Conf File Accidentally Empty, Addresses at Risk?

While getting myself setup and acquainted with the Zcash Linux wallet I realized that at at some point I overwrote my Conf file so that all that was in it was a line for addnode. There was no rpcusername or rpcpassword. I know that while the Conf file was like this I generated wallet addresses and synced the blockchain. I hadn’t sent any funds to any of these addresses yet. Am I at risk for my future funds being stolen if I continue to use this wallet? Could the lack of having an rpcusername and password mean that the private keys of the addresses I created be at risk and collected by someone?

This is actually correct and the rpcusername and rpcpassword are not required. There is a discrepancy in the docs here https://github.com/zcash/zcash/wiki/1.0-User-Guide (which only includes the addnode line) and here https://z.cash/download.html where it specifies to add the rpcusername and rpcpassword. I’m guessing the latter just hasn’t been updated.

If rpcuser and rpcpassword are not set then it uses cookie based authentication like Bitcoin - you can see the Bitcoin issue here: https://github.com/bitcoin/bitcoin/pull/6388 which is referenced via the Zcash devs here: https://github.com/zcash/zcash/issues/1950.

So your keys are safe (assuming your machine is) as RPC by default only allows access from the same machine.