Built for the paste moment, without touching your wallet keys.
ZAFU protects crypto-address pastes in the browser. It does not sign transactions, request seed phrases, custody funds, or change wallet approvals.
Permissions
| Permission | Why ZAFU uses it |
|---|---|
| storage | Stores trusted contacts, saved wallets, user settings, local risk indexes, and optional sync state. |
| tabs | Opens the full address book page and detects page context for wallet and exchange workflows. |
| alarms | Refreshes community signals on a schedule without requiring a page to stay open. |
| identity | Enables optional Google Sign-In so you can back up and restore trusted contacts. |
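
One way to check an unpacked build against the table above, as an added example that is not ZAFU's own code: the Node.js script below lists any API permission a manifest requests beyond the four documented ones and collects host access patterns for separate review. The `auditManifest` helper and the sample manifest are constructed for illustration and do not reproduce the extension's real `manifest.json`.

```javascript
// Documented API permissions, taken from the permissions table on this page.
const DOCUMENTED = new Set(["storage", "tabs", "alarms", "identity"]);

// Manifest V2 mixes host match patterns into "permissions"; separate them out.
const isHostPattern = (p) => p === "<all_urls>" || /^(\*|https?|wss?|file|ftp):\/\//.test(p);

function auditManifest(manifest, documented = DOCUMENTED) {
  const fields = ["permissions", "optional_permissions", "host_permissions", "optional_host_permissions"];
  const api = new Set();
  const hosts = new Set();
  for (const field of fields) {
    const value = manifest[field] ?? [];
    if (!Array.isArray(value)) throw new TypeError(`${field} must be an array`);
    for (const entry of value) {
      if (typeof entry !== "string") throw new TypeError(`${field} has a non-string entry`);
      (isHostPattern(entry) ? hosts : api).add(entry);
    }
  }
  // Content scripts reach pages through "matches", not through "permissions".
  for (const script of manifest.content_scripts ?? []) {
    for (const match of script.matches ?? []) hosts.add(match);
  }
  return {
    undocumented: [...api].filter((p) => !documented.has(p)).sort(), // requested, not in the table
    unused: [...documented].filter((p) => !api.has(p)).sort(),       // in the table, not requested
    hosts: [...hosts].sort(),                                        // review these by hand
  };
}

// Constructed sample manifest with one extra permission to trigger a finding.
const sampleManifest = {
  manifest_version: 3,
  name: "sample",
  permissions: ["storage", "tabs", "alarms", "identity", "webRequest"],
  host_permissions: ["https://api.example.invalid/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

const report = auditManifest(sampleManifest);
console.log(JSON.stringify(report, null, 2));
```

To audit a real build, replace `sampleManifest` with the parsed `manifest.json` from the unpacked extension directory.
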
What stays local
- Trusted address indexes generated from your history stay in Chrome local storage.
- Suspicion lists generated from received transactions stay local.
- API keys, metrics, community cache, prices, and install IDs are not account-synced.
- Seed phrases and private keys are never requested and never visible to ZAFU.
Optional sync boundary
Google Sign-In is optional. When enabled, ZAFU syncs only contacts-oriented data: saved wallets, trusted contacts, labels, notes, descriptions, favorites, and deletion markers. Generated threat indexes and local operational data are excluded.
External checks
ZAFU can call blockchain and threat-intelligence providers when you ask it to fetch history, check an address, or report a community signal. These checks are for address risk only. ZAFU does not send wallet credentials because it never has them.
Community warnings use thresholded risk labels, not blanket "confirmed malicious" language. Read the Community Signals methodology for the current label states and dispute model.
Verification
The Chrome extension source is auditable, and releases include a fingerprint workflow so users can compare the package contents against the expected file list.
Local-first