Description

The stakerd daemon requires a key pair with Babylon tokens to pay for various transactions. This keypair is stored on disk using the keyring implementation from the Cosmos SDK.

However, the default settings for stakerd and staker-cli use the test keyring backend, which insecurely stores keys to disk, encrypted with the password "test".

The keyring documentation states that this backend should only be used for testing purposes.

Impact

The stakerd key pair is stored insecurely on disk.

If an attacker were able to steal the keyring information, they would be able to decrypt the key pair.

Recommendations

Change the default keyring backend.

Remediation

This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 7de1a748↗.