科技回声
A technology news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

Developer posts secret key on GitHub, loses $40K in 2 minutes

52 points, by jshprentz, 11 months ago

14 comments

ceejayoz, 11 months ago
> In 2023, Guan posted his opinion on smart contract engineers. According to Guan, projects that pay smart contract engineers $200,000 are “ngmi,” which is short for “not gonna make it.” The Web3 founder said that any solid developer “should be able to write solidity with the help of ChatGPT.”

Ah, schadenfreude.
davidmurdoch, 11 months ago
I worked on Truffle and Ganache (RIP), the first Ethereum development toolchain. We had a default list of accounts and private keys on start up that everyone used, but devs kept using those keys on Mainnet and immediately loading their funds, despite the warning in docs and the CLI output. We have had threats from devs who thought we were running scripts to drain the accounts we gave them. So we switched to a randomized mnemonic by default.

So when competitors, like hardhat and foundry, popped up what did they do? Used default shared accounts and keys. We reached out to let them know that users will lose funds, but all they did was add a warning in the CLI output and in docs. Devs still regularly lose funds: https://etherscan.io/address/0xf39fd6e51aad88f6f4ce6ab8827279cfffb92266
bckr, 11 months ago
If you’ve got that much money in a project, it’s not a prototype.

This repo should have had all types of static analysis running automatically.

Hell, GitHub has built in secret scanning. Apparently it was only set as the default for all new repos in March 2024 [1].

[1] https://docs.github.com/en/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories#enabling-secret-scanning-alerts-for-users-for-all-your-public-repositories
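As an added illustration of the "secret scanning before the push" point in the comment above (this is example code written for this page, not GitHub's secret-scanning implementation and not code from the thread), here is a minimal pre-commit scanner. The rule set is a small illustrative subset (an assumption; real scanners ship hundreds of provider-specific rules), the sample key is made up, and the AWS value is Amazon's published documentation example.

```python
"""Pre-commit style secret scanner: flags hex private keys, a few common
token formats and PEM blocks in text or in the lines being added to the
git index. Added example; not GitHub's or any project's own code."""
import math
import re
import subprocess
import sys
from collections import Counter

# Illustrative subset of rules (assumption: real scanners carry far more).
PATTERNS = {
    "eth_private_key": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# A 64-hex token is also what a SHA-256 digest looks like; lines that say so are skipped.
DIGEST_HINT = re.compile(r"sha-?256|digest|checksum", re.I)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits per character: random hex is close to 4.0, an all-zero or
    'deadbeef'-style placeholder is far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<text>"):
    """Return one finding per match as {path, line, rule, preview}. Only a
    short prefix of the token is kept so the report itself does not leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                tok = m.group(0)
                if rule == "eth_private_key":
                    hexpart = tok[2:] if tok.lower().startswith("0x") else tok
                    # placeholders and digests are not secrets
                    if shannon_entropy(hexpart.lower()) < 3.0 or DIGEST_HINT.search(line):
                        continue
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "preview": tok[:6] + "..."})
    return findings


def scan_staged():
    """Scan only the lines being added in the index, i.e. what a pre-commit
    hook sees; line numbers are taken from the hunk headers."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings, path, lineno = [], "<unknown>", 0
    for line in diff.splitlines():
        hunk = HUNK.match(line)
        if line.startswith("+++ b/"):
            path = line[6:]
        elif hunk:
            lineno = int(hunk.group(1))
        elif line.startswith("+") and not line.startswith("+++"):
            for f in scan_text(line[1:], path):
                f["line"] = lineno
                findings.append(f)
            lineno += 1
    return findings


# Constructed sample input: the hex key is made up; the AWS value is the
# example key from Amazon's own documentation, not a live credential.
SAMPLE = (
    'DEPLOYER_KEY = "0x4f3c2b8e9d1a7c6f5e0b2d4a8c7f1e3b9d6a5c4e2f0b8d7a3c1e9f6b5d4a2c8e"\n'
    'PLACEHOLDER = "0x' + "0" * 64 + '"\n'
    "sha256sum: 4f3c2b8e9d1a7c6f5e0b2d4a8c7f1e3b9d6a5c4e2f0b8d7a3c1e9f6b5d4a2c8e\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
)

if __name__ == "__main__":
    hits = scan_staged() if "--staged" in sys.argv else scan_text(SAMPLE, "<sample>")
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']} ({h['preview']})")
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the constructed sample and reports the real-looking key and the AWS id while ignoring the all-zero placeholder and the digest line; installed as `.git/hooks/pre-commit` and invoked with `--staged`, a non-zero exit blocks the commit. This is a client-side guard only: once a push has landed on a public host, assume the key is burned and rotate it rather than rely on force-pushing history away.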
Sayrus, 11 months ago
> When a community member inquired about how long it took for the funds to be drained, the Web3 founder responded that it took just two minutes for someone to withdraw the funds.

The public events API is delayed by 5 minutes [1]. Unless someone was actively scraping his profile rather than doing large scans on GitHub, this is not possible.

[1] https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28#list-public-events
npsomaratna, 11 months ago
Genuine question here: isn’t it a standard security practice to avoid committing keys (or other secrets) to repos?

Edit: and what’s the best practice here? Is it using a key management system of some sort? (I’m thinking of scenarios where you might need to deploy your code + secrets on a remote server, say to authenticate with a third party API)
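An added example for the question above (written for this page, not code from the thread or from any named project): the secret is injected by the deploy host or a secret manager through the environment, or read from a file that lives outside the working tree and is readable only by its owner, and it is validated before use. The variable name `DEPLOYER_KEY`, the directory layout, and both sample keys are assumptions made up for illustration.

```python
"""Load a deployment secret from outside the repository and sanity-check it.
Added example; names and sample values are assumptions, not any project's."""
import os
import re
import stat
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")


class SecretError(RuntimeError):
    """Raised when a secret is missing, exposed or unacceptable."""


def _inside(path, root):
    """True if path resolves to somewhere under root."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def load_secret(name, env=None, secret_dir=None, repo_root=None):
    """Return the secret called `name`.

    Lookup order: process environment (populated by the deploy host or a
    secret manager), then the file <secret_dir>/<name>. That file must not
    be inside repo_root, so it can never be committed, and must be mode 0600.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value.strip()
    if secret_dir is None:
        raise SecretError(f"{name}: not in environment and no secret_dir given")
    path = Path(secret_dir) / name
    if repo_root is not None and _inside(path, Path(repo_root)):
        raise SecretError(f"{name}: refusing to read {path}, it is inside the repository")
    try:
        st = path.stat()
    except FileNotFoundError:
        raise SecretError(f"{name}: {path} does not exist") from None
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{name}: {path} has mode {oct(st.st_mode & 0o777)}, expected 0600")
    return path.read_text().strip()


def validate_eth_key(value, known_dev_keys=frozenset()):
    """Reject keys of the wrong shape, the all-zero placeholder, and anything
    on a caller-supplied deny list of shared development-toolchain keys
    (the list is a parameter; no real key is embedded here)."""
    if not HEX64.match(value):
        raise SecretError("key is not 32 bytes of hex")
    raw = value.lower()[-64:]
    if set(raw) == {"0"}:
        raise SecretError("key is the all-zero placeholder")
    if raw in known_dev_keys:
        raise SecretError("key is a shared development key; never fund it on mainnet")
    return "0x" + raw


# Constructed sample values, not real keys.
SAMPLE_KEY = "0x4f3c2b8e9d1a7c6f5e0b2d4a8c7f1e3b9d6a5c4e2f0b8d7a3c1e9f6b5d4a2c8e"
FAKE_DEV_KEY = "0x" + "ab" * 32


def _outcome(fn):
    try:
        fn()
        return "allowed"
    except SecretError:
        return "refused"


def demo():
    """Exercise the loader on a constructed layout in a temporary directory
    and return what happened in each case."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        repo, secrets = tmp / "repo", tmp / "secrets"
        repo.mkdir()
        secrets.mkdir()
        # 1. the environment wins when it is set
        out["env"] = load_secret("DEPLOYER_KEY", env={"DEPLOYER_KEY": SAMPLE_KEY}) == SAMPLE_KEY
        # 2. a 0600 file outside the work tree is accepted and validates
        f = secrets / "DEPLOYER_KEY"
        f.write_text(SAMPLE_KEY + "\n")
        f.chmod(0o600)
        out["file"] = validate_eth_key(
            load_secret("DEPLOYER_KEY", env={}, secret_dir=secrets, repo_root=repo)) == SAMPLE_KEY
        # 3. a group/world-readable file is refused
        g = secrets / "LOOSE_KEY"
        g.write_text(SAMPLE_KEY)
        g.chmod(0o644)
        out["loose"] = _outcome(lambda: load_secret("LOOSE_KEY", env={}, secret_dir=secrets, repo_root=repo))
        # 4. a file inside the work tree is refused even at mode 0600
        h = repo / "IN_REPO_KEY"
        h.write_text(SAMPLE_KEY)
        h.chmod(0o600)
        out["in_repo"] = _outcome(lambda: load_secret("IN_REPO_KEY", env={}, secret_dir=repo, repo_root=repo))
        # 5. the validator refuses deny-listed and placeholder keys
        out["dev_key"] = _outcome(lambda: validate_eth_key(FAKE_DEV_KEY, known_dev_keys={FAKE_DEV_KEY[2:]}))
        out["zero_key"] = _outcome(lambda: validate_eth_key("0x" + "0" * 64))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The environment path is how a CI runner or a secret manager's agent normally hands a credential to a process; the file path covers a long-running server where the key was provisioned out of band. Either way nothing secret sits under the repository root, and the permission and deny-list checks fail closed rather than warn.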
vouaobrasil, 11 months ago
The real tragedy here is not that he lost $40K, but that crypto is the controversy generator that is part of the bread and butter of mass media, which in turn is a large part of the reason why cryptocurrencies have value in the first place. The loss of $40K didn't just happen due to this developer's mistake, but also because he was able to store $40K in crypto in the first place, and that partially happened because of people like us, reading this news story.
Joel_Mckay, 11 months ago
It is a sad day when someone loses imaginary fiat money tokens to someone lower on a Ponzi scheme.

https://git-scm.com/docs/gitignore

And I see most professional senior devs training juniors to be more helpful... It is always a blessing to see that perpetual look of terror subside when people finally understand what they should be doing.

A company's attrition rate is a reflection of hiring, training, and project management skills. If you have an IT culture problem, then it will manifest in the high-stress areas first, i.e. you are likely not going to survive as a business beyond 3 years.

Happy investing, and I hope someone returns his gambling chips. =)
KyleOneill, 11 months ago
I don't know about anyone else here but if I had 40k laying around in Cryptocurrency I would have taken some of that and bought a MacBook Pro that didn't have my personal information on it for coding, for a start.
classified, 11 months ago
> a memecoin coded using the artificial intelligence chatbot has already found success within the crypto space.

So you can still offer any random shitcoin and make money with it. Seriously, I've got the wrong job.
chmod775, 11 months ago
Some cryptocurrency isn't a safe store of value to begin with, so he was probably ready to lose that at any moment anyway. Worse way than most to lose it, but he doesn't sound too bummed out.
brap, 11 months ago
> Web3

We’re still doing that?
chx, 11 months ago
This is your reminder that every crypto"currency" using a transaction fee is fundamentally a scam and everything that is happening using them is merely hype to get you involved in them.
ZaraHabib, 11 months ago
hackerone975 @ gmail com is your solution when your phone falls victim to hacking. With their expertise in data recovery and advanced detection techniques, they provide a reliable and efficient service to help you regain control of your device and secure your personal information. In today's digital age, our smartphones hold a plethora of personal and sensitive information, making phone security a top priority. From financial details to personal photos, the data we store on our phones can be valuable and vulnerable. Protecting it from hackers is crucial to maintaining our privacy and preventing potential loss or misuse of our information. hackerone975 @ gmail com is a trusted firm to ensure that you are saved from hackers who are out there to steal
Mmskynettio, 11 months ago
But but but Crypto will change the world?! And everyone should have their private wallet? And who cares about recovering your funds because every one of us will be handling private data / secrets (like passwords or keys) perfectly, always!111

Cryptobros telling you never to use an exchange due to FTX and other examples, also it's super easy to use...

What stupidity