Skip to content

Fix: Replace unsafe mnemonic fallback with secure random generation #11644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Sep 15, 2025
Merged

Fix: Replace unsafe mnemonic fallback with secure random generation #11644

merged 4 commits into from
Sep 15, 2025

Conversation

viktorking7
Copy link
Contributor

Description

Security Issue Fixed: Removed silent fallback to the well-known test mnemonic "test test test test test test test test test test test junk" when invalid word count is provided to --mnemonic-random.

Problem

When users specified an invalid word count (e.g., anvil --mnemonic-random 13), the code would silently fall back to DEFAULT_MNEMONIC, which is a publicly known test phrase. This created a security risk where users might unknowingly use predictable, insecure accounts.

Solution

  • Added warning logging when invalid word count is detected
  • Generate secure random 12-word mnemonic as fallback instead of using the test phrase
  • Preserve user intent of having a random mnemonic while ensuring security

onbjerg
onbjerg requested changes Sep 15, 2025
View reviewed changes
crates/anvil/src/cmd.rs Outdated
Ok(mnemonic) => mnemonic.to_phrase(),
Err(_) => DEFAULT_MNEMONIC.to_string(),
Err(err) => {
warn!(target: "node", ?count, %err, "invalid mnemonic word count, falling back to 12-word random mnemonic");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this error message is not correct, it might also be that the word is not in the dictionary

viktorking7 and others added 2 commits September 15, 2025 14:02
@viktorking7 @onbjerg
Update crates/anvil/src/cmd.rs
0ec2dc5 
Co-authored-by: onbjerg <onbjerg@users.noreply.github.com>
@viktorking7
Update cmd.rs
6e76e22
@viktorking7 viktorking7 requested a review from onbjerg September 15, 2025 12:05
@onbjerg onbjerg self-assigned this Sep 15, 2025
onbjerg
onbjerg requested changes Sep 15, 2025
View reviewed changes
Copy link
Contributor

@onbjerg onbjerg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

last stretch, please format the code using rustfmt :)

@viktorking7 viktorking7 requested a review from onbjerg September 15, 2025 13:44
@onbjerg onbjerg merged commit 6efb240 into foundry-rs:master Sep 15, 2025
25 checks passed
@github-project-automation github-project-automation bot moved this to Done in Foundry Sep 15, 2025
MerkleBoy pushed a commit to MerkleBoy/foundry that referenced this pull request Sep 17, 2025
@viktorking7 @onbjerg @MerkleBoy
fix: Replace unsafe mnemonic fallback with secure random generation (f…
f249f0f 
…oundry-rs#11644)

* Update cmd.rs

* Update crates/anvil/src/cmd.rs

Co-authored-by: onbjerg <onbjerg@users.noreply.github.com>

* Update cmd.rs

* Update cmd.rs

---------

Co-authored-by: onbjerg <onbjerg@users.noreply.github.com>
@grandizzy grandizzy moved this from Done to Completed in Foundry Sep 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@onbjerg onbjerg onbjerg approved these changes

@DaniPopes DaniPopes Awaiting requested review from DaniPopes DaniPopes is a code owner

@klkvr klkvr Awaiting requested review from klkvr

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@grandizzy grandizzy Awaiting requested review from grandizzy grandizzy is a code owner

@yash-atreya yash-atreya Awaiting requested review from yash-atreya yash-atreya is a code owner

@zerosnacks zerosnacks Awaiting requested review from zerosnacks zerosnacks is a code owner

@0xrusowsky 0xrusowsky Awaiting requested review from 0xrusowsky 0xrusowsky is a code owner

Assignees

@onbjerg onbjerg

Labels
None yet
Projects
Foundry
Status: Completed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@viktorking7 @onbjerg