From 3c1336b9407a44228ebfc626a05b8d6f7cf2d907 Mon Sep 17 00:00:00 2001
From: Tamas <soostamas.hu@gmail.com>
Date: Fri, 27 Feb 2026 11:46:39 +0100
Subject: [PATCH] fix: replace Math.random() with crypto.getRandomValues()
 (WAPI-1127)

Math.random() is not cryptographically secure and should never be used
for security-sensitive values like OTP generation. Replace with
crypto.getRandomValues() which is available in all target runtimes
(Node 20+, modern browsers, React Native).
---
 packages/wallet-client/CHANGELOG.md                           | 1 +
 .../src/handlers/untrusted-connection-handler.ts              | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/wallet-client/CHANGELOG.md b/packages/wallet-client/CHANGELOG.md
index 4d8f5ef..3f2ab29 100644
--- a/packages/wallet-client/CHANGELOG.md
+++ b/packages/wallet-client/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Replace `Math.random()` with `crypto.getRandomValues()` for OTP generation
 - Validate peer public keys during session creation ([#70](https://github.com/MetaMask/mobile-wallet-protocol/pull/70))
 - Fix client stuck in CONNECTING state when session creation fails ([#70](https://github.com/MetaMask/mobile-wallet-protocol/pull/70))
 
diff --git a/packages/wallet-client/src/handlers/untrusted-connection-handler.ts b/packages/wallet-client/src/handlers/untrusted-connection-handler.ts
index 2b9e0fd..500a279 100644
--- a/packages/wallet-client/src/handlers/untrusted-connection-handler.ts
+++ b/packages/wallet-client/src/handlers/untrusted-connection-handler.ts
@@ -47,7 +47,9 @@ export class UntrustedConnectionHandler implements IConnectionHandler {
 	 * @returns An object containing the OTP string and its deadline
 	 */
 	private _generateOtpWithDeadline(): { otp: string; deadline: number } {
-		const otp = Math.floor(100000 + Math.random() * 900000).toString();
+		const buf = new Uint32Array(1);
+		globalThis.crypto.getRandomValues(buf);
+		const otp = (100000 + (buf[0] % 900000)).toString();
 		const deadline = Date.now() + this.otpTimeoutMs;
 		return { otp, deadline };
 	}