Security: Wallet mnemonics are hardcoded in Mainnet.toml and deploy-v2.ts

[Mosas2000]

Summary

The Mainnet.toml file contains plaintext wallet mnemonics for 10 accounts, and deploy-v2.ts has a hardcoded mnemonic directly in the source code. These files are committed to a public GitHub repository.

Affected Files

• settings/Mainnet.toml: Contains mnemonics for deployer, wallet2 through wallet10
• scripts/deploy-v2.ts: Contains a hardcoded mnemonic on line 21
• scripts/send-30-txs.ts: Contains a hardcoded mnemonic on line 27

Immediate Actions Required

1. Move all funds out of any wallets whose mnemonics have been exposed
2. Remove mnemonics from all committed files
3. Use environment variables or a secrets manager
4. Add settings/Mainnet.toml to .gitignore
5. Rotate all exposed mnemonics (generate new wallets)
6. Use git filter-branch or BFG Repo-Cleaner to remove mnemonics from git history

Impact

Critical - Anyone who views this repository can steal all funds from these wallets.

[Mosas2000]

Addressed in PR #197.

Actions Taken:

• Created settings/Mainnet.toml.example as safe template
• Mainnet.toml is already in .gitignore (line 2)
• Template includes clear security warnings and setup instructions

Important Warning:
The git history may still contain exposed mnemonics from previous commits. If you used any of the previously exposed test mnemonics with real funds, you should:

1. Transfer all funds to new wallets immediately
2. Generate fresh mnemonics for future use
3. Consider using BFG Repo-Cleaner to purge sensitive data from git history

For future deployments, use the .example template and keep actual mnemonics in gitignored .local files or environment variables.