Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- The example persists the WebAuthn credential object in localStorage without any warning about the security implications. localStorage is readable by any JavaScript running in the origin, so an XSS bug, compromised dependency, or browser extension could expose credential metadata/session state and facilitate unauthorized wallet use or account tracking; in the same example, the stored credential is directly used for creating a smart account and sending sponsored on-chain transfers, increasing the practical risk.
