Skip to content

fix: add security warning for raw PRIVATE_KEY usage in launch-token guide #1374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
schoolkamsergj wants to merge 3 commits into
base: master
Choose a base branch
from
Open

fix: add security warning for raw PRIVATE_KEY usage in launch-token guide #1374

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5d666cf
fix: add security warning for raw PRIVATE_KEY usage in launch-token g…
schoolkamsergj May 1, 2026
4aea646
Update warning about .env file and PRIVATE_KEY
schoolkamsergj May 2, 2026
0da74b8
docs: add security warning for PRIVATE_KEY in .env (fixes #1357)
schoolkamsergj May 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 4 additions & 13 deletions docs/get-started/launch-token.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -254,6 +254,10 @@ BASE_MAINNET_RPC_URL=https://mainnet.base.org
BASESCAN_API_KEY=your_basescan_api_key_here
```

<Warning>
**Security:** Never commit your `.env` file to version control. Add `.env` to `.gitignore` immediately after creating it. Storing a raw `PRIVATE_KEY` in `.env` is acceptable for local testing only — **never use this approach for production deployments**. For production, use the keystore method instead: `cast wallet import deployer --interactive`. See the [Deploy Smart Contracts guide](/get-started/deploy-smart-contracts) for the recommended secure approach.
</Warning>

Update `foundry.toml` for Base network configuration:

```toml foundry.toml
Expand Down Expand Up @@ -297,7 +301,6 @@ contract MyTokenTest is Test {
}

function testInitialState() public {
// Verify token was deployed with correct parameters
assertEq(token.name(), "Test Token");
assertEq(token.symbol(), "TEST");
assertEq(token.totalSupply(), INITIAL_SUPPLY);
Expand All @@ -306,36 +309,27 @@ contract MyTokenTest is Test {

function testMinting() public {
uint256 mintAmount = 1000 * 10**18;

// Only owner should be able to mint
vm.prank(owner);
token.mint(user, mintAmount);

assertEq(token.balanceOf(user), mintAmount);
assertEq(token.totalSupply(), INITIAL_SUPPLY + mintAmount);
}

function testBurning() public {
uint256 burnAmount = 1000 * 10**18;

// Owner burns their own tokens
vm.prank(owner);
token.burn(burnAmount);

assertEq(token.balanceOf(owner), INITIAL_SUPPLY - burnAmount);
assertEq(token.totalSupply(), INITIAL_SUPPLY - burnAmount);
}

function testFailMintExceedsMaxSupply() public {
// This test should fail when trying to mint more than max supply
uint256 excessiveAmount = token.MAX_SUPPLY() + 1;

vm.prank(owner);
token.mint(user, excessiveAmount);
}

function testFailUnauthorizedMinting() public {
// This test should fail when non-owner tries to mint
vm.prank(user);
token.mint(user, 1000 * 10**18);
}
Expand All @@ -345,7 +339,6 @@ contract MyTokenTest is Test {
Run your tests:

```bash Terminal
# Run all tests with verbose output
forge test -vv
```

Expand All @@ -354,10 +347,8 @@ forge test -vv
Deploy to Base Sepolia testnet:

```bash Terminal
# Load environment variables
source .env

# Deploy to Base Sepolia with automatic verification
forge script script/DeployToken.s.sol:DeployToken \
--rpc-url base_sepolia \
--broadcast \
Expand Down