
Protecting Your Crypto Butt with Hardhat & Foundry

Fabian Owuor


Two Wallets Walk Into a dApp

Welcome to Web3, where the gains are sweet, the risks are spicy, and one wrong click sends your life savings to a phishing wallet named rekt.eth. But fear not, brave dev! Today, we embark on a hilarious and semi-responsible journey into protecting your private keys while developing with Hardhat and Foundry — and why you need two wallets like Batman needs Bruce Wayne.

HARDHAT: The Leather Glove of Web3 Dev

Hardhat is like the Swiss Army Knife of Ethereum development — sharp, versatile, and dangerously easy to misuse. Most tutorials tell you to do this:

// hardhat.config.js, the way too many tutorials write it: the key is hardcoded
const PRIVATE_KEY = "0xYOURSUPERSECRETKEY";

Then BOOM — you push it to GitHub, forget it's there, and some script kiddie empties your wallet before you can say "testnet". Bots scrape public repos for exactly this pattern around the clock, so "nobody will notice" is not a plan.

So, what should you do?

Step 1: Use .env like your life depends on it

# .env  (lives only on your machine, never in the repo)
PRIVATE_KEY=0xYOUR_PRIVATE_KEY

// hardhat.config.js
require("dotenv").config();
const privateKey = process.env.PRIVATE_KEY;

Then add .env to your .gitignore, or Step 1 achieves nothing: the whole point is that the key exists on disk but never in a commit.

Why? Because committing your private key to Git is like leaving your ATM card taped to an actual ATM with your PIN written in lipstick.

Step 2: Use HD Wallets for Local Dev

Instead of using real private keys, the in-process hardhat network derives its accounts from an HD-wallet mnemonic. The one below is Hardhat's built-in default (you get it even if you write nothing), and it is completely public: anyone can derive the same keys, so never send real funds to any address it produces.

// hardhat.config.js
module.exports = {
  networks: {
    hardhat: {
      accounts: {
        // Hardhat's default test mnemonic: public, funded only on the local network
        mnemonic: "test test test test test test test test test test test junk",
      },
    },
  },
};

Remember: no one ever cried over losing 10 test ETH.
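Here is how those two steps fit together in a real config, as an added example that is not code from the original post or from Hardhat itself: the key-loading half of a hardhat.config.js, written as plain functions so each check can be exercised. The names parseDotenv (standing in for the dotenv package so the block runs offline), loadDeployerKey, buildNetworks, gitignoreCoversEnv and the SEPOLIA_RPC_URL variable are this example's own, and the sample .env contents and key are constructed. It adds what the steps above leave implicit: the key is validated but never echoed in an error message, the live network is only configured when a key is actually present, and the config refuses to load a key at all unless the .gitignore contents cover .env.

```javascript
// Added example, not the original post's code or Hardhat's own API.
// Hardhat's built-in default mnemonic. It is public: every wallet derived from it
// is known to the whole internet, so it only ever belongs on the in-process network.
const PUBLIC_TEST_MNEMONIC =
  "test test test test test test test test test test test junk";

// Minimal .env parser (KEY=value, '#' comments, optional matching quotes), used
// here instead of the dotenv package so the example runs offline.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// True if the given .gitignore text ignores ".env" (exact entry, leading slash,
// or ".env*" glob). Handles comments and negations ("!.env"); later lines win,
// as in git. More exotic patterns are deliberately not attempted.
function gitignoreCoversEnv(gitignoreText) {
  let covered = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const negated = line.startsWith("!");
    const pattern = negated ? line.slice(1) : line;
    if ([".env", "/.env", ".env*", "/.env*"].includes(pattern)) {
      covered = !negated;
    }
  }
  return covered;
}

// Returns a validated 0x-prefixed 32-byte hex key, null if unset, and throws on a
// malformed value WITHOUT echoing it: a mistyped secret must not end up in a CI
// log or in a stack trace pasted into Discord for help.
function loadDeployerKey(env) {
  const key = env.PRIVATE_KEY;
  if (key === undefined || key === "") return null;
  if (!/^0x[0-9a-fA-F]{64}$/.test(key)) {
    throw new Error("PRIVATE_KEY must be 0x followed by 64 hex characters (value withheld)");
  }
  return key;
}

// Builds the `networks` object for hardhat.config.js. The hardhat network always
// uses the public throwaway mnemonic. The live network (sepolia here, an assumed
// name) only exists when both a key and an RPC URL are set, so `npx hardhat test`
// works with no secrets at all; and a key is only accepted if .env is git-ignored.
function buildNetworks(env, gitignoreText) {
  const networks = {
    hardhat: { accounts: { mnemonic: PUBLIC_TEST_MNEMONIC } },
  };
  const key = loadDeployerKey(env);
  if (key !== null && !gitignoreCoversEnv(gitignoreText)) {
    throw new Error(".gitignore does not cover .env; refusing to load PRIVATE_KEY");
  }
  if (key !== null && env.SEPOLIA_RPC_URL) {
    networks.sepolia = { url: env.SEPOLIA_RPC_URL, accounts: [key] };
  }
  return networks;
}

// Constructed sample input (not a real key: 0x followed by "ab" repeated 32 times).
const SAMPLE_ENV = parseDotenv(
  `# constructed .env\nPRIVATE_KEY=0x${"ab".repeat(32)}\nSEPOLIA_RPC_URL="https://rpc.example.invalid"\n`
);
const SAMPLE_GITIGNORE = "node_modules\n.env\n";
const SAMPLE_NETWORKS = buildNetworks(SAMPLE_ENV, SAMPLE_GITIGNORE);

// In a real hardhat.config.js (dotenv installed, .gitignore read from disk):
//   require("dotenv").config();
//   module.exports = {
//     solidity: "0.8.24",
//     networks: buildNetworks(process.env, require("node:fs").readFileSync(".gitignore", "utf8")),
//   };
```

The error path is the part worth copying: Hardhat will happily print the offending value if you let a bad key reach ethers, so validate it yourself first and keep the message content-free.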


FOUND(RY) THE LIGHT

Foundry is faster, rustier, and a little more paranoid (which is good). Instead of reading raw keys out of a config file, it can keep them as password-encrypted keystore files under:

~/.foundry/keystores

You create one with cast wallet import (the wallet commands live under cast, not forge), and the interactive flag keeps the key out of your shell history:

cast wallet import dev --interactive
# Prompts for the private key, then for a password;
# the encrypted keystore is written to ~/.foundry/keystores/dev

From then on, forge script and cast send can sign with --account dev and only ever ask for the password, so the plaintext key never lands in a .env file, a command-line flag, or a CI variable.

Foundry also ships anvil, which can fork a chain and impersonate any address on the fork, so you don't need to risk anything while testing:

anvil --fork-url https://mainnet.infura.io/v3/KEY --fork-block-number 9999999
# In a second shell: unlock any address on the fork, no private key needed
cast rpc anvil_impersonateAccount 0xWHALE_ADDRESS

(KEY, your RPC provider key, is a secret too. Load it from .env like everything else.)

You’re now god. Don’t abuse it. (Okay, maybe just a little.)


TWO WALLETS, ZERO REGRETS

Let’s talk about the real alpha: you need two wallets.

Wallet Type       | Purpose                             | Nickname       | Example Use
------------------|-------------------------------------|----------------|-------------------------------
Developer Wallet  | Testing, deploying, breaking stuff  | “The Lab Rat”  | Connecting to dApps, debugging
Pay Wallet        | Holding funds, NFT flex, staking    | “The Vault”    | Actually valuable stuff

Why two?

Because all those flashy sites with Connect Wallet buttons aren’t your friends. Some of them are like sketchy nightclubs — you enter once and wake up airdropped an STD (Suspicious Token Drain).

By using a developer wallet, you:

  • Keep your main wallet untouched

  • Can nuke it and start over if things go bad

  • Test risky sites without fear

  • Don’t lose your $420 Blur NFT

And your pay wallet? Treat it like it’s made of actual gold. Cold storage, hardware wallet, multisig... go full Fort Knox.

Real Talk: What Not to Do

  • Don't store private keys in plaintext in your repo

  • Don't use one wallet for everything (you’ll regret it)

  • Don't paste your private key into ChatGPT, Discord, or Google Docs 😬

  • Don't connect your pay wallet to cutehotgirl.eth; cute girls online are usually male

  • Don't reuse testnet accounts on mainnet

The Zen of Web3 Dev

To survive Web3, think like a squirrel with trust issues. Hide your nuts (private keys), test before leaping, and never put your treasure map (mnemonic) in the cloud.

Use Hardhat responsibly, switch to Foundry when you're ready to feel the Rust, and keep your wallets separated like a DJ and his groupies.

Lastly

  • Use .env for keys in Hardhat, and keep .env out of Git.

  • Use Foundry’s secure wallet imports for dev workflows.

  • Have two wallets: one for dev, one for funds.

  • Don’t be that person in Discord begging for a refund after “just clicking a mint button.”
