Lots of us use accounts with well known keys for testing, such as the `test test test ... junk` mnemonic which generates the `0xf39Fd…`, `0x70997…`, `0x3C44C…` etc. series of addresses.
TL;DR these test accounts should have warnings in account lists & when signing using them
However, these are rarely if ever clearly demarcated as being test wallets in Wallet UIs and other tools. See example from MetaMask:
As a developer that routinely spins up fresh local/ephemeral nodes as part of the testing process it’s a big frustration having to reconfigure my Web3 wallet(s) every time, so having the de-facto standard handful of accounts which are assumed to always be present and have gas is time-saving and convenient.
However, sometimes this slips into the real world by accident. The following story is that of a co-worker (non-developer). At some point he imported one of the test wallets into MetaMask while demoing an app to somebody at a conference, where it remained in his account list for a few months.
Then, needing a new wallet to set up Gnosis Pay, he looked in his MetaMask and there it was, sitting at the end of the account list after his Ledger and other routinely used accounts. He proceeded to go through KYC and enter that address in, tried to fund the card but the $20 test transaction didn’t seem to go through… strange, he thought. Tried sending 0.1 ETH… but that disappeared!
Initially he thought he’d been hacked, maybe it was malware, a keylogger, was his seed phrase brute forced? Fortunately… the wallet address was one of these test accounts and nothing more sinister, but up until that point there was no indication that basically every Ethereum-adjacent developer has used these accounts at one point or another.
This is yet another story to add onto the giant burning fire of user frustration, this is not the first time something like this has happened - far from it - and it certainly won’t be the last.
But, if we can do one simple thing in our apps, in our wallets, in our services, in our deterministic icon generators:
- Clearly demarcate test accounts with known keys and warn the users, as they may not realize until it’s too late
My suggestions:
- Deterministic icon generators: overlaid with a warning sign
- Account name auto-fill: instead of `Account N`, it could be `Test Account!!! N`
- When signing, include a big warning that it is a test account