https://warpcast.com/~/channel/fc-updates
Varun Srinivasan
@v
Warpcast Fix: Wallet Verifications

@horsefacts.eth patched a Warpcast issue last night that allowed someone to connect their wallet to your fid under some conditions. To the best of our knowledge, no one took advantage of the issue on Warpcast before we fixed it. Thanks to @0xsec.eth for reporting this!
9 replies
72 recasts
207 reactions
Varun Srinivasan
@v
If you want to verify a wallet on Warpcast.com, it creates a URL where you can submit a signature from your wallet. Warpcast countersigns this with the signer it has for your account. The problem is that the submission URL is predictable and wasn't closed when the verification was submitted. So someone watching the hubs for your verification could “back run” and post their own wallet verification to that URL, and Warpcast would have countersigned it with your signer, adding both wallets.
2 replies
2 recasts
72 reactions
Varun Srinivasan
@v
The fix was to have the server pass down a secret that the client has to include when submitting the verification. This was only needed on web; mobile used a slightly different system that was unaffected by this issue.
0 reply
1 recast
6 reactions
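The fix described in the post above, sketched as an added example (this is not Warpcast's code): a pending verification is bound to a server-issued secret and is closed on first successful use. The class, the `countersign` stand-in and the sequential session ids are assumptions made for illustration; the ids are sequential on purpose, to model a predictable submission URL.

```python
import hmac
import itertools
import secrets


def countersign(fid, wallet_signature):
    # Hypothetical stand-in for signing with the account's signer.
    return {"fid": fid, "wallet_signature": wallet_signature, "countersigned": True}


class VerificationSessions:
    """Server-side store of pending wallet verifications (illustrative)."""

    def __init__(self):
        self._ids = itertools.count(1)  # predictable ids, as in the reported issue
        self._pending = {}              # session_id -> {"fid", "secret"}

    def open(self, fid):
        # The id may be guessable; the secret is random and is returned
        # only to the client that started the verification.
        session_id = str(next(self._ids))
        secret = secrets.token_urlsafe(32)
        self._pending[session_id] = {"fid": fid, "secret": secret}
        return session_id, secret

    def submit(self, session_id, secret, wallet_signature):
        session = self._pending.get(session_id)
        if session is None:
            return None  # unknown session, or already used and closed
        expected = session["secret"].encode()
        if not hmac.compare_digest(expected, secret.encode()):
            return None  # caller knows the URL but not the secret
        # Close the session before countersigning so a later submission
        # to the same URL cannot add a second wallet.
        del self._pending[session_id]
        return countersign(session["fid"], wallet_signature)
```

A wrong secret leaves the session open, so a third party who guesses the id cannot cancel the owner's pending verification.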
DegenFans 🎩🔵🫂Ⓜ️
@degenfans
If someone is unsure and wants to check his address history, feel free to use this frame (history + active via hub): https://fc-verified-addresses.df-frame.xyz/ff/?method=fc-verified-addresses&subview=0&ts=1726817434
0 reply
0 recast
3 reactions