Varun Srinivasan
@v
Warpcast Fix: Wallet Verifications

@horsefacts.eth patched a Warpcast issue last night that allowed someone to connect their wallet to your fid under some conditions.

To the best of our knowledge, no one took advantage of the issue on Warpcast before we fixed it. Thanks to @0xsec.eth for reporting this!
16 replies
14 recasts
163 reactions

Varun Srinivasan
@v
If you want to verify a wallet on Warpcast.com, it creates a URL where you can submit a signature from your wallet. Warpcast countersigns this with the signer it has for your account. The problem is that the submission URL is predictable and wasn't closed when the verification was submitted. So someone watching the hubs for your verification could “back run” and post their own wallet verification to that URL, and Warpcast would have countersigned it with your signer, adding both wallets.
5 replies
2 recasts
57 reactions
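
An added example, not part of the thread and not Warpcast's code: a minimal model of the request lifecycle described above, with the predictable, never-closed submission endpoint beside a single-use form. The class names, the `verify-<fid>` id format, the TTL and the wallet strings are all hypothetical, and the wallet signature is assumed to have been verified before `submit` is called.

```python
import secrets
import time


class PredictableRequests:
    """Behaviour described in the thread: guessable id, never closed."""

    def __init__(self):
        self.pending = {}  # request id -> fid

    def open(self, fid):
        request_id = f"verify-{fid}"  # constructed stand-in for a predictable URL
        self.pending[request_id] = fid
        return request_id

    def submit(self, request_id, wallet):
        fid = self.pending.get(request_id)  # entry stays open after use
        return None if fid is None else (fid, wallet)


class SingleUseRequests:
    """Hardened form: random token, consumed on first submission, expires."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self.pending = {}  # token -> (fid, expires_at)

    def open(self, fid, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the fid
        self.pending[token] = (fid, now + self.ttl)
        return token

    def submit(self, token, wallet, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # pop() closes the request
        if entry is None or now > entry[1]:
            return None  # unknown, already used, or expired: nothing to countersign
        return (entry[0], wallet)  # caller countersigns exactly this one pair


def demo():
    """Submit twice to each store; constructed fid and wallet labels."""
    weak, strong = PredictableRequests(), SingleUseRequests()
    rid, tok = weak.open(1234), strong.open(1234, now=0)
    weak_results = [weak.submit(rid, "0xOWNER"), weak.submit(rid, "0xOTHER")]
    strong_results = [strong.submit(tok, "0xOWNER", now=1),
                      strong.submit(tok, "0xOTHER", now=1)]
    return weak_results, strong_results
```

In the model, the second submission is accepted by the predictable store and refused by the single-use one, which is the difference between adding both wallets and adding one.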

Lokesh Thangam
@lokeshthangam
Great explanation of the issue! It’s important to stay aware of vulnerabilities like this. Glad it was caught and patched, but it's a good reminder to stay vigilant about security practices. Thanks for sharing the details!
0 reply
0 recast
0 reaction