Farcaster

I decide to public this info/report
dear cc @dwr.eth @warpcast 

I've discovered an issue on Warpcast that allows someone to bind wallet address to any others without being authorized.

Affected:
- Warpcast Web
- Warpcast App (send email link)

Simple explanation for reproduce:
When you click the button to verify your wallet on either of these affected services, it grants public authorization for a limited time. During this period, malicious actors can bind their wallet address to your Warpcast using your FID.

Impact: 
This could replace your recipient's address for any transactions on Farcaster, including airdrops (degen, ham, etc..).