| Version | Supported |
|---|---|
| 0.1.x | Yes |

If you discover a security vulnerability in `@ocash/sdk`, please report it responsibly:
- Do NOT open a public GitHub issue
- Email security concerns to: tc@polyhedra.network
- Include a description of the vulnerability, steps to reproduce, and potential impact
- You will receive an acknowledgment within 48 hours

This SDK handles cryptographic operations including:
- BabyJubjub key derivation
- Poseidon2 hashing for commitments and nullifiers
- zk-SNARK proof generation (via Go WASM)
- ECDH key exchange and NaCl memo encryption

- JS BigInt immutability: Secret keys stored as BigInt cannot be securely zeroed in memory. The SDK nullifies references on `wallet.close()`, but actual clearing depends on garbage collection.
- Worker key transport: The proof worker receives secret key material via `postMessage` (structured clone). This is a JS platform limitation with no practical alternative in browser environments.
- WASM execution: The Go WASM bridge uses `new Function()` to execute the downloaded `wasm_exec.js` runtime. Ensure asset URLs are trusted.

- Always serve WASM/circuit assets over HTTPS from trusted origins
- Set appropriate CSP headers when using the browser entry point
- Use `wallet.close()` when done to release key material references
- Consider `maxOperations` on persistent stores to limit stored data
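
One way to apply the asset-origin and CSP recommendations in an integrating application, as an added example that is not part of `@ocash/sdk`. The names `TRUSTED_ASSET_ORIGINS`, `assertTrustedAssetUrl` and `buildCsp` are hypothetical, the origin is a constructed sample, and the `connect-src` entry assumes the assets are downloaded with `fetch()`.

```javascript
// Added example: these helpers are hypothetical and are not SDK APIs.
// Constructed sample allowlist; replace with the origins hosting your WASM/circuit assets.
const TRUSTED_ASSET_ORIGINS = ['https://assets.example.com'];

// Validate an asset URL before handing it to code that will download and execute it.
// Because wasm_exec.js is run via new Function(), the URL is effectively a code source.
function assertTrustedAssetUrl(rawUrl, allowed = TRUSTED_ASSET_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch {
    throw new Error(`asset URL must be absolute: ${rawUrl}`);
  }
  if (url.protocol !== 'https:') {
    throw new Error(`asset URL must use HTTPS: ${rawUrl}`);
  }
  if (url.username || url.password) {
    throw new Error('asset URL must not embed credentials');
  }
  // Compare the full origin (scheme + host + port), never a substring or prefix,
  // so look-alike hosts such as assets.example.com.evil.test are rejected.
  if (!allowed.includes(url.origin)) {
    throw new Error(`untrusted asset origin: ${url.origin}`);
  }
  return url.href;
}

// Build a Content-Security-Policy value for the context that runs the bridge.
function buildCsp(allowed = TRUSTED_ASSET_ORIGINS) {
  return [
    "default-src 'self'",
    // new Function() is blocked unless 'unsafe-eval' is allowed; 'wasm-unsafe-eval'
    // alone only permits WebAssembly compilation. 'unsafe-eval' covers both.
    "script-src 'self' 'unsafe-eval'",
    // Assumption: assets are fetched, so their origins must be reachable.
    `connect-src 'self' ${allowed.join(' ')}`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}
```

Since `'unsafe-eval'` widens what injected script can do, keeping `script-src` otherwise limited to `'self'` and validating every asset URL matters more, not less.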