diff --git a/.travis.yml b/.travis.yml
index 7facdba..1fb7b35 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,4 +11,4 @@ install:
 script:
   - npm run test
   - npm run eslint
-  - ./cli.js test
+  - node cli.js test
diff --git a/circuits/withdraw.circom b/circuits/withdraw.circom
index bed8cd6..54c3838 100644
--- a/circuits/withdraw.circom
+++ b/circuits/withdraw.circom
@@ -50,6 +50,18 @@ template Withdraw(levels) {
         tree.pathElements[i] <== pathElements[i];
         tree.pathIndices[i] <== pathIndices[i];
     }
+
+    // Add hidden signals to make sure that tampering with recipient or fee will invalidate the snark proof
+    // Most likely it is not required, but it's better to stay on the safe side and it only takes 2 constraints
+    // Squares are used to prevent optimizer from removing those constraints
+    signal recipientSquare;
+    signal feeSquare;
+    signal relayerSquare;
+    signal refundSquare;
+    recipientSquare <== recipient * recipient;
+    feeSquare <== fee * fee;
+    relayerSquare <== relayer * relayer;
+    refundSquare <== refund * refund;
 }
 
 component main = Withdraw(20);
diff --git a/cli.js b/cli.js
index 4793daa..623c629 100755
--- a/cli.js
+++ b/cli.js
@@ -1,4 +1,4 @@
-#!/usr/bin/env NODE_OPTIONS=--no-warnings node
+#!/usr/bin/env node
 // Temporary demo client
 // Works both in browser and node.js
 
@@ -515,6 +515,16 @@ async function init({ rpc, noteNetId, currency = 'dai', amount = '100' }) {
     tokenAddress = currency !== 'eth' ? erc20ContractJson.networks[netId].address : null
     senderAccount = (await web3.eth.getAccounts())[0]
   } else {
+    try {
+      const account = web3.eth.accounts.privateKeyToAccount('0x' + PRIVATE_KEY)
+      web3.eth.accounts.wallet.add('0x' + PRIVATE_KEY)
+      // eslint-disable-next-line require-atomic-updates
+      web3.eth.defaultAccount = account.address
+      senderAccount = account.address
+    } catch(e) {
+      console.error('Please provide PRIVATE_KEY in .env file')
+      process.exit(1)
+    }
     try{
       tornadoAddress = config.deployments[`netId${netId}`][currency].instanceAddress[amount]
       if (!tornadoAddress) {
diff --git a/truffle-config.js b/truffle-config.js
index 47a0f87..04451ba 100644
--- a/truffle-config.js
+++ b/truffle-config.js
@@ -43,7 +43,7 @@ module.exports = {
     // Useful for deploying to a public network.
     // NB: It's important to wrap the provider as a function.
     kovan: {
-      provider: () => new HDWalletProvider(process.env.PRIVATE_KEY, 'https://kovan.infura.io/v3/c7463beadf2144e68646ff049917b716'),
+      provider: () => new HDWalletProvider(process.env.PRIVATE_KEY, 'https://kovan.infura.io/v3/97c8bf358b9942a9853fab1ba93dc5b3'),
       network_id: 42,
       gas: 6000000,
       gasPrice: utils.toWei('1', 'gwei'),
@@ -52,7 +52,7 @@ module.exports = {
       skipDryRun: true
     },
     rinkeby: {
-      provider: () => new HDWalletProvider(process.env.PRIVATE_KEY, 'https://rinkeby.infura.io/v3/c7463beadf2144e68646ff049917b716'),
+      provider: () => new HDWalletProvider(process.env.PRIVATE_KEY, 'https://rinkeby.infura.io/v3/97c8bf358b9942a9853fab1ba93dc5b3'),
       network_id: 4,
       gas: 6000000,
       gasPrice: utils.toWei('1', 'gwei'),