Issue (status: Open), opened by 0x9060 4 years ago
Hm. HDWalletProvider needs private key information, so your thought to provide just public key would be insufficient.
You can add mnemonics that use a password, but nothing about how Truffle works today would change the situation about requiring this in plaintext. I've just opened a new issue to consider a password CLI prompt, but I think there's probably a better way to get what you're looking for (which I touched on in the issue).
❗ In any event, don't use your main account inside Truffle, please!!! Make a new mnemonic and transfer as little ETH as you need! Truffle makes development tools; our specialty is not in building a secure wallet implementation! Truffle doesn't need access to your entire net worth, I promise you!
@gnidan Agree, I'm not actually using the same wallet for development and managing crypto holdings. Just included that to drive the point home, we still should not be storing plaintext mnemonics on our host, unless that wallet is not important to us if it becomes compromised. Thanks for opening the feature request!
OK, we'll look into doing this when we have the chance!
I agree this is crazy and should be fixed -- I'm sure this is being targeted by hackers trying to gain access to big wallets. This should be a must-fix issue
I'm surprised this issue hasn't been given a larger priority. Sure, we can circumvent the security issue by using a development account with a different mnemonic phrase, but I shouldn't have to download multiple Metamask extensions on different browsers just so that I can test my projects with an ease of mind.
Issue
hdwallet-provider requires a plaintext mnemonic.
Steps to Reproduce
I want to deploy a contract to a network using truffle/hdwallet-provider and truffle migrate --network rinkeby, for example. Accordingly, I've defined my truffle-config.js file like so:
This works, but requires me to store my mnemonic on my host in plaintext somewhere. This is insecure, regardless of the fact that I'm storing it in a hidden file.
Expected Behavior
Do not require plaintext wallet mnemonics to deploy to networks. Instead, some public keys or a hash of the wallet mnemonic should be provided.
Or some other workaround?
Actual Results
Deployment to network works, but this requires storing wallet mnemonics in plaintext on the host somewhere. If the host becomes compromised, the keys to the kingdom, and my entire net worth, are lost. Storing this in plaintext is wild because of how critical this mnemonic is. It's 2020 - we don't store passwords in plaintext in a file on our host... why should we do it with something so critical as a wallet mnemonic?
Environment
Truffle version (truffle version): 5.1.43
Node version (node --version): 8.10.0
npm version (npm --version): 6.14.8