Warpcast

Farcaster

I decide to public this info/report
dear cc @dwr.eth @warpcast 

I've discovered an issue on Warpcast that allows someone to bind wallet address to any others without being authorized.

Affected:
- Warpcast Web
- Warpcast App (send email link)

Simple explanation for reproduce:
When you click the button to verify your wallet on either of these affected services, it grants public authorization for a limited time. During this period, malicious actors can bind their wallet address to your Warpcast using your FID.

Impact: 
This could replace your recipient's address for any transactions on Farcaster, including airdrops (degen, ham, etc..).

UPDATE: great news, the vulnerability has been fixed!

Looks like @v has done it today.
Thanks for listening in, @v!

Technowatermelon. Elder Millenial. Building Farcaster. 

nf.td/varun

just for fun • security researcher • share my findings to bring security awareness • /dev /infosec /farcaster /bot

Palangkaraya, Jekan Raya, Palangka Raya City, Central Kalimantan, Indonesia

frame developer, web3 developer, long distance runner /pixelnouns /frm /degendogs /degenfers /toka /maxis

Glad to hear that my efforts made a positive impact

Thank you for your persistence -- we are better off because of it.

Thank you for reporting this issue and for your effort to get it resolved! This could be a significant issue for all Farcaster users. 32768 👏🏻👏🏻👏🏻👏🏻👏🏻

Well done on finding and reporting this... Hope there was a bounty 🫡