My ETH was stolen

Original link: https://blog.forecho.com/my-eth-has-been-stolen.html

Introduction

ETH has dropped recently. Last night, before going to bed, I opened my ETH wallet and saw a transfer notification: all 0.76 ETH in the wallet had been transferred out, and the transfer had happened the night before.

This article records what happened and how to keep a wallet from being drained the same way.

What happened

On Friday I was studying smart contracts and wrote “Using HardHat to Create NFT Smart Contracts”. Following the tutorial, I uploaded the code to GitHub and made the repository public, without thinking to check the environment files in the code.

Then on Saturday night I found that the ETH in my wallet had been stolen. At first I assumed I had granted a wallet approval to an unsafe website and that the approval had been abused, but after checking carefully I found no such record in MetaMask's transaction history.

Then I looked at the GitHub repository. The theft happened right around the time of my last commit, and when I read the code again I realised, like an idiot, that I had put my private key in the code and committed it to GitHub.

There is a .env.example file in the repository. When Hardhat initializes a project it generates a .gitignore that already lists .env, so that part was fine. But when I created .env.example I ran cp .env .env.example, which copied the private key into .env.example as well; I neither deleted nor checked the value, and the file was committed to GitHub with the key inside.

At the time I was rushing to leave work, so I committed the code and left.

How to avoid it

Recognize the importance of wallet private keys

Clearly I did not appreciate the importance of a wallet's private key before this, and that is what caused the loss. The private key of a Web3 wallet is critical: on the blockchain it plays the role of your password, and it has these properties:

  • Access: the private key (or the seed phrase it is derived from) is what signs transactions from your wallet. Whoever holds it can send transactions to buy, sell or transfer the tokens at that address.
  • Secrecy: the private key must be kept private and never shared with anyone. Anyone who obtains it controls your assets, and there is no revocation step: a leaked key stays usable forever, so the only remedy is to move the assets to a freshly generated wallet. This is why many people store keys in a hardware wallet or with similar protections.
  • Fixed: an address is derived from its key, so the key that controls an address can never be changed or reset. There is no password-reset flow on a blockchain; the integrity of the transaction history comes from the chain itself, not from the key.
  • No recovery: if you lose the private key and its seed phrase, there is effectively no way to get them back, and the assets at that address are gone with them. This is why a secure backup of the key matters.

So guard the private key of your Web3 wallet carefully: losing it means losing access to your assets, and leaking it means someone else gains it.

Separate wallet

When using Web3 wallets, keep separate wallets for separate purposes: one only for holding assets, one only for development and testing, one for day-to-day transactions, and so on. The development wallet is the one whose key ends up in .env files, scripts and CI settings, so it should hold nothing beyond testnet ETH or an amount you can afford to lose.

The wallet that holds your assets must have its private key kept secure, and you should not grant approvals from it casually. A hardware wallet is recommended, so that the key never leaves the device.

environment variable

When developing, treat environment variables as secrets: never put a private key or similar material into code, and never commit it to GitHub, especially in an open-source project. Once a key has been pushed to a public repository it must be treated as compromised and the funds moved to a new wallet, even if the commit is later removed; automated scanners harvest secrets from public pushes far faster than a person can react, which is consistent with the theft following my commit within a day. Measures I can think of:

  • Get into the habit of creating a repository as private first and making it public only after reviewing its contents.
  • Before committing, read the staged changes (git diff --cached) and confirm they contain no private key or other secret.
  • Install git-secrets locally and wire it into git hooks so the code is scanned automatically before each commit or push; it is very convenient.
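As an added example that is not part of the original post (and not Hardhat's or git-secrets' own code), the following POSIX shell script does two of the things discussed above: it derives .env.example from .env by blanking the values instead of copying the file, which is exactly where the key leaked, and it works as a git pre-commit hook that refuses a commit whose staged content contains a 64-hex-character private key or a 12- to 24-word mnemonic. The regexes, the sample .env contents and the all-zero placeholder key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the original post, Hardhat or git-secrets):
# a pre-commit guard against committing Ethereum private keys or seed
# phrases, plus a safe way to derive .env.example from .env without the
# `cp .env .env.example` mistake. Only standard git and POSIX tools are used;
# the regexes and the sample .env contents below are constructed.

# Print lines that look like a raw Ethereum private key: 32 bytes as 64 hex
# characters, optionally 0x-prefixed, not embedded in a longer hex run.
# Reads the named files, or stdin when none are given. Exit 0 = found.
find_private_keys() {
    grep -nE '(^|[^0-9a-fA-F])(0x)?[0-9a-fA-F]{64}([^0-9a-fA-F]|$)' "$@"
}

# Print lines holding a 12- to 24-word BIP-39 style mnemonic used as a value
# (after '=', ':' or inside quotes), e.g. MNEMONIC="test test ... junk".
# Requiring the value position keeps ordinary prose from matching.
find_mnemonics() {
    grep -nE "(=|\"|'|:)[[:space:]]*([a-z]{3,8} ){11,23}[a-z]{3,8}[[:space:]]*(\"|'|,|$)" "$@"
}

# Build .env.example from .env by blanking every value: the variable names are
# documented, the secrets are not. Comments and blank lines pass through.
make_env_example() {
    sed -E 's/^([A-Za-z_][A-Za-z0-9_]*)=.*/\1=/' "$1" > "$2"
}

# Hook body: scan the staged content (not the working tree copy) of every
# added or modified file and refuse the commit if anything key-shaped turns up.
pre_commit_check() {
    bad=0
    staged="${TMPDIR:-/tmp}/staged.$$"
    git diff --cached --name-only --diff-filter=ACM > "$staged"
    while IFS= read -r f; do
        if git show ":$f" | find_private_keys >/dev/null \
           || git show ":$f" | find_mnemonics >/dev/null; then
            echo "pre-commit: possible private key or mnemonic in $f; commit refused" >&2
            bad=1
        fi
    done < "$staged"
    rm -f "$staged"
    return $bad
}

# Stand-alone demonstration on constructed files. The key is the all-zero
# placeholder, not a real key.
demo() {
    tmp=$(mktemp -d)
    printf 'PRIVATE_KEY=0x%064d\nALCHEMY_URL=https://example.invalid/v2/abc\n# comment\n' 0 > "$tmp/.env"
    make_env_example "$tmp/.env" "$tmp/.env.example"
    echo "--- generated .env.example:"
    cat "$tmp/.env.example"
    if find_private_keys "$tmp/.env.example" >/dev/null; then
        echo ".env.example still leaks a key"
    else
        echo ".env.example is clean"
    fi
    rm -rf "$tmp"
}

# When installed as .git/hooks/pre-commit, git runs this file by that path
# and a non-zero exit blocks the commit; run from anywhere else it shows the demo.
case "$0" in
    */pre-commit) pre_commit_check ;;
    *) demo ;;
esac
```

Copy the script to .git/hooks/pre-commit and make it executable; run it from anywhere else to see the demonstration. A 64-hex-character string is also the shape of a transaction hash or a SHA-256 digest, so expect occasional false positives and review them rather than loosening the pattern. The hook only protects future commits: a key that is already in the history has already been pushed and must be treated as compromised. The same key regex can be registered with git-secrets via `git secrets --add`, which then enforces it through the hooks installed by `git secrets --install`.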

Summary

This incident gave me a much deeper appreciation of the Web3 wallet private key, and made me realise how carefully environment variables have to be handled; I will pay attention to both from now on. That Friday post cost me 0.76 ETH, a painful lesson.

I hope everyone can learn from this and not make the same mistakes I did. If this article helped you, you could consider sending a tip to console me; thank you very much.

  • TRC: TRdBDpuSVffHfAD33SFVyc62hZe79msdcd
  • ETH: 0xc1a3C8DF608F8D4a321fEC13e968327ccFd0bf74
