Category: Coding Mistakes
The test keyring backend is used
Medium Severity
Low Impact
Low Likelihood
Description
The stakerd daemon requires a key pair with Babylon tokens to pay for various transactions. This keypair is stored on disk using the keyring implementation from the Cosmos SDK.
However, the default settings for stakerd and staker-cli use the test keyring backend, which insecurely stores keys to disk, encrypted with the password "test".
The keyring documentation states that this backend should only be used for testing purposes.
Impact
The stakerd key pair is stored insecurely on disk.
If an attacker were able to steal the keyring information, they would be able to decrypt the key pair.
Recommendations
Change the default keyring backend.
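As an added illustration of enforcing this recommendation at startup (example code written for this write-up, not part of stakerd or staker-cli), the following Go snippet reads a keyring backend name from a minimal TOML-style config fragment and refuses to proceed when the backend is "test" unless an explicit opt-in flag is set. The config key name `keyring-backend`, the `[babylonconfig]` section, and the flag name are assumptions; the backend identifiers (`os`, `file`, `pass`, `kwallet`, `test`) are the standard Cosmos SDK keyring backend names.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Backends that protect the key with an OS keychain, a user-chosen passphrase,
// or an external password manager. Names match the Cosmos SDK keyring backends.
var secureBackends = map[string]bool{
	"os":      true,
	"file":    true,
	"pass":    true,
	"kwallet": true,
}

// The Cosmos SDK "test" backend encrypts keys on disk under a fixed, well-known
// password and is meant only for development and automated tests.
const insecureBackend = "test"

// sampleConfig is a constructed fragment for this example; the real stakerd
// config layout and key names may differ.
const sampleConfig = `# constructed sample config (assumed layout)
[babylonconfig]
keyring-backend = "test"
`

// ParseKeyringBackend scans a minimal key = "value" style config for the
// keyring-backend key (assumed name) and returns its value and whether it was found.
func ParseKeyringBackend(config string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "[") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if strings.TrimSpace(key) == "keyring-backend" {
			return strings.Trim(strings.TrimSpace(val), `"`), true
		}
	}
	return "", false
}

// ValidateKeyringBackend returns an error when a daemon would start with an
// unset, unknown, or insecure keyring backend. allowInsecure is an explicit
// opt-in (e.g. a hypothetical --allow-insecure-keyring flag) for local testing;
// production deployments should never set it.
func ValidateKeyringBackend(backend string, allowInsecure bool) error {
	switch {
	case backend == "":
		return errors.New(`keyring backend not set; expected "os" or "file"`)
	case backend == insecureBackend && !allowInsecure:
		return fmt.Errorf("keyring backend %q stores keys under a fixed password; refusing to start", backend)
	case backend == insecureBackend:
		return nil // explicitly opted in for testing
	case secureBackends[backend]:
		return nil
	default:
		return fmt.Errorf("unknown keyring backend %q", backend)
	}
}

func main() {
	backend, _ := ParseKeyringBackend(sampleConfig)
	if err := ValidateKeyringBackend(backend, false); err != nil {
		fmt.Fprintln(os.Stderr, "startup check failed:", err)
		os.Exit(1)
	}
	fmt.Println("keyring backend", backend, "accepted")
}
```

Wiring such a check into the daemon's startup path makes the "test" backend a deliberate choice rather than a silent default, which is the failure mode this finding describes.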
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 7de1a748.