounts. Everything happens locally:
- Private keys are encrypted and stored in chrome.storage.local
- Trades are signed in the extension's service worker
- The only external communication is with Solana RPC, Jupiter API, Helius API, and DexScreener API
Key Encryption
All private keys are encrypted at rest using industry-standard cryptography:
- Password derivation: Your password is run through PBKDF2 with 100,000 iterations and a random salt to derive an encryption key.
- Encryption: The private key is encrypted with AES-256-GCM using the derived key and a random IV (initialization vector).
- Storage: The encrypted blob, salt, and IV are stored together in Chrome's local storage. The password is never stored.
- Decryption: When you unlock, your password is used to re-derive the key and decrypt. If the password is wrong, decryption fails.
Memory Management
When your wallet is unlocked, decrypted private keys are held in the service worker's memory (not in Chrome storage). This memory is:
- Process-isolated — Other extensions and web pages cannot access it
- Cleared on lock — Auto-lock or manual lock wipes all decrypted keys
- Cleared on service worker restart — If Chrome suspends the service worker, keys are gone
Auto-Lock
Configurable inactivity timeout (default: 15 minutes). When triggered:
- All decrypted private keys are deleted from memory.
- The sidebar switches to the lock screen.
- No trades can be executed until you re-enter your password.
Content Security Policy
Extension pages enforce a strict CSP:
- script-src 'self' — Only scripts bundled with the extension can execute. No inline scripts, no external scripts.
- object-src 'self' — No external plugins or objects.
This prevents XSS attacks, malicious script injection, and code tampering.
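A check for the policy described above, added here and not part of the extension: it parses the extension_pages value of a Manifest V3 manifest (the key Chrome uses for the CSP of extension pages) and reports any directive that allows more than 'self'. The manifest object is constructed for illustration; only the two directive values come from the page.

```javascript
// Added example, not the extension's code: a small lint for the extension_pages CSP
// in a Manifest V3 manifest. The sample manifest is constructed; only the values
// script-src 'self' and object-src 'self' are taken from the page.

const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'example-wallet', // constructed placeholder, not the real extension name
  version: '0.0.1',
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
  },
};

// Parse "directive value value; directive value" into a Map of directive -> [values].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Return a list of problems. An empty list means the policy matches the claims above:
// script-src and object-src are present and contain nothing but 'self'.
function lintExtensionPagesCsp(manifest) {
  const problems = [];
  const policy =
    manifest.content_security_policy && manifest.content_security_policy.extension_pages;
  if (!policy) {
    return ['no content_security_policy.extension_pages declared'];
  }
  const csp = parseCsp(policy);
  for (const directive of ['script-src', 'object-src']) {
    const values = csp.get(directive);
    if (!values) {
      problems.push(`${directive} missing`);
      continue;
    }
    // Any source other than 'self' widens the policy: remote hosts, 'unsafe-inline',
    // 'unsafe-eval', 'wasm-unsafe-eval', hashes or nonces.
    const extra = values.filter((v) => v !== "'self'");
    if (extra.length > 0) {
      problems.push(`${directive} allows more than 'self': ${extra.join(' ')}`);
    }
  }
  return problems;
}
```

Running the lint on a manifest whose script-src also lists 'unsafe-eval' or a remote host produces a finding for that directive, which is the kind of drift a release review of the manifest should catch.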
Transaction Signing
All transactions are signed locally in the service worker:
- The extension builds the transaction (swap, send, limit order, etc.).
- The transaction is signed with your decrypted private key in memory.
- The signed transaction is sent to the blockchain via your RPC endpoint.
- At no point does the unsigned transaction or private key leave the extension's process.
Network Communication
The extension communicates only with these external services:
- Solana RPC (Helius or custom) — Balance queries, transaction submission, account info
- Jupiter API — Swap quotes, token search, limit order management
- Helius API — Transaction history, token metadata, holder verification
- Jito Block Engine — Bundle submission (when using Jito engine)
- DexScreener API — Token prices, market data, 24h changes
- Google Analytics — Optional, anonymized feature usage (opt-out available)
No private keys, seed phrases, or wallet balances are ever sent to any of these services.
Balance Hiding
Toggle the eye icon in the wallet card to hide all balance displays. Useful when:
- Screen sharing or streaming
- Trading in public
- Someone is looking over your shoulder
Best Practices
- Use a strong, unique password — at least 8 characters with mixed case and numbers
- Back up your private keys immediately after creating or importing a wallet
- Set auto-lock to 5 or 15 minutes
- Don't share your password or private keys with anyone
- Use the balance hiding feature when screen sharing
- Keep Chrome and the extension updated for the latest security patches
- Consider using separate wallets for trading (small amounts) and storage (large amounts)