Problem: keyring-backend test leading to accounts to be drained when 8545 exposed public
#1657
Comments
|
Referral ticket from |
|
This issue is stale because it has been open 45 days with no activity. Remove |
|
This issue is stale because it has been open 45 days with no activity. Remove |
|
This issue is stale because it has been open 45 days with no activity. Remove |
|
This issue is stale because it has been open 45 days with no activity. Remove |
ramacarlucho
added
good first issue
|
This is a valid feature request. But currently we cannot add it to our priority development queue. |
|
This issue is stale because it has been open 45 days with no activity. Remove |
Context
https://github.com/evmos/evmos/blob/main/rpc/backend/sign_tx.go L26:29
It is implementation of
eth_sendTransactionWith keyring-backend
test, which is not protected by password, everyone able to drain all balance of all accounts managed under keyring-backendtestof the node just by sending a transfer command like this:And list of accounts managed by node can be retrievable by calling: eth_accounts
Fact is I got drained 10+ times but I didn't mind about that because most of the time I just set it up testing smt and eraser so got drained is not any problem.
10/10 times I got drained by this wallet
0x071aad74a52f76aec4a4b4fecfc910dbc8fe03f4(it is well-known)In this github ticket I see they mentioned about the
allow-insecure-unlockflag (which I believe not exists in current implementation of evmos/ethermint).So why don't we implement that flag?
So balance of test chains still safe unless that flag
--allow-insecure-unlocksupplied within start command.With
--allow-insecure-unlocksupplied, the un-safe methods like that can be accessible.The text was updated successfully, but these errors were encountered: