Security guidance for EEL users and operators
EEL Core 1.00 has not received an external security audit. Users and operators should treat it as early network software and run the included self-check and security-check scripts before public operation.
Private key safety
Never paste a private key into eel.best or any website. Browser mining and external mining require only a public reward address. Envelope signing should run locally or inside trusted wallet tooling.
Do not trust private messages, direct offers or unofficial support accounts asking for keys, seed phrases, remote access or signed unknown payloads.
Release verification
Verify release artifacts with CHECKSUMS.txt and downloads/CHECKSUMS.txt. Use the bundled SELF_CHECK.sh, SECURITY_CHECK.sh and doctor.sh scripts.
Server hardening
- Serve only /var/www/eel publicly.
- Keep backend code in /opt/eel.
- Keep chain state and wallet.key in /var/lib/eel.
- Use Nginx source/config/key blocking.
- Enable TLS with Certbot.
- Use firewall rules for HTTP/HTTPS/P2P only as needed.
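A layout audit for the list above, added here as an example; it is not one of the bundled EEL scripts. The directory paths are the ones named in the list, while the file patterns, function names and the --run switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not an EEL script. Paths default to the ones named on the page.
WEBROOT="${WEBROOT:-/var/www/eel}"
STATE_DIR="${STATE_DIR:-/var/lib/eel}"
# Assumed patterns for key and config files; add your backend's source extensions.
LEAK_PATTERNS="${LEAK_PATTERNS:-*.key *.pem *.env *.conf *.ini}"

# List files under the web root matching a sensitive pattern, plus any symlinks
# (a symlink can expose a file that lives outside the web root).
find_leaks() (
    set -f   # keep the patterns literal while the list is word-split
    for pat in $LEAK_PATTERNS; do
        find "$1" -type f -name "$pat" 2>/dev/null
    done
    find "$1" -type l 2>/dev/null
)

# Succeed only if the key file exists and has no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; print each failure and return non-zero if any check fails.
audit_layout() {
    rc=0
    leaks=$(find_leaks "$WEBROOT")
    if [ -n "$leaks" ]; then
        echo "FAIL: sensitive files or symlinks under $WEBROOT:"; echo "$leaks"; rc=1
    fi
    case "$STATE_DIR/" in
        "$WEBROOT"/*) echo "FAIL: $STATE_DIR is inside the web root"; rc=1 ;;
    esac
    if ! key_is_private "$STATE_DIR/wallet.key"; then
        echo "FAIL: wallet.key missing, or has group/other permission bits"; rc=1
    fi
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_layout; fi
```

Run it with --run as a user that can read the state directory; a non-zero exit status means at least one check failed.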
Disclosure
Security reports should include version, commit or release checksum, reproduction steps, logs with secrets removed, expected behavior and observed behavior. Official reporting channels must be verified through the project website and release repository before use.