Problem Statement
STELLAR_SECRET_KEY is loaded from an environment variable but is accessible as plaintext via ConfigService throughout the application runtime. If an attacker gains access to the running process (via RCE, memory dump, or logging), they can read the secret key and authorize on-chain transactions.
Evidence
- Backend/src/config/configuration.ts lines 20-22: STELLAR_SECRET_KEY loaded from env, available via ConfigService.get()
- No encryption-at-rest for secrets
Impact
Secrets compromise could lead to unauthorized on-chain transactions, fund loss, or contract manipulation.
Proposed Solution
- Use AWS Secrets Manager or HashiCorp Vault for secret storage
- Retrieve secret at startup and decrypt in memory
- Zero out memory after use where possible
- Add audit logging for secret access (without logging the secret itself)
- Ensure secrets are never logged or exposed in error messages
Technical Requirements
- Secrets must never be logged or serialized
- Memory should be cleared after use (Buffer.alloc or similar)
- Must work with both local dev and production (different secret providers)
- Must handle rotation of secrets gracefully
Acceptance Criteria
- Secret key is not directly logged on startup
- Error messages do not include secret key values
- AWS Secrets Manager integration works in production
- Local .env file works for development
- Memory containing secret is cleared after signing
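The following is an added example written for this issue, not code from the repository or from the Stellar SDK. It shows, in one TypeScript module, the pattern the proposed solution, technical requirements and acceptance criteria above describe: a provider abstraction so that local development reads a .env-populated environment while production reads a remote store, a sealed in-memory copy of the key that is zeroed on rotation and shutdown, redaction whenever the holder is serialized or logged, audit entries that never carry the value, and a helper for the unit test that checks error messages. Every name in it (SecretProvider, EnvSecretProvider, StaticVaultProvider, SealedSecret, SecretService, leaksSecret) is hypothetical; the AWS Secrets Manager provider is represented by an in-memory map so the code runs offline, and the key values used are constructed strings, not real Stellar seeds.

```typescript
// Added example for this issue; not code from the project. Every name here is
// hypothetical, and any key value passed in is constructed, not a real seed.

/** Where secret values come from. Production would implement this over AWS
 *  Secrets Manager or Vault; local development reads the environment that a
 *  .env loader populates. */
export interface SecretProvider {
  fetch(name: string): Promise<string>;
}

/** Development provider over an env-style map (pass process.env in practice). */
export class EnvSecretProvider implements SecretProvider {
  constructor(private readonly env: Record<string, string | undefined>) {}
  async fetch(name: string): Promise<string> {
    const value = this.env[name];
    // The error names the variable, never a value.
    if (!value) throw new Error(`secret ${name} is not set`);
    return value;
  }
}

/** Offline stand-in for a remote store such as AWS Secrets Manager. Editing the
 *  map between fetches simulates a rotation on the provider side. */
export class StaticVaultProvider implements SecretProvider {
  constructor(private readonly store: Map<string, string>) {}
  async fetch(name: string): Promise<string> {
    const value = this.store.get(name);
    if (value === undefined) throw new Error(`secret ${name} not found in store`);
    return value;
  }
}

// Stellar secret seeds are ASCII (base32, "S..."), so a byte-per-character copy
// is exact. Uint8Array stands in for Buffer.alloc so the file needs no Node types.
function asciiEncode(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}
function asciiDecode(b: Uint8Array): string {
  let s = "";
  for (let i = 0; i < b.length; i++) s += String.fromCharCode(b[i]);
  return s;
}

const INSPECT: unique symbol = Symbol.for("nodejs.util.inspect.custom");

/** Holds the key bytes in a buffer that can be zeroed, and redacts itself when
 *  serialized, stringified or inspected (console.log, NestJS Logger). */
export class SealedSecret {
  private bytes: Uint8Array | null;
  constructor(value: string) {
    this.bytes = asciiEncode(value);
  }
  /** Hand the key to `fn` for one operation; callers must not retain it. */
  use<T>(fn: (key: string) => T): T {
    if (this.bytes === null) throw new Error("secret has been wiped");
    return fn(asciiDecode(this.bytes));
  }
  /** Zero the buffer and drop the reference. */
  wipe(): void {
    if (this.bytes !== null) {
      this.bytes.fill(0);
      this.bytes = null;
    }
  }
  get wiped(): boolean {
    return this.bytes === null;
  }
  toJSON(): string { return "[REDACTED]"; }
  toString(): string { return "[REDACTED]"; }
  [INSPECT](): string { return "[REDACTED]"; }
}

/** Startup load, rotation that keeps the previous key when the new fetch fails,
 *  audit entries without the value, and a wipe on shutdown. */
export class SecretService {
  private current: SealedSecret | null = null;
  readonly auditLog: string[] = [];
  constructor(private readonly provider: SecretProvider, private readonly name: string) {}

  private async fetchSealed(): Promise<SealedSecret | null> {
    try {
      return new SealedSecret(await this.provider.fetch(this.name));
    } catch {
      return null;
    }
  }

  /** True when a fresh value was installed; false when a rotation fetch failed
   *  and the previous value was kept. Throws only if there is nothing to keep. */
  async load(): Promise<boolean> {
    const fresh = await this.fetchSealed();
    if (fresh === null) {
      if (this.current === null) throw new Error(`secret ${this.name} could not be loaded`);
      this.auditLog.push(`${this.name}: rotation failed, previous value kept`);
      return false;
    }
    const previous = this.current;
    this.current = fresh;
    if (previous !== null) previous.wipe(); // old copy zeroed as soon as replaced
    this.auditLog.push(`${this.name}: ${previous === null ? "loaded" : "rotated"}`);
    return true;
  }

  /** Every access is audited by purpose; the value itself is never recorded. */
  withSecret<T>(purpose: string, fn: (key: string) => T): T {
    if (this.current === null) throw new Error(`secret ${this.name} is not loaded`);
    this.auditLog.push(`${this.name}: accessed for ${purpose}`);
    return this.current.use(fn);
  }

  dispose(): void {
    if (this.current !== null) this.current.wipe();
    this.current = null;
    this.auditLog.push(`${this.name}: wiped`);
  }
}

/** Helper for the unit test behind "error messages do not include secret key values". */
export function leaksSecret(text: string, secret: string): boolean {
  return secret.length > 0 && text.includes(secret);
}
```

In the service that signs transactions, the key is only ever seen inside `withSecret("sign transaction", (seed) => ...)`, and `dispose()` runs on application shutdown. One caveat a reviewer will want stated: JavaScript strings are immutable and cannot be zeroed, so the string copy handed to the signing library (the Stellar SDK parses a seed string) stays in the heap until garbage collection. Wiping the buffer shortens the window and removes the long-lived copy, but it does not make the key unrecoverable from a memory dump taken during signing; that is why the process-access threat in the problem statement still has to be addressed by the other controls (no logging, least privilege, and a remote store that allows rotation).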
File Inventory
Backend/src/config/configuration.ts
Backend/src/soroban/soroban.service.ts
Dependencies
Issue #4 (real Soroban integration) — secret becomes more critical when real integration exists.
Testing Strategy
- Unit test: verify secret is not in error messages
- Integration test: AWS Secrets Manager retrieval
- Manual: inspect logs for any secret leakage
Security Considerations
Primary secrets management improvement. Must be implemented before production deployment.
Definition of Done