When a user runs opengradient config init, their Ethereum private key is saved to ~/.opengradient_config.json with default file permissions (typically 644, i.e. readable by all users on the system).
Any other process or user on the same machine can read the private key and drain the wallet.
Impact: full wallet compromise on any shared or multi-user system (servers, university machines, CI environments, WSL, etc.).
Root Cause:
save_og_config() in cli.py opens the file with no explicit permissions, so the mode is whatever the process umask leaves:
    with OG_CONFIG_FILE.open("w") as f:
        json.dump(ctx.obj, f)
One-line fix:
    OG_CONFIG_FILE.chmod(0o600)  # add this after writing