ERC 2335 - Encrypting Private Keys
While taking the @cyfrin_Updraft course, I came across ERC 2335, I realized the dire implication of hardcoding private keys onto the project repo and then pushing to GitHub.
So many developers forget to remove their private keys and it was a menace and a big issue until the ERC 2335 was introduced.
So what is the ERC 2335?
ERC-2335 emerged as a crucial response to a persistent and dangerous problem in blockchain development: the accidental exposure of private keys in public repositories and production environments.
Before its standardization, developers frequently made the costly mistake of hardcoding private keys directly in their source code or configuration files, which would then be inadvertently pushed to GitHub or deployed to production servers.
These exposures often resulted in the immediate theft of funds and compromise of smart contracts, as malicious actors continuously scan public repositories for exposed keys.
The standard introduces a structured approach to private key encryption, specifically designed to make it harder for developers to accidentally commit sensitive key material.
It provides a robust encryption framework that separates the storage of encrypted keys from application code while maintaining interoperability across different platforms and tools.
By enforcing a clear distinction between encrypted key storage and application logic, ERC-2335 helps development teams implement secure key management practices from the start of their projects.
One of the most significant aspects of ERC-2335 is its emphasis on secure local storage and encryption of private keys, rather than relying on environment variables or configuration files that might accidentally be included in version control.
This approach directly addresses the common pitfall of developers using plaintext private keys during development and forgetting to remove them before pushing code to public repositories.
How does it work
To follow this next part, fork the contract repo and you would need to have the following.
- Text editor recommended (Vscode)
- Install Foundry
curl -L https://foundry.paradigm.xyz | bash
If you encounter any issues during the installation please drop a comment or use AI to resolve them.
Once you are done you should be able to see the following cast
, anvil
, forge
and chisel
Create a folder and navigate into it, then run forge init
this sets up a boilerplate our focus would be script
src
and test
.
Next copy the scofield
contract we forked from GitHub into our src and delete whatever you see inside. Make sure to save with the .sol
format.
In the script folder, we are going to write a test script, the test script must have an extension of .s.sol
,
Spin up your terminal and type anvil
to create a local EVM account which would give us access to accounts and private keys.
This is a test account so do not use them for production.
if we were going to run a test without obstructing our private keys, this is what we would have done.
forge script script/Deployscofield.s.sol --rpc-url HTTP://127.0.0.1:8545 --broadcast --privatekey 0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
Notice we are placing our private key directly on the transaction and if we create a script we would have to store the private key in plain text.
To resolve this.
We run a cast wallet import hide_my_key interactive
to obfuscate the private key.
Here we set our private key to hide_my_key
and set a password so we we run
forge script script/Deployscofield.s.sol --rpc-url HTTP://127.0.0.1:8545 --broadcast --account hide_my_key --sender 0x15d34aaf54267db7d7c367839aaf71a00a2c6a65
Here we are prompted for the password we set for our private key
when we input the password the transaction goes through.
Voila.
We have learnt a valuable lesson and that is we don't have to use our private key in our development stage going forward.
If you have any recommendations or you feel I forgot something please drop a comment below.
You can read more about ERC 2335 here.
Top comments (0)