This document outlines the security improvements made to prevent hardcoded private keys in the Hardhat configuration.

Previous Issue: The hardhat.config.js file contained a hardcoded private key:

0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80

This is a well-known Hardhat default account that poses significant security risks:

• Exposure: Anyone with access to the codebase can extract this private key
• Fund Risk: If real funds are sent to this address, they can be stolen
• Reproducibility: The same key across all environments creates predictable attack vectors

• No Hardcoded Keys: Eliminated all static private keys from configuration
• Conditional Logic: Use environment variable if present, otherwise empty array
• Hardhat Defaults: Leverages Hardhat's built-in test accounts for localhost

// Dynamic fallback for CI/CD if needed
const { ethers } = require("ethers");
const fallbackKey = process.env.PRIVATE_KEY || ethers.Wallet.createRandom().privateKey;

// Network configuration
accounts: process.env.PRIVATE_KEY ? [process.env.PRIVATE_KEY] : []

• Localhost: Uses Hardhat's default 20 test accounts automatically
• External Networks: Requires explicit PRIVATE_KEY environment variable
• CI/CD: Can optionally use generated random keys for external network testing

// Polygon Mumbai Testnet
mumbai: {
  url: process.env.INFURA_URL || "https://polygon-mumbai.infura.io/v3/YOUR_PROJECT_ID",
  accounts: process.env.PRIVATE_KEY ? [process.env.PRIVATE_KEY] : [],
  gasPrice: 20000000000,
  gas: 6000000
}

• Zero Hardcoded Values: No private keys in the codebase
• Environment Dependent: Requires explicit configuration for external networks
• Fail-Safe: Empty accounts array prevents accidental transactions
• Hardhat Compliant: Follows Hardhat best practices

1. Localhost Testing (No setup required):

   npx hardhat node  # Uses default test accounts
   npx hardhat test  # Works automatically

2. External Network Testing:

   # Create .env file
   PRIVATE_KEY=your_generated_private_key_here
   INFURA_URL=your_infura_url_here
   
   # Test on external network
   npx hardhat run scripts/deploy.js --network mumbai

1. Repository Secrets: Store PRIVATE_KEY as a repository secret
2. Environment Variables: Inject during CI/CD runs
3. Optional Fallback: Can use generated keys for compilation-only testing

# Option 1: Use Hardhat node (shows test accounts)
npx hardhat node

# Option 2: Generate new wallet
npx hardhat console
> const wallet = ethers.Wallet.createRandom();
> console.log(wallet.privateKey);
> console.log(wallet.address);

# Search for potential private keys
grep -r "0x[a-fA-F0-9]{64}" . --exclude-dir=node_modules
# Should return no results in hardhat.config.js

# Test without PRIVATE_KEY (should work for localhost)
npx hardhat compile

# Test with PRIVATE_KEY (should work for all networks)
PRIVATE_KEY=0x... npx hardhat compile

• Use environment variables for all private keys
• Generate unique keys for each environment
• Use repository secrets for CI/CD
• Test on testnets before mainnet deployment
• Use Hardhat's default accounts for local development

• Commit private keys to version control
• Use the same key across environments
• Share private keys in plain text
• Use testnet keys with real funds
• Hardcode private keys in configuration files

# Required for external network testing
PRIVATE_KEY=0x1111111111111111111111111111111111111111111111111111111111111111
INFURA_URL=https://polygon-mumbai.infura.io/v3/your_project_id
POLYGONSCAN_API_KEY=your_api_key_here

# GitHub Actions example
env:
  PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
  INFURA_URL: ${{ secrets.INFURA_URL }}

• Never use real funds with test-generated keys
• Always verify network before transactions
• Rotate keys periodically for production
• Monitor for unauthorized access

• Localhost: Automatically provides 20 test accounts with 1000 ETH each
• External Networks: Requires explicit private key configuration
• Empty Accounts: Prevents accidental deployments without proper keys

If you discover any security vulnerabilities:

1. Do NOT create a public issue
2. Email: security@cropchain.dev
3. Include: Detailed description and reproduction steps
4. Response: We'll acknowledge within 48 hours

Remember: Security is everyone's responsibility. This configuration eliminates hardcoded keys while maintaining full functionality for development and testing.