BLS keystore password is stored as plaintext
Description
The ERC-2335 BLS keystore implementation in Babylon stores the keystore password in plaintext in a file on the machine running the validator node.
// Save saves the bls12381 key to the file.
// The file stores an erc2335 structure containing the encrypted bls private key.
func (k *BlsKey) Save(password string) {
	// [ ... ]
	// write generated erc2335 keystore to file
	if err := tempfile.WriteFileAtomic(k.filePath, jsonBytes, 0600); err != nil {
		panic(fmt.Errorf("failed to write BLS key: %w", err))
	}
	// save used password to file (written as plaintext, next to the encrypted keystore it unlocks)
	if err := tempfile.WriteFileAtomic(k.passwordPath, []byte(password), 0600); err != nil {
		panic(fmt.Errorf("failed to write BLS password: %w", err))
	}
}
Impact
Storing passwords in plaintext files is not a standard practice. Ideally, passwords should be stored in a password manager, or a hardware authentication device such as a YubiKey should be used for this purpose.
The likelihood of the password and keystore files being leaked or stolen is low, but it is not completely out of the question. Therefore, we've given the finding a high severity with a medium impact.
Recommendations
Don't store the BLS keystore password in a plaintext file. Use a password manager, a hardware authentication device, or another equivalent form of password storage instead.
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 7de1a748. The password is now written to a file only when it is not provided through an environment variable (which allows it to be supplied through integration with secret management APIs).
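The pattern the remediation describes, as an added example that is not Babylon's code and does not reproduce commit 7de1a748: the password is persisted only as a fallback when the environment does not supply it, and the loader checks the environment first. The variable name BLS_PASSWORD, the blsKeystore type, and the local writeFileAtomic helper (a stand-in for the tempfile.WriteFileAtomic call in the finding) are all assumptions made for this illustration; the environment lookup is passed in as a function so the two paths can be exercised without mutating the process environment.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// passwordEnvVar is an assumed name used only for this illustration; the page
// does not state which variable Babylon reads after the fix.
const passwordEnvVar = "BLS_PASSWORD"

// blsKeystore is a cut-down stand-in for the BlsKey type in the finding.
type blsKeystore struct {
	keyPath      string // erc2335 keystore JSON (encrypted key material)
	passwordPath string // plaintext password file, written only as a fallback
}

// savePassword persists the password to disk only when the operator did not
// supply it through the environment. It reports whether a file was written.
// lookupEnv is injected (normally os.LookupEnv) to keep the function testable.
func (k *blsKeystore) savePassword(password string, lookupEnv func(string) (string, bool)) (bool, error) {
	if _, ok := lookupEnv(passwordEnvVar); ok {
		// Password comes from the environment (for example injected by a
		// secret manager at start-up): nothing needs to touch the filesystem.
		return false, nil
	}
	if err := writeFileAtomic(k.passwordPath, []byte(password), 0o600); err != nil {
		return false, fmt.Errorf("failed to write BLS password: %w", err)
	}
	return true, nil
}

// loadPassword prefers the environment and falls back to the password file,
// returning an actionable error when neither source is available.
func (k *blsKeystore) loadPassword(lookupEnv func(string) (string, bool)) (string, error) {
	if p, ok := lookupEnv(passwordEnvVar); ok && p != "" {
		return p, nil
	}
	data, err := os.ReadFile(k.passwordPath)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return "", fmt.Errorf("no BLS password: set %s or provide %s", passwordEnvVar, k.passwordPath)
		}
		return "", err
	}
	return string(data), nil
}

// writeFileAtomic mimics tempfile.WriteFileAtomic from the finding: write to a
// temporary file in the target directory with the requested mode, then rename
// it into place so readers never observe a partially written file.
func writeFileAtomic(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	cleanup := func(e error) error {
		tmp.Close()
		os.Remove(tmpName)
		return e
	}
	if _, err := tmp.Write(data); err != nil {
		return cleanup(err)
	}
	if err := tmp.Chmod(perm); err != nil {
		return cleanup(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, path)
}

func main() {
	dir, err := os.MkdirTemp("", "bls-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	k := &blsKeystore{
		keyPath:      filepath.Join(dir, "bls_key.json"),
		passwordPath: filepath.Join(dir, "bls_password.txt"),
	}
	// "example-password" is a constructed value for the demonstration only.
	written, err := k.savePassword("example-password", os.LookupEnv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("password file written: %v (set %s to avoid it)\n", written, passwordEnvVar)
}
```

Running the binary with BLS_PASSWORD exported leaves no password file behind; running it without the variable falls back to the 0600 file, which is the behaviour the finding originally flagged and which the fix turns into an opt-in fallback rather than the default.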