Address code review feedback: security, fragments, error handling, and manifest upgrades

Co-authored-by: 0xrinegade <[email protected]>

Author: Copilot

extension/extension-build-info.txt

@@ -1,12 +1,12 @@
 SVMSeek Wallet Browser Extensions
 =================================
-Build Date: Mon Aug 11 15:44:03 UTC 2025
+Build Date: Mon Aug 11 18:33:56 UTC 2025
 Extensions Built: Chrome, Firefox, Safari, Edge
 
 Extension Details:
 - chrome: 3.3M (Manifest v3)
-- firefox: 3.3M (Manifest v2)
-- safari: 3.3M (Manifest v2)
+- firefox: 3.3M (Manifest v3)
+- safari: 3.3M (Manifest v3)
 - edge: 3.3M (Manifest v3)
 
 Distribution:

extension/firefox/manifest.json

@@ -1,5 +1,5 @@
 {
-  "manifest_version": 2,
+  "manifest_version": 3,
   "short_name": "SVMSeek Wallet",
   "name": "SVMSeek SPL Token Wallet",
   "description": "Secure Solana wallet for SPL tokens and DeFi applications",
@@ -13,13 +13,14 @@
   "permissions": [
     "activeTab",
     "storage",
-    "tabs",
+    "tabs"
+  ],
+  "host_permissions": [
     "https://*.solana.com/*",
     "https://*.svmseek.com/*"
   ],
   "background": {
-    "scripts": ["background.js"],
-    "persistent": false
+    "service_worker": "background.js"
   },
   "content_scripts": [
     {
@@ -28,7 +29,7 @@
       "run_at": "document_start"
     }
   ],
-  "browser_action": {
+  "action": {
     "default_popup": "index.html",
     "default_title": "SVMSeek Wallet",
     "default_icon": {
@@ -39,9 +40,12 @@
     }
   },
   "web_accessible_resources": [
-    "script.js"
+    {
+      "resources": ["script.js"],
+      "matches": ["<all_urls>"]
+    }
   ],
-  "applications": {
+  "browser_specific_settings": {
     "gecko": {
       "id": "{[email protected]}",
       "strict_min_version": "109.0"

extension/safari/manifest.json

@@ -1,5 +1,5 @@
 {
-  "manifest_version": 2,
+  "manifest_version": 3,
   "short_name": "SVMSeek Wallet",
   "name": "SVMSeek SPL Token Wallet",
   "description": "Secure Solana wallet for SPL tokens and DeFi applications",
@@ -13,13 +13,14 @@
   "permissions": [
     "activeTab",
     "storage",
-    "tabs",
+    "tabs"
+  ],
+  "host_permissions": [
     "https://*.solana.com/*",
     "https://*.svmseek.com/*"
   ],
   "background": {
-    "scripts": ["background.js"],
-    "persistent": false
+    "service_worker": "background.js"
   },
   "content_scripts": [
     {
@@ -28,7 +29,7 @@
       "run_at": "document_start"
     }
   ],
-  "browser_action": {
+  "action": {
     "default_popup": "index.html",
     "default_title": "SVMSeek Wallet",
     "default_icon": {
@@ -39,6 +40,9 @@
     }
   },
   "web_accessible_resources": [
-    "script.js"
+    {
+      "resources": ["script.js"],
+      "matches": ["<all_urls>"]
+    }
   ]
 }

extension/src/contentscript.js

@@ -5,7 +5,8 @@ scriptTag.src = chrome.runtime.getURL('script.js');
 container.insertBefore(scriptTag, container.children[0]);
 container.removeChild(scriptTag);
 
-window.addEventListener('ccai_injected_script_message', (event) => {
+// Store event handler reference for cleanup
+const messageHandler = (event) => {
   chrome.runtime.sendMessage(
     {
       channel: 'ccai_contentscript_background_channel',
@@ -21,4 +22,11 @@ window.addEventListener('ccai_injected_script_message', (event) => {
       );
     },
   );
+};
+
+window.addEventListener('ccai_injected_script_message', messageHandler);
+
+// Cleanup event listener when extension is unloaded
+window.addEventListener('beforeunload', () => {
+  window.removeEventListener('ccai_injected_script_message', messageHandler);
 });

src/components/AddAccountDialog.js

@@ -9,6 +9,7 @@ import FormGroup from '@mui/material/FormGroup';
 import Switch from '@mui/material/Switch';
 import { Account } from '@solana/web3.js';
 import DialogForm from '../pages/Wallet/components/DialogForm';
+import { devLog } from '../utils/logger';
 
 export default function AddAccountDialog({ open, onAdd, onClose }) {
   const [name, setName] = useState('');
@@ -91,7 +92,8 @@ function decodeAccount(privateKey) {
   try {
     const a = new Account(JSON.parse(privateKey));
     return a;
-  } catch (_) {
+  } catch (error) {
+    devLog('Failed to decode private key:', error.message);
     return undefined;
   }
 }

src/components/MergeAccountsDialog.js

@@ -30,6 +30,8 @@ import {
 import { sleep } from '../utils/utils';
 import { useTokenInfosMap, getTokenInfo } from '../utils/tokens/names';
 
+const MERGE_CONFIRMATION_TEXT = 'merge';
+
 export default function MergeAccountsDialog({ open, onClose }) {
   const theme = useTheme();
   const [publicKeys] = useWalletPublicKeys();
@@ -154,7 +156,7 @@ export default function MergeAccountsDialog({ open, onClose }) {
     setMergeCheck('');
     onClose();
   };
-  const disabled = mergeCheck.toLowerCase() !== 'merge';
+  const disabled = mergeCheck.toLowerCase() !== MERGE_CONFIRMATION_TEXT;
 
   return (
     <DialogForm
@@ -239,7 +241,7 @@ export default function MergeAccountsDialog({ open, onClose }) {
               margin="normal"
               value={mergeCheck}
               onChange={(e) => setMergeCheck(e.target.value.trim())}
-              placeholder={'Type "merge" to confirm'}
+              placeholder={`Type "${MERGE_CONFIRMATION_TEXT}" to confirm`}
             />
           </RowContainer>
           <RowContainer padding={'1rem 0'} justify={'space-between'}>

src/components/instructions/TokenInstruction.js

@@ -41,7 +41,7 @@ export default function TokenInstruction({ instruction, onOpenAddress }) {
   };
 
   return (
-    <>
+    <React.Fragment>
       <Title
         variant="subtitle1"
         style={{ fontWeight: 'bold', fontSize: '1.6rem' }}
@@ -66,6 +66,6 @@ export default function TokenInstruction({ instruction, onOpenAddress }) {
             />
           );
         })}
-    </>
+    </React.Fragment>
   );
 }

src/components/instructions/UnknownInstruction.js

@@ -4,7 +4,7 @@ import LabelValue from './LabelValue';
 
 export default function UnknownInstruction({ instruction, onOpenAddress }) {
   return (
-    <>
+    <React.Fragment>
       <Title variant="subtitle1" style={{ fontWeight: 'bold' }} gutterBottom>
         Unknown instruction:
       </Title>
@@ -19,7 +19,7 @@ export default function UnknownInstruction({ instruction, onOpenAddress }) {
       {instruction.accountMetas &&
         instruction.accountMetas.map((accountMeta, index) => {
           return (
-            <>
+            <React.Fragment key={index}>
               <LabelValue
                 key={index + ''}
                 label={'Account #' + (index + 1)}
@@ -30,12 +30,12 @@ export default function UnknownInstruction({ instruction, onOpenAddress }) {
               <Title gutterBottom>
                 Writable: {accountMeta.isWritable.toString()}
               </Title>
-            </>
+            </React.Fragment>
           );
         })}
       <Title style={{ wordBreak: 'break-all' }}>
         Data: {instruction.rawData}
       </Title>
-    </>
+    </React.Fragment>
   );
 }

src/utils/swap/eth.js

@@ -6,6 +6,7 @@ import { useCallAsync } from '../notifications';
 import { VioletButton } from '../../pages/commonStyles';
 import { useTheme } from '@mui/material';
 import { isExtension } from '../utils';
+import { devLog } from '../logger';
 
 const web3 = new Web3(window.ethereum);
 // Change to use estimated gas limit
@@ -198,6 +199,7 @@ export async function withdrawEth(from, withdrawal, callAsync) {
   try {
     await method.estimateGas();
   } catch (e) {
+    devLog('Gas estimation failed for withdrawal:', e.message);
     return;
   }
   pendingNonces.add(nonce);

src/utils/walletProvider/localStorage.js

@@ -29,11 +29,8 @@ export function getAccountFromSeed(
     return new Account(accountData.secretKey);
   } catch (error) {
     logError('getAccountFromSeed failed:', error);
-    // Return a fallback account with a deterministic key based on wallet index
-    const fallbackSeed = new Uint8Array(32);
-    fallbackSeed[0] = (walletIndex || 0) % 256;
-    const fallbackKeyPair = nacl.sign.keyPair.fromSeed(fallbackSeed);
-    return new Account(fallbackKeyPair.secretKey);
+    // Fail securely instead of using weak fallback keys
+    throw new Error('Unable to generate secure account keys. Please unlock wallet again.');
   }
 }
 
@@ -61,9 +58,8 @@ export class LocalStorageWalletProvider {
           if (seed) {
             seedBuffer = Buffer.from(seed, 'hex');
           } else {
-            // Fallback seed if none available
-            seedBuffer = Buffer.alloc(32);
-            logWarn('Using fallback seed for address listing');
+            // Fail securely if no seed available instead of using weak fallback
+            throw new Error('No seed available for secure key generation');
           }
 
           return [...Array(walletCount).keys()].map((walletIndex) => {
@@ -79,17 +75,13 @@ export class LocalStorageWalletProvider {
                 `Failed to generate address for wallet ${walletIndex}:`,
                 error,
               );
-              // Return a fallback address structure
-              return {
-                index: walletIndex,
-                address: null,
-                name: `Wallet ${walletIndex} (Error)`,
-              };
+              // Return error structure instead of weak fallback
+              throw new Error(`Unable to generate secure address for wallet ${walletIndex}`);
             }
           });
         } catch (error) {
           logError('Failed to list addresses:', error);
-          return [];
+          throw new Error('Unable to list addresses securely. Please unlock wallet again.');
         }
       };