The Hacking Risk of Private Keys When Deploying Contracts Locally

A True Tale from ETH Global Tokyo

This story unfolded at ETH Global Tokyo. A developer, who had entered the Bunzz Prize hackathon, froze in the midst of his presentation, yelling, “I’ve been hit!” When we asked what had happened, he said, “My wallet’s been hacked, and the funds have been drained.” The cause quickly came to light. He was using a local development environment, storing his private key locally to deploy contracts.

Unfortunately, this private key, its storage location specified in the code of the DApp program he was developing, had been pushed to a public GitHub repository. Essentially, his private key was visible from anywhere in the world.

The Hectic Environment of a Hackathon

Here’s a plausible theory. When a hackathon is held, many developers, including beginners, join in, often writing code under more pressure than usual. They may end up hurriedly uploading their code to GitHub as the submission deadline approaches. Somewhere in the world, a malicious actor could be keeping track of hackathon schedules, waiting for new repositories to be created in droves. They sift through this mountain of code to find private keys.

This is not an unlikely scenario because our victim had funds withdrawn right after his code submission time. In fact, when we searched GitHub using certain keywords (which we won’t reveal to prevent further abuse), we found several repositories where the private key was explicitly listed.

Developers may unknowingly upload sensitive keys to GitHub when deploying from a local environment, making them vulnerable to hackers.

The terrifying fact is this could happen to any user utilizing local development environments such as Hardhat, Truffle, or Foundry since they necessitate storing the private key locally and specifying its location in the code.

The Search for a Secure Web3 Development Environment

A way to avoid such incidents would be to use an IDE like Remix instead of a local one. However, developers primarily using Remix as their development environment are rare, suggesting that a secure web3 development environment might not exist yet. 

To this effect, the Bunzz deployment process is conducted via MetaMask, mitigating such risks. We’re also continuously exploring the possibility of developing an ideal IDE as part of our development infrastructure. Improving the security of private keys undoubtedly will propel the development of web3. 

Please follow us on Twitter to stay tuned for updates.

Share this article: