Security model

Built for address confidence, without touching your wallet keys.

ZAFU keeps trusted address memory local-first, preserves narrow source evidence, and runs Transfer Check in the browser. It does not sign transactions, request seed phrases, custody funds, or change wallet approvals.

What does ZAFU access?

ZAFU needs browser permissions to store your local address book, observe crypto-address paste events in wallet and exchange contexts, keep recent address-only source evidence, run scheduled community report refreshes, and optionally sign you in for backup. It never has access to private keys, seed phrases, wallet passwords, or transaction signing.
Wallet: No key access

Private keys, seed phrases, wallet passwords, and signing credentials are never visible to ZAFU.

Control: No signing

ZAFU cannot approve, broadcast, reverse, or initiate transactions.

Memory: Local-first

Trusted contacts, protected wallets, and review context live on your device unless you opt into backup.

Source: Inspectable

The extension source and release fingerprints are public for package verification.

Permissions

storage

Stores trusted contacts, saved wallets, user settings, local risk indexes, and optional sync state.

alarms

Refreshes community report data on a schedule without requiring a page to stay open.

identity

Enables optional Google Sign-In so you can back up and restore trusted contacts.

Why Chrome shows a broad website warning

Chrome may say ZAFU can "read and change all your data on all websites" because the extension's content script is declared to run on every site, since any site may be where you paste a crypto address. Chrome attaches that warning to every extension whose content script matches all URLs, regardless of what the script actually does with the page. That scope is necessary to intercept a poisoned or hijacked address before it reaches the destination field. ZAFU does not request the tabs or activeTab permission, does not read browser history, does not run advertising analytics, and gates its protection logic to crypto-address paste events plus user-initiated Telegram Web address copies used for local source matching.
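The gating described above, as an added example (this is illustrative code, not ZAFU's content script): the handler runs on every page but only reads the pasted text, ignores anything that does not look like a crypto address, and checks address-shaped pastes against a local trusted list. The address patterns, the trusted-list shape, the five-character edge comparison used to catch lookalike "poisoned" addresses, and the sample address book are all assumptions made for the example.

```javascript
// Added example, not ZAFU's code: a paste handler that only acts when the
// pasted text looks like a crypto address, then checks it against a local
// trusted address book for exact matches and lookalikes. Everything else
// pasted on the page is ignored without being read further.

// Coarse address shapes (constructed for the example; not exhaustive).
const ADDRESS_PATTERNS = {
  evm: /^0x[0-9a-f]{40}$/i,
  btcLegacy: /^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/,
  btcBech32: /^bc1[a-z0-9]{11,71}$/,
};

function classifyAddress(text) {
  const s = text.trim();
  for (const [kind, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(s)) return kind;
  }
  return null;
}

// Address poisoning relies on the victim eyeballing the first and last few
// characters. Flag any candidate that shares those edges with a trusted
// address but differs elsewhere. The edge width is an assumption.
function matchTrusted(candidate, trusted, edge = 6) {
  const c = candidate.toLowerCase();
  for (const entry of trusted) {
    const t = entry.address.toLowerCase();
    if (t === c) return { status: 'trusted', match: entry };
    const sameEdges =
      t.length === c.length &&
      t.slice(0, edge) === c.slice(0, edge) &&
      t.slice(-edge) === c.slice(-edge);
    if (sameEdges) return { status: 'lookalike', match: entry };
  }
  return { status: 'unknown', match: null };
}

// Decide what to do with a paste. Returns an action rather than acting, so
// the policy can be tested without a DOM.
function evaluatePaste(text, trusted) {
  const kind = classifyAddress(text);
  if (!kind) return { action: 'ignore', kind: null, match: null };
  const { status, match } = matchTrusted(text.trim(), trusted);
  if (status === 'trusted') return { action: 'allow', kind, match };
  if (status === 'lookalike') return { action: 'block', kind, match };
  return { action: 'warn', kind, match: null };
}

// Hook for a content script: only consulted on paste, and only the pasted
// text is read. Guarded so the module also loads outside a browser.
function installPasteGuard(trusted, doc = globalThis.document) {
  if (!doc || typeof doc.addEventListener !== 'function') return false;
  doc.addEventListener('paste', (ev) => {
    const text = ev.clipboardData ? ev.clipboardData.getData('text/plain') : '';
    const verdict = evaluatePaste(text, trusted);
    if (verdict.action === 'block') {
      ev.preventDefault(); // keep the lookalike out of the destination field
      console.warn(`Blocked lookalike of trusted contact "${verdict.match.label}"`);
    } else if (verdict.action === 'warn') {
      console.warn('Unknown address pasted; review before sending');
    }
  }, true);
  return true;
}

// Constructed sample address book (not real contacts).
const SAMPLE_TRUSTED = [
  { label: 'Exchange deposit', address: '0x' + '111111' + 'a'.repeat(28) + '222222' },
];

installPasteGuard(SAMPLE_TRUSTED);
```

The point of returning a verdict instead of mutating the page is that the policy can be exercised in plain Node: non-address text yields `ignore`, an exact trusted match yields `allow`, a string with the same first and last six characters as a trusted address yields `block`, and an unfamiliar address yields `warn`.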

What stays local

Optional sync boundary

Google Sign-In is optional. When enabled, ZAFU syncs only contacts-oriented data: saved wallets, trusted contacts, labels, notes, descriptions, favorites, and deletion markers. Generated threat indexes and local operational data are excluded.
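One way to enforce a boundary like this in code, as an added example (not ZAFU's implementation): fields are opted in by name, so threat indexes, operational data, and any field added later stay local unless someone deliberately lists them. The field names, the local-only keys, and the sample state are assumptions made for the example.

```javascript
// Added example, not ZAFU's code: project local state into the payload an
// optional backup would receive. Fields are opted in by name (allowlist), so
// generated threat indexes, operational data and any field added later stay
// on the device unless someone deliberately lists them here.

// Assumed contact field names.
const SYNC_CONTACT_FIELDS = ['address', 'label', 'notes', 'description', 'favorite', 'deleted'];

function projectContact(contact) {
  const out = {};
  for (const f of SYNC_CONTACT_FIELDS) {
    if (contact[f] !== undefined) out[f] = contact[f];
  }
  return out;
}

function buildSyncPayload(localState) {
  return {
    savedWallets: (localState.savedWallets || []).map(projectContact),
    trustedContacts: (localState.trustedContacts || []).map(projectContact),
  };
}

// Guard: walk a value and collect any key from the forbidden set, wherever it
// appears, so a refactor that widens the allowlist is caught in tests.
function findForbiddenKeys(value, forbidden, found = new Set()) {
  if (Array.isArray(value)) {
    value.forEach((v) => findForbiddenKeys(v, forbidden, found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (forbidden.has(k)) found.add(k);
      findForbiddenKeys(v, forbidden, found);
    }
  }
  return [...found];
}

// Assumed names for data that must never leave the device.
const LOCAL_ONLY_KEYS = new Set(['threatIndex', 'pasteLog', 'lastSeenOnSite', 'sourceEvidence']);

// Constructed sample state, including local-only data that must not sync.
const SAMPLE_STATE = {
  savedWallets: [
    { address: '0x' + '1'.repeat(40), label: 'Cold wallet', favorite: true, lastSeenOnSite: 'wallet.example' },
  ],
  trustedContacts: [
    { address: '0x' + '2'.repeat(40), label: 'Alice', notes: 'Monthly payment', deleted: true,
      sourceEvidence: { source: 'telegram-web', copiedAt: 1700000000 } },
  ],
  threatIndex: { ['0x' + 'd'.repeat(40)]: 'high' },
  pasteLog: [{ at: 1700000001, kind: 'evm' }],
};

function syncPayloadIsClean(state = SAMPLE_STATE) {
  return findForbiddenKeys(buildSyncPayload(state), LOCAL_ONLY_KEYS).length === 0;
}
```

An allowlist is the right shape here: a denylist would silently start syncing any new local-only field the moment it is introduced, whereas the projection above keeps it on the device until someone adds it to `SYNC_CONTACT_FIELDS`. Deletion markers are kept because the other device needs them to remove a contact.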

External checks

ZAFU can call blockchain and threat-intelligence providers when you ask it to fetch history, check an address, or report a suspected attacker address. These checks are for address risk only. ZAFU does not send wallet credentials because it never has them.

Community warnings use thresholded risk labels rather than blanket "confirmed malicious" language: a community-reported address is labelled high risk, and stronger labels require team review or trusted external confirmation.

Verification

The Chrome extension source is auditable at github.com/jimozo/zafu-extension, and public releases include a fingerprint workflow so users can compare the package contents against the expected file list.
