From 125b3909c0313e6ee71829dffc878b661147e965 Mon Sep 17 00:00:00 2001
From: Chris Duncan <chris@zoso.dev>
Date: Thu, 3 Jul 2025 14:11:20 -0700
Subject: [PATCH] Remove redundant success variable. Always zero out password
 bytes regardless of lock or unlock result.

---
 src/lib/account.ts        |  4 ++++
 src/lib/wallets/wallet.ts | 31 ++++++++++++++++---------------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/src/lib/account.ts b/src/lib/account.ts
index 01bd615..f74c950 100644
--- a/src/lib/account.ts
+++ b/src/lib/account.ts
@@ -151,6 +151,8 @@ export class Account {
 		} catch (err) {
 			console.error(`Failed to lock account ${this.address}`, err)
 			return false
+		} finally {
+			password.fill(0)
 		}
 		this.#prv = null
 		return true
@@ -172,6 +174,8 @@ export class Account {
 		} catch (err) {
 			console.error(`Failed to unlock account ${this.address}`, err)
 			return false
+		} finally {
+			password.fill(0)
 		}
 		return true
 	}
diff --git a/src/lib/wallets/wallet.ts b/src/lib/wallets/wallet.ts
index 474a8ba..c69bd9f 100644
--- a/src/lib/wallets/wallet.ts
+++ b/src/lib/wallets/wallet.ts
@@ -232,7 +232,6 @@ export abstract class Wallet {
 		if (password == null || password.constructor.name !== 'Uint8Array') {
 			throw new Error('Failed to unlock wallet')
 		}
-		let success = true
 		try {
 			const data: { id: string, mnemonic: string | null, seed: string | null } = {
 				id: this.id,
@@ -245,23 +244,25 @@ export abstract class Wallet {
 			if (typeof this.#seed === 'string') {
 				data.seed = this.#seed
 			}
-			success &&= await this.#poolSafe.assign({
+			const res = await this.#poolSafe.assign({
 				method: 'put',
 				name: this.id,
 				password,
 				data
 			})
+			const success = res[0].result
+			if (!success) {
+				throw null
+			}
 			const promises = []
 			for (const account of this.#accounts) {
 				promises.push(account.lock(password))
 			}
 			await Promise.all(promises)
-			password.fill(0)
-			if (!success) {
-				throw null
-			}
 		} catch (err) {
 			throw new Error('Failed to lock wallet')
+		} finally {
+			password.fill(0)
 		}
 		this.#locked = true
 		this.#mnemonic = null
@@ -283,31 +284,31 @@ export abstract class Wallet {
 			throw new Error('Failed to unlock wallet')
 		}
 		try {
-			const data = await this.#poolSafe.assign({
+			const res = await this.#poolSafe.assign({
 				method: 'get',
 				name: this.id,
 				password
 			})
-			console.log(data[0].result)
-			const { id, mnemonic, seed } = data[0].result
+			const { id, mnemonic, seed } = res[0].result
 			if (id !== this.id) {
 				throw null
 			}
-			const promises = []
-			for (const account of this.#accounts) {
-				promises.push(account.unlock(password))
-			}
-			await Promise.all(promises)
-			password.fill(0)
 			if (mnemonic != null) {
 				this.#mnemonic = await Bip39Mnemonic.fromPhrase(mnemonic)
 			}
 			if (seed != null) {
 				this.#seed = seed
 			}
+			const promises = []
+			for (const account of this.#accounts) {
+				promises.push(account.unlock(password))
+			}
+			await Promise.all(promises)
 			this.#locked = false
 		} catch (err) {
 			throw new Error('Failed to unlock wallet')
+		} finally {
+			password.fill(0)
 		}
 		return true
 	}
-- 
2.47.3