Multiple Local Private Keys Hardcoded in .env.ci
Multiple private keys (Solana, Ethereum) committed in plaintext to the repository's CI env file. Accepted as test fixtures: EVM keys are Anvil default-mnemonic accounts and every `_LOCAL_PRIVATE_KEY` binds only to faker/simulator services.
Description
The CI environment file, which is committed to the repository and therefore present in the full Git history, contains multiple private keys in plaintext.
While labeled "local", if any of these keys correspond to wallets used in shared environments, or if they control any on-chain assets (even testnet), the risk is immediate.
FREE_MINTS_LOCAL_PRIVATE_KEY : Solana wallet private key (Base58, 64 bytes)
PM_SOLANA_AUTHORITY_LOCAL_PRIVATE_KEY : Solana PM authority key
PM_EVM_FAKER_LOCAL_PRIVATE_KEY (value 0x7c852118...) : Ethereum private key
POLYMARKET_ORDER_FAKER_LOCAL_PRIVATE_KEY (value 0x47e179ec...) : Ethereum private key
PRICE_SIMULATOR_LOCAL_PRIVATE_KEY : Solana key
DFLOW_ORDER_FAKER_LOCAL_PRIVATE_KEY : Solana key
PM_FAKER_LOCAL_PRIVATE_KEY : Solana key
This finding records the presence of the keys regardless of how they are used, which is why it is rated INFO.
Impact
Complete key compromise for all accounts listed. If any of these wallets hold assets or have signing authority in any non-fully-isolated environment, funds and signed data are at risk.
Recommendation
Remove all private key material from .env.ci immediately.
Add gitleaks or truffleHog as a mandatory pre-commit hook and CI gate. The repository already has .gitleaks.toml, but CI enforcement appears absent.
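As an added illustration of the kind of CI gate recommended here (not the repository's own tooling, and no substitute for gitleaks), the following check scans a .env file for values shaped like raw private keys: 0x-prefixed 32-byte hex values for EVM and Base58 strings that decode to 64 bytes for Solana. It reports only the variable name and a short fingerprint, never the secret itself, and takes an explicit allow-list of fingerprints for fixtures that have been accepted as public. The sample .env content and its key values are constructed for this example.

```python
import re
from dataclasses import dataclass

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
EVM_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")           # 32-byte secp256k1 scalar
B58_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{80,90}$")  # 64 raw bytes -> ~87-88 chars

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw  # leading '1' = zero byte

def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

@dataclass(frozen=True)
class Hit:
    name: str
    kind: str         # "evm" or "solana"
    fingerprint: str  # first 10 chars only; the secret itself is never echoed

def scan_env(text: str, allow: frozenset[str] = frozenset()) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip().strip("\"'")
        fp = value[:10]
        if fp in allow:  # explicitly accepted public fixture (e.g. an Anvil default account)
            continue
        if EVM_RE.match(value):
            hits.append(Hit(name.strip(), "evm", fp))
        elif B58_RE.match(value) and len(b58decode(value)) == 64:
            hits.append(Hit(name.strip(), "solana", fp))
    return hits

# Constructed sample .env content; the values are synthetic, not the repository's.
SAMPLE_ENV = "\n".join([
    "PM_EVM_FAKER_LOCAL_PRIVATE_KEY=0x" + "ab" * 32,
    "PM_FAKER_LOCAL_PRIVATE_KEY=" + b58encode(bytes(range(64))),
    "RPC_URL=http://localhost:8545",
])
```

A CI job would fail the build when `scan_env` returns any hit not covered by the allow-list, mirroring the allowlist that .gitleaks.toml can already express.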
Resolution
Acknowledged by the team and accepted by the auditor as test fixtures with no live secret material. The EVM keys are Anvil default-mnemonic accounts (public to every Foundry/Hardhat install), and every _LOCAL_PRIVATE_KEY binds only to faker / simulator services; the production analogues come from GCP Secret Manager.