Skip to content

feat(wallet): Non-EVM support#8471

Draft
FrederikBolding wants to merge 11 commits intofeat/wallet-libraryfrom
fb/multichain-accounts-wallet-lib
Draft

feat(wallet): Non-EVM support#8471
FrederikBolding wants to merge 11 commits intofeat/wallet-libraryfrom
fb/multichain-accounts-wallet-lib

Conversation

@FrederikBolding
Copy link
Copy Markdown
Member

@FrederikBolding FrederikBolding commented Apr 15, 2026

Explanation

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

FrederikBolding and others added 9 commits April 8, 2026 16:01
@FrederikBolding
Initialize wallet package
cde2bc7
@FrederikBolding
Default licensing
73ba897
@FrederikBolding
Add basic support KeyringController and AccountsController
2611140
@FrederikBolding
Filter out overridden configuration
5166160
@FrederikBolding
Add controllers required for signing and submitting transactions
33f8934
@FrederikBolding
Run tests on Sepolia
38d0877
@rekmarks @claude @FrederikBolding
fix(wallet): Fix builds and most lint issues (#8420)
0c6a18a 
Builds and tests pass. All lint issues are fixed except a handful that
are deferred pending future changes.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Moderate risk due to new controller dependencies and changes to
initialization wiring/typing that could affect runtime messaging and
controller lifecycle. Test behavior now depends on external
`INFURA_PROJECT_KEY` and mocked timers, which may introduce
CI/environment sensitivity.
> 
> **Overview**
> **Stabilizes wallet builds/tests by wiring in missing controllers and
config.** The wallet package now depends on additional controllers
(accounts/approval/connectivity/network/remote feature
flags/transaction) and updates TS project references accordingly.
> 
> **Improves runtime/test ergonomics.** Jest loads a local `.env` (with
`.env.example` added and `.env` gitignored), `Wallet` exposes stronger
typed `messenger`/`state` and adds `destroy()` to clean up controller
instances; tests are updated to require `INFURA_PROJECT_KEY`, use fake
timers, and properly teardown the wallet.
> 
> **Tightens initialization typing and controller wiring.** Adds
`initialization/defaults.ts` for inferred
`DefaultInstances`/`DefaultActions`/`DefaultEvents`, introduces
`bindMessengerAction` to preserve action typings, and updates controller
initializers (notably `TransactionController` and
`RemoteFeatureFlagController`) to pass required options and bind
messenger actions safely.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
a652933. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Frederik Bolding <frederik.bolding@gmail.com>
@FrederikBolding
feat(wallet): Add MultichainAccountService
2057e73
@FrederikBolding
Partial SnapController implementation
3458af7
@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 15, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​metamask/​snaps-controllers@​20.0.198100769950
Added@​types/​readable-stream@​4.0.231001007583100
Added@​metamask/​snaps-execution-environments@​11.0.299100779780
Added@​metamask/​bitcoin-wallet-snap@​1.10.11001008396100
Addedreadable-stream@​4.7.09910010083100
Added@​metamask/​solana-wallet-snap@​2.8.0891008897100
Added@​metamask/​tron-wallet-snap@​1.25.21001009699100

View full report

@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 15, 2026
edited
Loading

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm @metamask/solana-wallet-snap is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: packages/wallet/package.jsonnpm/@metamask/solana-wallet-snap@2.8.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/solana-wallet-snap@2.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask/solana-wallet-snap in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: packages/wallet/package.jsonnpm/@metamask/solana-wallet-snap@2.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/solana-wallet-snap@2.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm readable-stream is 100.0% likely to have a medium risk anomaly

Notes: No malicious behavior detected. This is a standard, legitimate stream utility implementing pipe semantics with a backward-compatibility shim. The only notable concern is the internal _events manipulation in the prependListener polyfill, which should be revisited for future-proofing, but it does not constitute an immediate security risk.

Confidence: 1.00

Severity: 0.60

From: packages/wallet/package.jsonnpm/readable-stream@4.7.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/readable-stream@4.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

rekmarks
rekmarks reviewed Apr 15, 2026
View reviewed changes
Comment thread packages/wallet/src/initialization/instances/keyring-controller.ts
}),
});

// TODO: We only need to delegate here for the SnapKeyring, decide if we wanna do that
Copy link
Copy Markdown
Member

@rekmarks rekmarks Apr 15, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this comment.

@rekmarks rekmarks force-pushed the feat/wallet-library branch 2 times, most recently from 623f9af to 3fb60ee Compare April 16, 2026 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rekmarks rekmarks rekmarks left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@FrederikBolding @rekmarks