I'm Sean and I've been a developer for a little over a year. I'm a blockchain/crypto enthusiast and started programming in/around crypto in the strangest of ways....I GOT HACKED!
Well, not exactly, more like I made a major not so smart mistake. I'll share my experience here so that you won't have to make the same mistake!
It all started when I took this course by Stephen Grider on Udemy: https://www.udemy.com/ethereum-and-solidity-the-complete-developers-guide/
I highly recommend it if you're interested in learning how to program smart contracts in Ethereum...it's a super fun course!
Shortly thereafter, I went to start sandboxing some new apps I wanted to play around with. Well, if you know anything about about programming Ethereum applications that interact with the blockchain, you'll know that you have to provide a 12-word MNEMONIC which serves as your private key (basically your password to your Ethereum address that shows that you own the address).
Little did I know that since I wasn't using any environment variables and my repo was public, my private key to my account would be open to all of GitHub! After doing a quick search on GitHub, an exposed user looks like this:
In short, somebody found my keys on GitHub, broke into my account, and stole my money!!!! Bad day for the wallet, Excellent day for learning!
TAKEAWAY LESSON:
1) Use environment variables when posting your private key data on GitHub
2) Use private repos when possible for additional safety
3) Use a command-line interface (like readline-sync: https://www.npmjs.com/package/readline-sync) to enter your private key data at runtime for ultimate safety
Happy Programming!
Top comments (4)
Key lesson is NOT to hide your repos, but to keep your credentials out of your code.
+1 to that. Even with private repos a rogue employee could have access to the credentials, and if the payout is big enough it may just be worth it for them.
What is with Tools like BFG Repo Cleaner ? rtyley.github.io/bfg-repo-cleaner/
Edit
What do you think about a „Testnet“ for youre Development?
rinkeby.io
You can use something like this for Develompment, Testing and CI but use your real Credentials only for Production.
A good way to Learn to „How to handle different Environments“ is to Look at other Tools and their behavior.
An Example for „Named-Profile“ is the AWS CLI...
docs.aws.amazon.com/cli/latest/use...
yeah for sure, getting real into the weeds with that the catch is that when you create a new account with MetaMask (3rd party GUI interface for sending transactions) you still end up using the same MNEMONIC, so even if you're on the testnet all wallets/accounts connected to that mnemonic are vulnerable.