fix: add security warning for raw PRIVATE_KEY usage in launch-token guide#1374
Open
schoolkamsergj wants to merge 1 commit intobase:masterfrom
…uide
The launch-token guide used vm.envUint("PRIVATE_KEY") without any
security warning, while the deploy-smart-contracts guide explicitly
recommends cast wallet import (keystore) as the safer approach.
Added a Warning callout before the .env configuration block to:
- Alert developers that raw PRIVATE_KEY in .env is for local/testing only
- Recommend cast wallet import for production deployments
- Link to the deploy-smart-contracts guide for the secure approach
Fixes base#1357
Jhosepin (Collaborator) approved these changes on May 2, 2026.

Heimdall Review Status: Review Error for Jhosepin @ 2026-05-02 00:35:39 UTC

Jhosepin (Collaborator) commented:

Thanks for picking this up! I'd also suggest mentioning in the note that .env files should be added to .gitignore to prevent accidental key commits — might be worth adding while this is open.
Summary

Fixes #1357

The `launch-token` guide used `vm.envUint("PRIVATE_KEY")` to load a private key directly from a `.env` file, but provided no security warning about the risks — while the `deploy-smart-contracts` guide on the same site explicitly recommends `cast wallet import deployer --interactive` as the safer approach and warns: "Never share or commit your private key." This inconsistency could lead developers (especially those new to Foundry) to accidentally expose their private keys in local `.env` files or commit them to version control.

Changes

Added a `<Warning>` callout directly before the `.env` configuration block in `docs/get-started/launch-token.mdx`:
- The raw `PRIVATE_KEY` approach is for local development and testing only
- Never commit `.env` or share the private key
- Links to the `deploy-smart-contracts` guide for the recommended `cast wallet import` keystore approach

Why this matters

Both guides are in the same `get-started` section and developers often follow them together. Without this warning, a developer could reasonably assume the raw env var approach is acceptable for production — leading to potential key exposure.

This is a minimal, targeted fix that resolves the inconsistency without rewriting either guide.
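An added example, not part of this PR or the Base docs, that turns the concerns raised in the description and in the reviewer's `.gitignore` suggestion into a check a team can run on a checkout before committing; the repository layout, file names and the sample values are assumptions:

```shell
#!/bin/sh
# Added example, not code from the PR or the Base docs. It checks a checkout for
# the hazards discussed above: a raw PRIVATE_KEY kept in .env, a .env that
# .gitignore does not list, and Foundry scripts that read the key from the
# environment. Returns 0 when clean, 1 when there are findings.
check_key_hygiene() {
  repo="$1"
  findings=0
  if [ -f "$repo/.env" ]; then
    # A .env that git does not ignore can be committed by accident
    if ! grep -qx '\.env' "$repo/.gitignore" 2>/dev/null; then
      echo "FINDING: $repo/.env exists but .gitignore does not list .env"
      findings=$((findings + 1))
    fi
    # A plaintext key in .env is for local development and testing only
    if grep -q '^PRIVATE_KEY=' "$repo/.env"; then
      echo "FINDING: raw PRIVATE_KEY in .env; for production use a keystore (cast wallet import deployer --interactive)"
      findings=$((findings + 1))
    fi
  fi
  # Foundry scripts that load the key via vm.envUint (paths without spaces assumed)
  for f in $(find "$repo" -name '*.s.sol' 2>/dev/null); do
    if grep -q 'vm.envUint("PRIVATE_KEY")' "$f"; then
      echo "FINDING: $f reads PRIVATE_KEY from the environment; prefer forge script --account <keystore>"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample checkout that reproduces the risky setup (dummy values only)
make_risky_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/script"
  printf 'PRIVATE_KEY=0xPLACEHOLDER_NOT_A_REAL_KEY\n' > "$dir/.env"
  printf 'node_modules\n' > "$dir/.gitignore"
  printf 'uint256 pk = vm.envUint("PRIVATE_KEY");\n' > "$dir/script/Deploy.s.sol"
  echo "$dir"
}
```

The checks are plain string matches, so a `.gitignore` that ignores `.env` through a glob such as `*.env` is reported as a finding; adjust the pattern to your repository's convention.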