jtgi
@jtgi
just had my first wallet drained, lost 20k after making old github code public. made some mistakes:
- the project had an old commit w/ a private key for a wallet i was using on rinkeby
- I unknowingly reused this account in @metamask 1mo ago to trade clankers on base

funds were drained within 10m of making it public
12 replies
7 recasts
47 reactions
adrienne
@adrienne
Holy cow this story is blowing my mind

key was in commit history so missed on a scan

damn, add that to long list of things to check for

When you created the "new" account in metamask, how does it use the same key as the 3 year old one you were using on a testnet? That's the part I'm not familiar with

Really makes me appreciate the risks all you good people take when you share your code publicly

Why isn't there a white hat hacker group that does this better than the bad guys
1 reply
0 recast
0 reaction
jtgi
@jtgi
> how does it use the same key

I used the same seed phrase as my current hot wallet. If you're familiar with HD wallets, they increment an "account index" each time to generate a new account. Metamask and other wallets usually increase the account index 1 by 1 when you hit 'new wallet'. I used that index on an older machine when I generated the dev wallet for quick testing and didn't know it. It was a bit unlucky but mostly sloppy practice tbh.
1 reply
0 recast
1 reaction
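
The gap described in this thread, a key that is gone from the current tree but still sits in an old commit, can be checked before a repository goes public by scanning every commit's patch instead of only the checked-out files. This is an added example, not code from anyone in the thread; the function names, the `DEPLOY_KEY` variable and the sample log are constructed for illustration.

```python
import re
import subprocess

# Shape of a raw 32-byte hex key, optional 0x prefix. Also matches tx hashes
# and other 32-byte values, so every hit needs a manual look.
KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")

def scan_patch_log(log_text):
    """Return (commit, path, redacted) for each added line in `git log -p`
    output that contains a key-shaped string. Full matches are never returned."""
    findings, commit, path = [], "unknown", None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], None
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            for m in KEY_RE.finditer(line):
                findings.append((commit[:8], path, m.group()[:6] + "..."))
    return findings

def scan_repo(repo_dir="."):
    """Scan every commit on every ref, not just the checked-out tree."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, errors="replace", check=True).stdout
    return scan_patch_log(out)

# Constructed sample (abridged `git log -p` output): the key is added in an old
# commit and removed in a later one, so the current tree is clean.
FAKE_KEY = "0x" + "ab12" * 16  # constructed value, not a real key
SAMPLE_LOG = f"""\
commit 2222222222222222222222222222222222222222
    move key to env
diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -1 +1 @@
-const KEY = "{FAKE_KEY}";
+const KEY = process.env.DEPLOY_KEY;
commit 1111111111111111111111111111111111111111
    initial testnet deploy script
diff --git a/config.js b/config.js
--- /dev/null
+++ b/config.js
@@ -0,0 +1 @@
+const KEY = "{FAKE_KEY}";
"""
print(scan_patch_log(SAMPLE_LOG))
```

A hit in any commit means the key should be treated as exposed and the funds moved to a fresh key; deleting the file in a new commit does not remove it from history.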