hdwallet-provider requires plaintext mnemonic
See original GitHub issue.
I’ve asked for help in the Truffle Gitter before filing this issue.
Issue
hdwallet-provider requires plaintext mnemonic.
Steps to Reproduce
I want to deploy a contract to a network using truffle/hdwallet-provider and truffle migrate --network rinkeby, for example. Accordingly, I’ve defined my truffle-config.js file like so:
```js
const HDWalletProvider = require('@truffle/hdwallet-provider');
const fs = require('fs');
// Mnemonic is read from a plaintext file on disk; this is the problem described below.
const mnemonic = fs.readFileSync(".keysToTheKingdom").toString().trim();
const infuraURL = 'https://rinkeby.infura.io/v3/MY-PROJECT-ID';
const infuraKey = fs.readFileSync(".infuraProjectSecret").toString().trim(); // read but not used below
var HDWallet = require('@truffle/hdwallet-provider'); // duplicate of HDWalletProvider above, unused

module.exports = {
  networks: {
    rinkeby: {
      provider: () => new HDWalletProvider(mnemonic, infuraURL),
      network_id: 4, // Rinkeby's network id
      gas: 5500000,
    },
  },
};
```
This works, but requires me to store my mnemonic on my host in plaintext somewhere. This is insecure, regardless of the fact that I’m storing it in a hidden file.
Expected Behavior
Do not require plaintext wallet mnemonics to deploy to networks. Instead, some public keys or a hash of the wallet mnemonic should be provided.
Or some other workaround?
Actual Results
Deployment to network works, but this requires storing wallet mnemonics in plaintext on the host somewhere. If the host becomes compromised, the keys to the kingdom, and my entire net worth, are lost. Storing this in plaintext is wild because of how critical this mnemonic is. It’s 2020 - we don’t store passwords in plaintext in a file on our host… why should we do it with something so critical as a wallet mnemonic?
Environment
- Operating System: Ubuntu 18.04
- Ethereum client: geth v1.9.21
- Truffle version (truffle version): 5.1.43
- node version (node --version): 8.10.0
- npm version (npm --version): 6.14.8
Issue Analytics
- State:
- Created 3 years ago
- Reactions:4
- Comments:5 (2 by maintainers)
Top GitHub Comments
I’m surprised this issue hasn’t been given a larger priority. Sure, we can circumvent the security issue by using a development account with a different mnemonic phrase, but I shouldn’t have to download multiple Metamask extensions on different browsers just so that I can test my projects with an ease of mind.
I agree this is crazy and should be fixed – I’m sure this is being targeted by hackers trying to gain access to big wallets. This should be a must-fix issue