This repository has been archived by the owner on Oct 3, 2024. It is now read-only.

fix: added warning about using private keys in plaintext #1031

Conversation

PatrickAlphaC
Contributor

@PatrickAlphaC PatrickAlphaC commented Apr 25, 2024

What 💻

Added a warning about using unencrypted private keys.

Why ✋

New developers accidentally exposing private keys to GitHub is one of the quickest ways to destroy a new developer's motivation. Most people don't encrypt their keys and essentially just get lucky. We often don't hear about it because new developers are often embarrassed, and this goes underreported because the advice is, "Oh, you exposed your private key? Skill issue TBH." And then they leave Web3. A large part of this stems from the fact that most tutorials encourage people to place their private keys in plaintext without any warning of the downsides.

Evidence 📷

This poll shows that most people are good, but it should be all.

https://twitter.com/PatrickAlphaC/status/1783561089105465654

Those few who do lose money often lose a lot.

https://twitter.com/PatrickAlphaC/status/1783562471602618712

We need to fix our tutorials so this is not the case.

Notes 📝

@PatrickAlphaC PatrickAlphaC requested review from a team as code owners April 25, 2024 18:27
::: warning
Remember to use a private key that only has testnet funds if you are going to paste your private key in plaintext. It is recommended to [never have a private key associated with real funds in plaintext.](https://github.com/Cyfrin/foundry-full-course-f23/discussions/5).

If you wish to use hardhat with real funds, it's recommended to encrypt your key so it's not accidentally exposed.
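Review bot: the second sentence of the warning has a punctuation defect: the period sits inside the link text, `plaintext.](https://github.com/Cyfrin/foundry-full-course-f23/discussions/5)`, and is followed by another period after the closing parenthesis, so the rendered text ends in "..". Move the period outside the link. Also make sure the `::: warning` container opened here is closed with a matching `:::` after the last paragraph, which is not within this excerpt; an unclosed container swallows the rest of the section in most VitePress-style renderers. Finally, the linked discussion belongs to a Foundry course while this section is about Hardhat, so a Hardhat-specific pointer (the encryption example discussed below) would serve readers of this page better.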
Collaborator

Do you have a link to an example we can link to for encrypting your Private Key for use with something like Hardhat?

Also, as a general note, the upcoming new docs will lean more on tools like Foundry's `cast wallet import` to manage keys in a private encrypted keystore automatically for devs.

Contributor Author

For Hardhat, you have to roll your own encryption script. They recommend using their variables setting, but I don't like it because the keys are still in plaintext and just moved elsewhere.

I have used this example in the past to encrypt and decrypt your own keys. The project has an example of encrypting and decrypting the keys.

`cast wallet import` is the best way to do key management!! That's great!

I'll add this example to the warning.

@@ -842,6 +842,12 @@ Make sure you deposit funds on zkSync Era using [one of the available bridges](h

1. In the `deploy` folder, create the file `deploy-factory.ts` and copy/paste the following code, replacing `<WALLET_PRIVATE_KET>` with your private key.

::: warning
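Review bot: the placeholder in the context line, `<WALLET_PRIVATE_KET>`, is misspelled; since the warning is being inserted directly beneath it, correct it to `<WALLET_PRIVATE_KEY>` in the same change. Also, an unindented `::: warning` container placed after "1. In the `deploy` folder, ..." terminates the numbered list in Markdown, so the code block that follows it will no longer belong to step 1 and any later steps will restart numbering; indent the container under the list item or place it before the list.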
Collaborator

Let's please update all instances where this warning should be added. I believe the other tutorials also need this warning.

Contributor Author

Done!

@itsacoyote
Contributor

Moving Issue to zksync-docs repo and closing this PR. Will create a new PR for the changes in that repo.

@itsacoyote itsacoyote closed this Aug 16, 2024