PR: #55 (feat/27-docker-compose)
Files: deploy/compose/.env.example (BOT_SIGNER_KEY line); deploy/compose/docker-compose.yml env_file block
The compose stack passes BOT_SIGNER_KEY (the hot-wallet private key) into the charon container via env_file: ./.env. Docker stores all container environment variables in the container runtime metadata, visible in plaintext to any OS user with access to the Docker daemon:
On Linux, the Docker socket (/var/run/docker.sock) is accessible to the docker OS group, which is effectively equivalent to root access. Any user added to the docker group on the Hetzner host — including deployment scripts, monitoring agents, or any compromised service — can extract the private key in one command.
Impact: Full hot-wallet compromise. CLAUDE.md safety invariant: the bot hot wallet holds gas and routes profit sweeps inside every flash-loan callback. Key compromise allows an attacker to drain the hot wallet and intercept in-flight sweep transactions before they reach the cold wallet.
The PR description acknowledges this risk and defers to "ACL on who can run docker on host" but neither .env.example nor the README quickstart warns operators. The 3-command quickstart leads operators directly into the exposure without a single security notice.
Suggested mitigations (in order of preference):
- Add a prominent warning comment in .env.example adjacent to the BOT_SIGNER_KEY= line: explain that this value is visible via docker inspect to any OS user in the docker group.
- Document in the README deploy section that the docker group on the Hetzner host must be restricted to the single deploy OS user only, and that running docker inspect on the charon container exposes the signing key.
- For future hardening: pass the key via an external secrets manager or a KMS-backed signer so the raw private key never appears as a plain environment variable.
Refs #55
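An operator-side audit for the two conditions this issue describes, added here as an example and not part of the PR or the project's code. It assumes its inputs are the JSON printed by `docker inspect` and the line printed by `getent group docker`; the sample data, the user names other than a single deploy user, and the secret-name heuristic are constructed for illustration.

```python
import json
import re

# Heuristic for variable names that usually hold credentials (assumption; extend per stack).
SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|MNEMONIC)", re.IGNORECASE)


def exposed_secret_vars(inspect_json):
    """Return (container, variable) pairs whose names look like secrets.

    Input is the JSON array printed by `docker inspect`. Values are never
    returned or printed, so the audit output is safe to log.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for entry in (container.get("Config") or {}).get("Env") or []:
            var, _, value = entry.partition("=")
            if value and SECRET_NAME.search(var):
                findings.append((name, var))
    return findings


def unexpected_docker_members(group_line, allowed):
    """Parse one /etc/group-style line; return listed members not in `allowed`.

    Users whose primary group is docker are not listed on this line and
    need a separate check against /etc/passwd.
    """
    fields = group_line.strip().split(":")
    members = [m for m in fields[3].split(",") if m] if len(fields) > 3 else []
    return sorted(set(members) - set(allowed))


# Constructed sample inputs (not real output from any host).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/charon",
    "Config": {"Env": ["BOT_SIGNER_KEY=0xCONSTRUCTED_PLACEHOLDER",
                       "RUST_LOG=info", "PATH=/usr/bin"]},
}])
SAMPLE_GROUP = "docker:x:998:deploy,monitoring,ci-runner"

if __name__ == "__main__":
    for container, var in exposed_secret_vars(SAMPLE_INSPECT):
        print(f"{container}: {var} is stored in plaintext container metadata")
    for user in unexpected_docker_members(SAMPLE_GROUP, {"deploy"}):
        print(f"docker group member outside allow-list: {user}")
```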