Merged
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
ccharly
reviewed
Feb 2, 2026
montelaidev
reviewed
Feb 2, 2026
Saingsophea
approved these changes
Feb 2, 2026
montelaidev
approved these changes
Feb 2, 2026
gantunesr
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
HdKeyringclass accepts mnemonics during deserialization without validating that they are valid BIP39 mnemonics. This means invalid mnemonics (words not in the BIP39 wordlist or invalid checksums) could be passed in and would fail later in the key derivation process with unclear error messages.This PR adds a
isValidMnemonicprivate method that validates mnemonics usingvalidateMnemonicfrom@metamask/scure-bip39before processing them.Note
Medium Risk
Adds strict BIP39 validation during
deserialize/mnemonic initialization, which can cause previously-accepted (but invalid) secret recovery phrases to fail earlier and may impact restoration flows.Overview
HdKeyringnow validates provided mnemonics against the BIP39 english wordlist and checksum (viavalidateMnemonic) before deriving the seed, throwingEth-Hd-Keyring: Invalid secret recovery phrase providedon failure.Tests were expanded to cover invalid word counts, invalid words, invalid checksums, and mnemonic inputs in
Buffer/Uint8Array/serialized forms; the changelog notes the new enforcement.Written by Cursor Bugbot for commit 5075bae. This will update automatically on new commits. Configure here.