search

trufflesuite / truffle

:warning: The Truffle Suite is being sunset. For information on ongoing support, migration options and FAQs, visit the Consensys blog. Thank you for all the support over the years.
https://consensys.io/blog/consensys-announces-the-sunset-of-truffle-and-ganache-and-new-hardhat?utm_source=github&utm_medium=referral&utm_campaign=2023_Sep_truffle-sunset-2023_announcement_
MIT License
14.02k stars 2.32k forks source link

hdwallet-provider requires plaintext mnemonic #3361

Open 0x9060 opened 4 years ago

0x9060 commented 4 years ago

Issue

hdwallet-provider requires plaintext mnemonic.

Steps to Reproduce

I want to deploy a contract to a network using truffle/hdwallet-provider and truffle migrate --network rinkeby, for example. Accordingly, I've defined by truffle-config.js file like so:

const HDWalletProvider = require('@truffle/hdwallet-provider');
const fs = require('fs');
const mnemonic = fs.readFileSync(".keysToTheKingdom").toString().trim();

const infuraURL = 'https://rinkeby.infura.io/v3/MY-PROJECT-ID'
const infuraKey = fs.readFileSync(".infuraProjectSecret").toString().trim();

var HDWallet = require('@truffle/hdwallet-provider')

module.exports = {
  networks: {
      rinkeby: {
      provider: () => new HDWalletProvider(mnemonic, infuraURL),
      network_id: 4,       // Rinkeby's network id 
      gas: 5500000,
      },
};

This works, but requires me to store my mnemonic on my host in plaintext somewhere. This is insecure, regardless of the fact that I'm storing it in a hidden file.

Expected Behavior

Do not require plaintext wallet mnemonics to deploy to networks. Instead, some public keys or a hash of the wallet mnemonic should be provided.

Or some other workaround?

Actual Results

Deployment to network works, but this requires storing wallet mnemonics in plaintext on the host somewhere. If the host becomes compromised, the keys to the kingdom, and my entire net worth, are lost. Storing this in plaintext is wild because of how critical this mnemonic is. It's 2020 - we don't store passwords in plaintext in a file on our host... why should we do it with something so critical as a wallet mnemonic?

Environment

gnidan commented 3 years ago

Hm. HDWalletProvider needs private key information, so your thought to provide just public key would be insufficient.

You can add mnemonics that use a password, but nothing about how Truffle works today would change the situation about requiring this in plaintext. I've just opened a new issue to consider a password CLI prompt, but I think there's probably a better way to get what you're looking for (which I touched on in the issue).

In any event, don't use your main account inside Truffle, please!!! Make a new mnemonic and transfer as little ETH as you need! Truffle makes development tools; our specialty is not in building a secure wallet implementation! Truffle doesn't need access to your entire net worth, I promise you!

0x9060 commented 3 years ago

@gnidan Agree, I'm not actually using the same wallet for development and managing crypto holdings. Just included that to drive the point home, we still should not be storing plaintext mnemonics on our host, unless that wallet is not important to us if it becomes compromised. Thanks for opening the feature request!

haltman-at commented 3 years ago

OK, we'll look into doing this when we have the chance!

sterlingcrispin commented 3 years ago

I agree this is crazy and should be fixed -- I'm sure this is being targeted by hackers trying to gain access to big wallets. This should be a must-fix issue

freddyshim commented 3 years ago

I'm surprised this issue hasn't been given a larger priority. Sure, we can circumvent the security issue by using a development account with a different mnemonic phrase, but I shouldn't have to download multiple Metamask extensions on different browsers just so that I can test my projects with an ease of mind.