From 79dd1a014835d1c3db35cf5c634868dbfe9fef13 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 02:03:07 +0000
Subject: [PATCH 1/2] Initial plan
From cb7079f219f232f76393718af3384cda07a7e03d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 02:06:27 +0000
Subject: [PATCH 2/2] fix: add cleanup for pubKey in deriveChild to prevent memory leak
Co-authored-by: Corey-Code <37006206+Corey-Code@users.noreply.github.com>
---
 src/lib/crypto/bitcoin.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/lib/crypto/bitcoin.ts b/src/lib/crypto/bitcoin.ts
index c39a7d6..2e48be0 100644
--- a/src/lib/crypto/bitcoin.ts
+++ b/src/lib/crypto/bitcoin.ts
@@ -268,6 +268,7 @@ function deriveChild(
 ): { key: Uint8Array; chainCode: Uint8Array } {
 const data = new Uint8Array(37);
 const intermediates: Uint8Array[] = [];
+ let pubKey: Uint8Array | null = null;
 try {
 if (hardened) {
@@ -279,7 +280,7 @@ function deriveChild(
 data.set(indexBytes, 33);
 } else {
 // Normal derivation: public key || index
- const pubKey = secp256k1.getPublicKey(parentKey, true);
+ pubKey = secp256k1.getPublicKey(parentKey, true);
 data.set(pubKey, 0);
 const indexBytes = new Uint8Array(4);
 new DataView(indexBytes.buffer).setUint32(0, index, false);
@@ -307,6 +308,9 @@ function deriveChild(
 } finally {
 // Zero out intermediate data
 secureZero(data);
+ if (pubKey !== null) {
+ secureZero(pubKey);
+ }
 for (const arr of intermediates) {
 secureZero(arr);
 }
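Review bot: The hoisted `let pubKey: Uint8Array | null = null;` in the first hunk, together with the null-checked wipe in the third, duplicates what the existing `intermediates` array already does, since `finally` zeroes every entry of it. Keeping `const pubKey = secp256k1.getPublicKey(parentKey, true);` in the else branch of the second hunk and adding `intermediates.push(pubKey);` right after it gives the same cleanup in one line, with no nullable variable in function scope and no extra branch in `finally`. How `intermediates` is filled lies between the visible hunks, so confirm it is only used for buffers that are meant to be wiped. deriveChild starts and ends outside these hunks.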
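Review bot: The `// Zero out intermediate data` comment in the `finally` block of the third hunk does not say which buffers carry secret material or that the wipe is best-effort. The buffer that matters is `data`, which in the hardened branch presumably holds a copy of the parent private key (37 bytes with the index at offset 33); the compressed public key cleared by this change is not secret by itself, so the commit subject's "memory leak" wording really describes buffer hygiene. I would replace the comment with something like `// Best-effort wipe: data may hold a copy of parentKey; copies made inside library calls cannot be cleared from here`. secureZero's body is not part of this patch, so whether the zeroing survives engine optimisation cannot be checked from these lines.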