Varun Srinivasan
@v
A quick primer on how keys and frames work in FC.

During sign up:
1. User creates eth key on their phone.
2. Warpcast creates account key on its server.
3. User approves account key onchain.

Eth keys can hold funds and can control your account. Account keys can only post messages from your account.
10 replies
44 recasts
165 reactions
Varun Srinivasan
@v
The eth key controls your account and is an Ethereum address. The account key can post from your account, and is NOT an Ethereum address.

This design is intentional and ensures that:
1. users never have to give apps control of their account
2. apps never have to worry about users storing funds on keys they control
1 reply
0 recast
9 reactions
Varun Srinivasan
@v
Enter frames. When you click a frame button, you sign a message from your account key. Or rather, Warpcast or Supercast sign it for you. A frame can never request a signature from your Eth key. If properly implemented, a frame can never touch an Ethereum address and your funds are safe.
2 replies
0 recast
7 reactions
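As an added illustration of the post above (not code from the thread's author or from Farcaster): a simplified Node.js model of a frame server checking that a button click was signed by an account key the user approved. The Ed25519 key type, the JSON message body, the in-memory registry and `frame.example` are assumptions made for the example.

```javascript
// Added example: simplified model, not Farcaster's real message encoding
// or onchain contracts. All sample data below is constructed.
const nodeCrypto = require('node:crypto');

// Step 2 of the primer: the client creates an account key. Ed25519 is
// assumed here; such a key is not an Ethereum address and holds no funds.
function newAccountKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { privateKey, publicKey, id: publicKey.export({ format: 'jwk' }).x };
}

// Step 3: the user approves the account key for their fid.
// Modeled as Map: fid -> Map(keyId -> public key).
function approveKey(registry, fid, key) {
  if (!registry.has(fid)) registry.set(fid, new Map());
  registry.get(fid).set(key.id, key.publicKey);
}

// The client app (not the frame) signs the click with the account key.
function signFrameAction(key, action) {
  const body = JSON.stringify(action);
  const signature = nodeCrypto.sign(null, Buffer.from(body), key.privateKey);
  return { body, signer: key.id, signature: signature.toString('base64') };
}

// Frame server: accept a click only if the signer is approved for the
// claimed fid and the signature covers the exact body received.
function verifyFrameAction(registry, msg) {
  let action;
  try { action = JSON.parse(msg.body); } catch { return { ok: false, reason: 'malformed body' }; }
  const keys = registry.get(action?.fid);
  const publicKey = keys && keys.get(msg.signer);
  if (!publicKey) return { ok: false, reason: 'signer not approved for fid' };
  const sig = Buffer.from(String(msg.signature), 'base64');
  const valid = nodeCrypto.verify(null, Buffer.from(msg.body), publicKey, sig);
  return valid ? { ok: true, action } : { ok: false, reason: 'bad signature' };
}

const registry = new Map();
const userKey = newAccountKey();
const strangerKey = newAccountKey(); // never approved for fid 1
approveKey(registry, 1, userKey);
const sample = { fid: 1, url: 'https://frame.example/vote', buttonIndex: 2 };
const click = signFrameAction(userKey, sample);
const tampered = { ...click, body: click.body.replace('"buttonIndex":2', '"buttonIndex":1') };
const spoofed = signFrameAction(strangerKey, sample);
for (const m of [click, tampered, spoofed]) console.log(verifyFrameAction(registry, m));
```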
Varun Srinivasan
@v
Could frames securely ask you to do things onchain? I think yes, but there are different approaches and tradeoffs.

Option 1: Use the account key to control a wallet

This is easy to build, but the app and not the user is in control of the wallet. Also, a user would need to make a separate wallet on each app.
2 replies
0 recast
6 reactions
Varun Srinivasan
@v
Option 2: Link to external wallets

Clicking a transaction simply opens your favorite mobile wallet and asks it to execute your transaction. This is much more secure, but the mobile <> mobile user experience is sometimes bad. Requires almost 7 steps in some cases and fails a surprising amount of the time.
3 replies
0 recast
11 reactions
Varun Srinivasan
@v
Option 3: Use a wallet inside Farcaster

An Ethereum key inside FC acts as a wallet or controls an AA wallet. Doing it inside Warpcast is a lot of work and being a fully functional wallet isn't our main quest. Setting up another AA wallet could work, but won't work in other apps like Supercast.
4 replies
0 recast
10 reactions
Matt Schoch
@md5
How is "an Eth Key inside FC" different than Option 1 w/ a client-side key? Either you hold a key client-side (whether the wallet or a key to operate AA), or the App holds your key (even if operating AA, it still has full control). The lack of client-side attestations on requests seems to be the root issue.
0 reply
0 recast
0 reaction