Last updated: March 11, 2025
SCWE-025: Improper Cryptographic Key Management
Stable Version v0.0.1
This content is in version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).
Relationships
Description
Improper cryptographic key management refers to the failure to securely generate, store, or use cryptographic keys. This can lead to:
- Unauthorized access to sensitive data.
- Exploitation of the contract's logic.
- Loss of funds or data.
Remediation
- Use secure key management: Leverage secure key management systems or libraries.
- Avoid hardcoding keys: Never hardcode cryptographic keys in the contract.
- Regularly rotate keys: Periodically update cryptographic keys to reduce risks.
Examples
- Improper Key Management

```solidity
pragma solidity ^0.8.0;

contract ImproperKeyManagement {
    // Hardcoded key: readable by anyone from the source or the deployed bytecode
    bytes32 private key = keccak256("insecure-key");
}
```
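- Proper Key Management

```solidity
pragma solidity ^0.8.0;

contract ProperKeyManagement {
    // `private` only blocks access from other contracts; the value is still
    // readable from on-chain storage and from the deployment transaction.
    bytes32 private key;

    constructor(bytes32 _key) {
        key = _key; // Configurable key supplied at deployment
    }
}
```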
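
The remediation points on avoiding hardcoded keys and rotating keys, shown as an added example that is not part of the original SCWE entry: the contract stores only the signer's address, checks signatures with `ecrecover`, and lets the owner replace the signer. The contract name, function names and the single-owner rotation policy are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (hypothetical names). The contract holds only the signer's
// address; the private key stays off-chain in a wallet, HSM or KMS.
contract RotatableSigner {
    address public owner;
    address public signer;                // verification key, not a secret
    mapping(bytes32 => bool) public used; // digests already accepted (replay guard)

    event SignerRotated(address indexed previous, address indexed current);

    constructor(address initialSigner) {
        require(initialSigner != address(0), "zero signer");
        owner = msg.sender;
        signer = initialSigner;
    }

    // Rotation: once this runs, signatures made with the old key stop verifying.
    function rotateSigner(address newSigner) external {
        require(msg.sender == owner, "not owner");
        require(newSigner != address(0), "zero signer");
        emit SignerRotated(signer, newSigner);
        signer = newSigner;
    }

    // Accepts `payload` once if it is signed by the current signer.
    function accept(bytes32 payload, uint8 v, bytes32 r, bytes32 s)
        external
        returns (bool)
    {
        // Bind the signed message to this chain and this contract.
        bytes32 inner = keccak256(abi.encode(block.chainid, address(this), payload));
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", inner)
        );
        require(!used[digest], "replayed");
        // ecrecover returns address(0) on malformed input; reject it explicitly.
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");
        used[digest] = true;
        return true;
    }
}
```

The `SignerRotated` event gives monitoring a record of every key change, so an unexpected rotation can be alerted on.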