Description
Context
https://github.com/evmos/evmos/blob/main/rpc/backend/sign_tx.go, lines 26-29
This is the implementation of eth_sendTransaction.
With keyring-backend test, which is not protected by a password, anyone is able to drain the entire balance of every account managed under keyring-backend test
on the node just by sending a transfer command like this:
await web3.eth.sendTransaction({
    from: validator,            // any account held in the node's keyring (listed by eth_accounts)
    gasPrice: "20000000000",
    gas: "21000",
    to: drainer,                // attacker-controlled address
    value: "100000000000000000",
    data: ""
});
And the list of accounts managed by the node can be retrieved by calling eth_accounts.
The fact is I got drained 10+ times, but I didn't mind about that because most of the time I just set it up to test something and then erase it, so getting drained was not a problem.
10/10 times I got drained by this wallet: 0x071aad74a52f76aec4a4b4fecfc910dbc8fe03f4
(it is well known)
In this GitHub ticket I see they mentioned the allow-insecure-unlock
flag (which I believe does not exist in the current implementation of evmos/ethermint).
So why don't we implement that flag?
Then the balances of test chains stay safe unless the --allow-insecure-unlock flag
is supplied with the start command.
With --allow-insecure-unlock
supplied, unsafe methods like this one become accessible.
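As an added illustration of the gate proposed above (example code, not evmos/ethermint's own), this Go guard refuses eth_sendTransaction unless the --allow-insecure-unlock flag is set, and applies the check to every element of a JSON-RPC batch, not only to single calls. The flag name comes from this report; the Guard type, its method set and the request handling are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// rpcRequest is the part of a JSON-RPC 2.0 request the guard inspects.
type rpcRequest struct {
	Method string `json:"method"`
}

// ErrInsecureSigning: a node-signing method was called without the (hypothetical) flag.
var ErrInsecureSigning = errors.New("node-side signing disabled; start with --allow-insecure-unlock to enable")

// Guard gates RPC methods that sign with keys held in the node's keyring
// (the report's case: keyring-backend test, which has no password).
type Guard struct {
	AllowInsecureUnlock bool            // value of the hypothetical start flag
	SigningMethods      map[string]bool // methods that spend node-held keys
}

// NewGuard builds a guard; the method set is an assumption, seeded with the
// method this report shows being abused.
func NewGuard(allow bool) *Guard {
	return &Guard{AllowInsecureUnlock: allow,
		SigningMethods: map[string]bool{"eth_sendTransaction": true}}
}

// Check inspects a raw request body (single call or JSON-RPC batch) and
// returns nil only if every method in it may be served.
func (g *Guard) Check(body []byte) error {
	body = bytes.TrimSpace(body)
	if !bytes.HasPrefix(body, []byte("[")) { // wrap a single call as a batch of one
		body = append(append([]byte("["), body...), ']')
	}
	var reqs []rpcRequest
	if err := json.Unmarshal(body, &reqs); err != nil {
		return fmt.Errorf("malformed JSON-RPC request: %w", err)
	}
	for _, r := range reqs {
		if g.SigningMethods[r.Method] && !g.AllowInsecureUnlock {
			return ErrInsecureSigning
		}
	}
	return nil
}
```

Read-only methods such as eth_getBalance pass through unchanged, so a node started without the flag still serves normal queries.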