Runtime Security with LavaMoat
Overview
SSP Wallet implements Vite Plugin LavaMoat - a custom-built security framework that provides runtime compartmentalization and protection against supply chain attacks. This advanced security system ensures your wallet remains protected even if dependencies are compromised.
What is LavaMoat?
LavaMoat is a security framework that creates isolated execution environments (compartments) for JavaScript modules. Each module runs with only the minimum permissions it needs, following the principle of least privilege.
Core Principles
Module Compartmentalization: Each dependency runs in its own isolated sandbox
Policy-Based Access Control: Explicit permissions define what each module can access
Defense in Depth: Multiple layers of protection work together
Zero Trust Architecture: No module is trusted by default
Security Features
1. SES Lockdown Runtime
The Secure ECMAScript (SES) lockdown provides fundamental protections:
Blocks dangerous APIs: Prevents use of
eval()andFunctionconstructorPrototype pollution prevention: Locks down object prototypes to prevent tampering
Immutable intrinsics: Protects built-in JavaScript objects from modification
2. Module Compartmentalization
Each of the 70+ packages in SSP Wallet runs in isolated sandboxes:
3. Supply Chain Attack Protection
LavaMoat protects against compromised dependencies:
Without LavaMoat:
With LavaMoat:
4. Granular Permission Controls
Each package receives only the permissions it needs:
Security Verification
Accessing the Security Test Page
SSP Wallet includes a built-in security test interface that anyone can access to verify runtime protections are working:
How to Access:
Open SSP Wallet
Scroll to the footer at the bottom of the page
Click the version number rapidly 5 times within 1 second
The security test page will automatically open
This hidden developer feature allows you to run a comprehensive security audit directly in your browser and verify that all LavaMoat protections are active and functioning correctly.
Available Tests
The security test page runs comprehensive checks:
Function Constructor Test: Verifies
new Function()is blockedEval Test: Confirms
eval()cannot execute arbitrary codePrototype Pollution Test: Validates object prototype protection
Global Property Test: Checks global object immutability
WebAssembly Test: Verifies WASM protections
Import Function Test: Tests dynamic import restrictions
Example Test Results
LavaMoat Policy Management
Static Security Policies
SSP Wallet uses static policies defined in security/vite-lavamoat-policy.json. This approach:
β Predictable: Behavior is consistent across environments
β Auditable: Security team can review exact permissions
β Secure: No runtime policy generation that could be manipulated
β Performant: No overhead from policy generation
Policy Structure
Updating Policies
When adding new dependencies to SSP Wallet:
Production vs Development
Development Mode
For the best developer experience, LavaMoat protections are disabled in development:
No performance overhead during hot module reload
Full access to browser DevTools
Easier debugging and development
Standard error messages and stack traces
Production Mode
In production builds, full security protections are active:
All compartmentalization enforced
Static policies applied to every module
SES lockdown active
Comprehensive runtime protection
Technical Implementation
Vite Plugin Architecture
Runtime Initialization
The LavaMoat runtime initializes before any application code:
Load Policy: Parse security policies from JSON
Apply Lockdown: Enable SES protections
Create Compartments: Set up isolated execution environments
Load Application: Start wallet with full protection
Browser Extension Integration
LavaMoat integrates seamlessly with Chrome extension APIs:
Protected Packages
SSP Wallet protects 70+ packages including:
Cryptography Libraries
@noble/hashes- Cryptographic hash functions@noble/curves- Elliptic curve cryptography@scure/base- Base encoding/decoding@scure/bip32- HD wallet key derivation@scure/bip39- Mnemonic seed phrase generation
Web3 Libraries
viem- Ethereum interactionsethers- Alternative Ethereum library@bitcoinerlab/secp256k1- Bitcoin cryptography
UI Libraries
react- User interface frameworkreact-dom- DOM renderingantd- UI component libraryreact-qr-code- QR code generation
Utility Libraries
axios- HTTP clientbignumber.js- Precision mathbuffer- Node.js Buffer APIAnd many more...
Attack Scenarios Prevented
Scenario 1: Compromised Dependency
Attack: Malicious update to a UI library attempts to steal private keys
LavaMoat Protection:
β UI libraries have no
localStorageaccessβ UI libraries have no
fetchaccessβ Attack automatically blocked
Scenario 2: Prototype Pollution
Attack: Dependency pollutes Object prototype to inject malicious behavior
LavaMoat Protection:
β Prototype modification blocked by SES lockdown
β Object prototypes remain immutable
Scenario 3: Code Injection
Attack: Attacker uses eval to execute arbitrary code
LavaMoat Protection:
β
eval()completely disabledβ
Functionconstructor blockedβ No dynamic code execution possible
Scenario 4: Data Exfiltration
Attack: Analytics library compromised to steal wallet data
LavaMoat Protection:
β Analytics package has no access to wallet storage APIs
β Even with compromised code, cannot access sensitive data
β Compartmentalization prevents data access
Security Benefits
For Users
Peace of Mind: Multiple layers of protection for your assets
Supply Chain Security: Protected even if dependencies are compromised
Transparent Security: Open source implementation you can verify
Continuous Protection: Always active in production builds
For Developers
Secure by Default: No configuration needed for basic protection
Granular Control: Fine-tune permissions when needed
Development Friendly: Disabled in dev for best experience
Auditable: Static policies easy to review
For Security Auditors
Clear Policy Files: All permissions explicitly defined
Deterministic Behavior: Same security across all environments
Compartment Isolation: Easy to verify module boundaries
Open Source: Full code available for review
Best Practices
1. Regular Policy Updates
When updating dependencies:
2. Security Audits
Periodically verify security:
Run the security test page
Review policy changes in pull requests
Audit new dependencies before adding
Monitor for unexpected permission requests
3. Dependency Hygiene
Minimize total number of dependencies
Prefer well-audited, established libraries
Review dependency chains (sub-dependencies)
Keep dependencies up-to-date with security patches
Additional Resources
SSP Wallet Implementation
Vite Plugin LavaMoat Source Code - Complete plugin implementation
LavaMoat Policy File - Security policies for 70+ packages
Security Test Page - Runtime security verification
Documentation
External Resources
Security Testing
Test Page Access: Click version number 5 times rapidly in the wallet footer
Browser Console Check:
window.__lavamoat_security_activeRun Tests Manually:
window.__lavamoat_run_security_tests()
Reporting Security Issues
If you discover a security vulnerability:
Do NOT create a public GitHub issue
Use GitHub Security: Report vulnerability
Responsible Disclosure: Allow time for fixes before public disclosure
Contact Information: Available in repository security policy
Conclusion
LavaMoat runtime security is a critical component of SSP Wallet's defense-in-depth strategy. By compartmentalizing modules, enforcing least-privilege access, and blocking dangerous APIs, LavaMoat provides robust protection against supply chain attacks and code injection vulnerabilities.
Combined with SSP's other security features (2-of-2 multisig, device isolation, encryption), LavaMoat ensures your cryptocurrency assets remain secure even in the face of sophisticated attacks.
Security Status: π‘οΈ PROTECTED Protected Packages: 70+ Last Updated: October 2025 Audit Status: β Halborn Audited
Last updated