Deploy contracts using mobile or browser wallets #868
escottalexander
started this conversation in
Ideas
Replies: 2 comments 1 reply
-
Another option that would be better in some ways/worse in others is if you were prompted for your seed phrase (or pk) and it was just used for the deployment process - not saved anywhere. A spin on this would be saving the seed phrase in an encrypted state and prompting for the password when you deploy.
-
Related: #812. I think we should implement it when doing #866. For Hardhat, we could even implement a simple system to encrypt/decrypt your PK with a password? Anyway, 100% that we should improve PK safety.
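The password-encrypted key idea raised in the two comments above, as an added example that is not part of the thread or of the project's code. The choice of scrypt with AES-256-GCM, the JSON layout and the function names are assumptions made for illustration.

```javascript
// Added example: password-encrypted deployer key (function names and JSON layout are hypothetical).
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// scrypt cost parameters. N=2^15 with r=8 needs about 32 MiB, so maxmem is raised above Node's default.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(password, salt) {
  return scryptSync(password, salt, 32, KDF);
}

// Encrypt the key under a password; the returned JSON string is what would be written to disk.
function encryptKey(privateKey, password) {
  const salt = randomBytes(16); // fresh salt per file
  const iv = randomBytes(12);   // fresh 96-bit GCM nonce per encryption
  const cipher = createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKey, "utf8"), cipher.final()]);
  return JSON.stringify({
    v: 1, kdf: "scrypt", cipher: "aes-256-gcm",
    salt: salt.toString("hex"), iv: iv.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"), ct: ct.toString("hex"),
  });
}

// Decrypt at deploy time. A wrong password or a modified file fails the GCM tag check.
function decryptKey(blob, password) {
  const { salt, iv, tag, ct } = JSON.parse(blob);
  const key = deriveKey(password, Buffer.from(salt, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "hex"));
  decipher.setAuthTag(Buffer.from(tag, "hex"));
  try {
    return Buffer.concat([decipher.update(Buffer.from(ct, "hex")), decipher.final()]).toString("utf8");
  } catch {
    throw new Error("wrong password or corrupted key file");
  }
}

// Constructed sample values, not a real key or password.
const SAMPLE_KEY = "0x" + "11".repeat(32);
const stored = encryptKey(SAMPLE_KEY, "correct horse");
console.log(stored.includes(SAMPLE_KEY.slice(2)) ? "LEAK" : "key file holds ciphertext only");
```

A deploy script built on this would prompt for the password, call `decryptKey`, and keep the plaintext key in memory only for the duration of the deployment, so an accidentally committed file exposes ciphertext rather than the key.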
-
The reliance on using a local file containing a seed phrase (whether generated or pasted from your wallet) in order to deploy contracts is untenable as it ends up with users accidentally committing their seed phrase and generally encouraging bad opsec. Optimism's recent Onchain Builders Retro Funding initiative pushed for builders to prove themselves as the holders of the deployer for their contracts. This highlights the disconnect between using a throwaway deployer account with a lower security threshold and using an account that you intend to keep safe (and remember) long term.
Additionally, Patrick Collins recently posted about the frameworks' culpability in newbie devs getting hacked when we push bad practices like this.