Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get exposed to an unintended audience.
In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment. Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated services or resources.
The trust issue can be more or less severe depending on the people’s role and entitlement.
In that case, the wallet seed phrase, also known as a recovery phrase or
mnemonic seed, is arguably the most critical element in managing cryptocurrency.
Its importance cannot be overstated, as it serves as the master key to entire
crypto portfolios.
The consequences vary greatly by situation and by audience.
Below is the critical impact of an attacker accessing the wallet phrase.
Access to your seed phrase means complete control over your wallet. An attacker
can import your wallet on their own device and drain all your assets to their
own address.
Due to the irreversible nature of blockchain transactions, there is no way to
undo the theft.
You cannot change the seed phrase for an existing wallet. A seed phrase is the
master key from which all your wallet’s private keys are mathematically derived.
Therefore, the correct procedure is not to "change" the phrase, but to move your
funds to a new wallet with a new seed phrase.
Then, transfer the assets from the old wallet to the new one.
Store this new backup in an extremely secure, offline location. Do not take a photo of it or store it on any internet-connected device.
If you need to store it digitally, consider using a hardware wallet or a dedicated secret vault.
import { HDNodeWallet } from 'ethers'
const mnemonic = 'donate clutch sport betray purpose monitor lift blame slide spin crunch marriage'
const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic) // Noncompliant
import { HDNodeWallet } from 'ethers'
const mnemonic = process.env.SECRET
const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic)
While the noncompliant code example contains a hard-coded seed phrase, the
compliant solution retrieves the secret’s value from its environment.
This allows it to have an environment-dependent secret value and avoids storing
the phrase in the source code itself.