It is common practice for DApp developers to import account keys from Truffle TestRPC into MetaMask while they are developing user interfaces that interact with their smart contracts. This is a great way to simulate user experience and workflow while developing against a TestRPC or a test EVM. Unfortunately, it is also a quick and efficient way to lose real-world ETH.

While my team was converting a web3-enabled React component into a WordPress plugin, one of my teammates, let's call him Brian to protect the innocent, started freaking out because Etherscan.io was showing a whole bunch of transactions taking place on his Rinkeby account. It turned out he was looking at the transaction history for 0x627306090abab3a6e1400e9345bc60c78a8bef57. If that address looks familiar, that’s because it’s Accounts(0) when you run Truffle Develop.

It never occurred to any of us before that the same private keys would create the same addresses on every network. In practice we would import the private key for the address we were working with into MetaMask and assign it a name like TruffleDev0 or MewRinkeby0. Then, when we switched provider from localhost to Rinkeby Test Network, we would switch addresses as well. This was the first time one of us forgot to switch accounts in MetaMask to reflect the change in web3 provider.
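One way to catch exactly this mistake in a DApp front end is to refuse to sign from a well-known development account whenever the connected network is a public one. The following is an added example (not code from the original post or from Truffle/MetaMask); it assumes the front end can read the active chainId and the selected account, and the only address it knows is the Truffle Develop Accounts(0) address quoted above, so you would extend the list with your own development accounts.

```javascript
// Addresses generated by shared development seeds. The same private key yields
// the same address on every network, so the address alone identifies the risk.
const KNOWN_DEV_ADDRESSES = new Set([
  '0x627306090abab3a6e1400e9345bc60c78a8bef57', // Truffle Develop Accounts(0), from the post
  // ...add your other imported development accounts here (assumption: you know them)
]);

// Public networks where a leaked key means real or publicly visible loss.
// chainId 1 = Ethereum main net, 4 = Rinkeby (the two networks discussed in the post).
const PUBLIC_CHAIN_IDS = new Map([
  [1, 'Ethereum Main Network'],
  [4, 'Rinkeby Test Network'],
]);

// Normalize to lowercase so checksummed and non-checksummed forms compare equal.
function normalizeAddress(address) {
  if (typeof address !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(address)) {
    throw new Error(`not a 20-byte hex address: ${address}`);
  }
  return address.toLowerCase();
}

// Returns { ok, reason }. The network is consulted only to decide whether the
// exposure matters; local/unknown chain ids are treated as development networks.
function checkAccount(address, chainId) {
  const addr = normalizeAddress(address);
  const network = PUBLIC_CHAIN_IDS.get(Number(chainId));
  if (network !== undefined && KNOWN_DEV_ADDRESSES.has(addr)) {
    return {
      ok: false,
      reason: `${addr} is a well-known development account; refusing to use it on ${network}`,
    };
  }
  return { ok: true, reason: network !== undefined ? network : 'local/development network' };
}

// Wrap whatever function actually submits a transaction so the guard runs first.
// sendTransaction is a hypothetical stand-in for your web3/MetaMask send call.
function guardedSend(sendTransaction, chainId) {
  return function (tx) {
    const verdict = checkAccount(tx.from, chainId);
    if (!verdict.ok) throw new Error(verdict.reason);
    return sendTransaction(tx);
  };
}
```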

Here are the notes Brian wrote describing how he discovered the vulnerability:

Exploit we found

1. ran truffle dev

2. MetaMask imported using truffle dev seed phrase or private keys

3. THEN connected to networks other than local using the same MetaMask account

What that did:

Created the same wallets (with the same private keys) on each network I connected to

How we found it:

MetaMask didn’t show other people’s transactions

When we went to Etherscan, noticed a bunch of transactions we didn’t initiate

Exploit:

Everyone that runs truffle dev knows those private keys

So, when I connected to live net, every other Ethereum developer had access to real funds

Having realised that the Truffle private keys worked on Rinkeby, we switched providers over to Main Ethereum Network and hit the “View account on Etherscan” button. It turns out that since the deployment of Truffle 4.0, Accounts(0) has been very active on the main net. At the time of this writing there have been 378 transactions representing about ten thousand dollars in value passing through a completely open address.