Slush — A Sui Wallet
Invest in your future self with Slush, a comprehensive wallet for buying and selling tokens that also enables swapping, staking, and DeFi use cases directly within the app. With its enterprise-grade security, users can log in via social login or seed phrase, making it accessible to everyone. Suitable for individuals looking to manage their digital assets across the Sui ecosystem.
Overview
Invest in your future self with Slush (formerly known as Sui Wallet). Buy and sell tokens, then swap, stake, or use them in DeFi—all directly in the app.
Other exciting Slush features:
- Enterprise-grade security
- Log in how you like. You can use a social login or seed phrase
- Send bundles of tokens and NFTs in a link or QR code
- Explore apps across the Sui ecosystem
Security Analysis — Slush — A Sui Wallet
Package Contents 83 files · 32.3MB
What This Extension Does
Slush (formerly Sui Wallet) is a browser extension that allows users to manage their Sui tokens, including buying, selling, swapping, staking, and using them in DeFi. It's designed for productivity and developer use cases, with features like enterprise-grade security and social login options.
Permissions Explained
- storage (expected): This permission allows the extension to store data locally on your device.
  Technical: The extension has access to Chrome's storage API, which enables it to save and retrieve user data. This includes sensitive information like token balances and private keys.
- tabs (expected): This permission allows the extension to access and interact with your browser tabs.
  Technical: The extension has access to Chrome's tab management API, which enables it to switch between tabs, read tab content, and inject scripts into pages.
- alarms (expected): This permission allows the extension to schedule notifications and reminders.
  Technical: The extension has access to Chrome's alarm API, which enables it to send notifications and reminders to users. This could potentially be used for phishing or other malicious purposes if compromised.
- unlimitedStorage (check this): This permission allows the extension to store an unlimited amount of data locally on your device.
  Technical: The extension has access to Chrome's storage API with elevated permissions, which enables it to store large amounts of user data. This could potentially be used for malicious purposes if compromised. ⚠ 1
- identity (check this): This permission allows the extension to access your Google account information and login credentials.
  Technical: The extension has access to Chrome's identity API, which enables it to authenticate users using their Google accounts. This could potentially be used for phishing or other malicious purposes if compromised. ⚠ 1
- offscreen (check this): This permission allows the extension to run in the background even when you're not actively using it.
  Technical: The extension has access to Chrome's offscreen API, which enables it to continue running in the background and accessing user data. This could potentially be used for malicious purposes if compromised. ⚠ 1
Your Data
The extension accesses your browser storage, tabs, and identity information, and sends data to various domains including www.w3.org, react.dev, and github.com. It also uses the Sentry error tracking service.
Technical Details
Code Findings
The extension uses dynamic JavaScript imports to load code at runtime, which can make it harder to analyze and debug.
Technical: The extension uses the import() function to dynamically import JavaScript modules. This is a common pattern in modern web development but can also be used for malicious purposes if not properly secured.
💡 Dynamic imports are commonly used in legitimate extensions to load code conditionally or lazily.
The extension uses string manipulation techniques to obfuscate its code, making it harder to analyze and debug.
Technical: The extension uses the String.fromCharCode() function to encode strings in a way that makes them harder to read. This is often used for malicious purposes but can also be used for legitimate reasons like protecting sensitive information.
💡 String manipulation techniques are commonly used in legitimate extensions to protect sensitive information or implement encryption.
The extension uses character code manipulation techniques to obfuscate its code, making it harder to analyze and debug.
Technical: The extension uses the String.charCodeAt() function to manipulate character codes in a way that makes them harder to read. This is often used for malicious purposes but can also be used for legitimate reasons like protecting sensitive information.
💡 Character code manipulation techniques are commonly used in legitimate extensions to protect sensitive information or implement encryption.
Overall, the Slush extension has a moderate risk profile due to its access to sensitive user data and use of dynamic imports and obfuscation techniques. While it appears to be designed for legitimate purposes, users should exercise caution when installing and using this extension.