Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get exposed to an unintended audience.
In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment. Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated services or resources.
The trust issue can be more or less severe depending on the people’s role and entitlement.
In that case, the wallet seed phrase, also known as a recovery phrase or mnemonic seed, is arguably the most critical element in managing
cryptocurrency.
Its importance cannot be overstated, as it serves as the master key to entire crypto portfolios.
The consequences vary greatly by situation and by audience.
Below is the critical impact of an attacker accessing the wallet phrase.
Access to your seed phrase means complete control over your wallet. An attacker can import your wallet on their own device and drain all your
assets to their own address.
Due to the irreversible nature of blockchain transactions, there is no way to undo the theft.
You cannot change the seed phrase for an existing wallet. A seed phrase is the master key from which all your wallet’s private keys are
mathematically derived.
Therefore, the correct procedure is not to "change" the phrase, but to move your funds to a new wallet with a new seed
phrase.
Then, transfer the assets from the old wallet to the new one.
Store this new backup in an extremely secure, offline location. Do not take a photo of it or store it on any internet-connected device.
If you need to store it digitally, consider using a hardware wallet or a dedicated secret vault.
import { HDNodeWallet } from 'ethers'
const mnemonic = 'donate clutch sport betray purpose monitor lift blame slide spin crunch marriage'
const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic) // Noncompliant
import { HDNodeWallet } from 'ethers'
const mnemonic = process.env.SECRET
const mnemonicWallet = HDNodeWallet.fromPhrase(mnemonic)
While the noncompliant code example contains a hard-coded seed phrase, the compliant solution retrieves the secret’s value from its
environment.
This allows it to have an environment-dependent secret value and avoids storing the phrase in the source code itself.