From cdcc50da084c6410970c8571ae700ba3bcfae03a Mon Sep 17 00:00:00 2001
From: Chris Duncan
Date: Tue, 14 Apr 2026 12:26:52 -0700
Subject: [PATCH] Ensure private key copy is zeroed out if signing from block fails.
---
 src/lib/block.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/lib/block.ts b/src/lib/block.ts
index 34964c8..e74d04c 100644
--- a/src/lib/block.ts
+++ b/src/lib/block.ts
@@ -413,9 +413,13 @@ export class Block {
 try {
 if (typeof input === 'string' && /^[A-F0-9]{64}$/i.test(input)) {
 const prv = hex.toBytes(input)
- const pub = nano25519_derive(prv)
- const signature = nano25519_sign(hex.toBytes(this.hash), new Uint8Array([...prv, ...pub]))
- this.signature = bytes.toHex(signature)
+ try {
+ const pub = nano25519_derive(prv)
+ const signature = nano25519_sign(hex.toBytes(this.hash), new Uint8Array([...prv, ...pub]))
+ this.signature = bytes.toHex(signature)
+ } finally {
+ prv.fill(0)
+ }
 } else if (input instanceof Wallet && typeof index === 'number' && (frontier === undefined || frontier instanceof (this.constructor as typeof Block))
 ) {
--
2.47.3
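Review bot: The new `finally` wipes `prv`, but the signing line still makes two more copies of the private key that are never cleared: the plain array built by `[...prv, ...pub]` and the `new Uint8Array(...)` handed to `nano25519_sign`. Filling a named buffer with `set()` avoids the intermediate array and lets the same `finally` zero the combined key, as sketched below. This assumes `nano25519_derive` returns a `Uint8Array` and that `nano25519_sign` does not keep a reference to its key argument; neither is visible in this hunk. The hex string in `input` is immutable and cannot be scrubbed at all, so a short comment saying this branch can only clear its own byte copies would help the next reader. The enclosing method starts and ends outside the hunk.

```typescript
const prv = hex.toBytes(input)
let secret: Uint8Array | undefined
try {
  // … unchanged: pub derivation …
  // Build prv||pub in place so no untracked plain-array copy of the key is created.
  secret = new Uint8Array(prv.length + pub.length)
  secret.set(prv)
  secret.set(pub, prv.length)
  const signature = nano25519_sign(hex.toBytes(this.hash), secret)
  // … unchanged: this.signature assignment …
} finally {
  // … unchanged: prv.fill(0) …
  secret?.fill(0)
}
```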