Hardcoded Development Addresses in Move.toml Can Lead to Misconfiguration and Predictable Deployment
Hardcoded Development Addresses in Move.toml Can Lead to Misconfiguration and Predictable Deployment
Description
-
Normally, module and dev addresses should be configurable and environment-specific.
-
In this
move.toml, development addresses are hardcoded, which can reveal predictable module or account locations and may cause misconfiguration if deployed in a production. These values can be easy retrieve once deployed on chain.
Risk
Likelihood: Medium
-
Test or development addresses are used in code pushed to repositories or accidentally deployed.
-
External parties can discover predictable addresses and perform reconnaissance.
Impact: Low
Can facilitate chain scanning and early reconnaissance
Proof of Concept
Observing the Move.toml file, an auditor can directly see:
Recommended Mitigation
It is recommended to avoid hardcoding development addresses. Instead, use placeholders or environment-specific configurations to prevent accidental exposure or misuse.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.