Thank you to The Red Guild for inspiring this post.
Picture any one of these scenarios.
forge test.npm install.npm update, forge install, or mox install.Well, guess what? If you didn’t take the proper precautions, you’ve just been hacked.
In this blog post, we’ll explore how isolated development environments, particularly using Docker containers, can significantly reduce your risk of falling victim to these kinds of threats.
According to Chainalysis, private key leaks were the most popular attacks in 2024.
There are many ways private key leaks can happen, but for developers and security researchers, the easiest way for such an attack to happen is by running unvetted code. In all three scenarios we gave above (all three also happened in 2024), they all had this issue in common.
Running your code on your host machine gives that code access to your entire machine.
This is the issue.
One of these private key attacks was a supply chain attack, where the @solana/web3.js package had malware injected into it. When you updated your packages to the malicious version, it would look through your entire machine for potential private keys, connect to the blockchain, and then send your crypto to another wallet!
You can read more about the attack here.
This would have been as simple as running npm update and npm run, and you’d be finished! So, as developers and security experts, we can help protect ourselves by running our code in an isolated development environment.
While it's impossible to eliminate all risks in software development, there are a few tools we can use to mitigate potential issues:
At Cyfrin, we are big fans of Docker containers, as they are lightweight and developer-friendly environments that most developers should be able to set up without interrupting their flow.
Docker containers are portable environments that encapsulate your application’s code along with all its dependencies. This means you can run your application in a controlled setting without affecting your host machine. Let’s break down how Docker works:
You can think of a docker container as being a self-contained machine inside of your machine.
To help developers set up a project that has most of the tools they need already installed, we’ve created the web3-dev-containers repo. It helps users set up an isolated environment.
View the quickstart to get set up with a VSCode-based docker container (called a dev container) so you can run your scripts with an extra layer of safety! This repo will:
foundry or moccasin libraries already installedFor security researchers:
You should always run client code in a developer container! There have been many attacks where a client asks an auditor to audit some code, and they put malicious code into the audit repo, hacking the auditor's machine.
AIs like Claude and ChatGPT are really good at docker containers. Give them the repo files as context and ask them questions about what’s going on in the files!
While Docker helps isolate your development environment, it's essential to follow best practices to maximize security:
Though running applications in isolated environments significantly reduces risk, it's crucial to remain aware of potential security implications. For example:
It’s important to understand the potential security concerns, as no solution will ever be 100% foolproof.
In summary, the key to minimizing your risk of cyber attacks lies in understanding the threats and implementing security practices. By utilizing Docker containers and following best practices, you can create isolated development environments that protect your sensitive information and reduce the likelihood of falling victim to malicious attacks.
Stay safe out there, and remember, while no system is entirely foolproof, informed practices can significantly enhance your security posture!
For further reading on protecting your development environment, check out resources from the Red Guild blog and the GitHub repository for web3 Dev containers.
