Content
@
0 reply
0 recast
0 reaction
Varun Srinivasan
@v
Warpcast Fix: Wallet Verifications @horsefacts.eth patched a Warpcast issue last night that allowed someone to connect their wallet to your fid under some conditions. To the best of our knowledge, no one took advantage of the issue on Warpcast before we fixed it. Thanks to @0xsec.eth for reporting this!
15 replies
14 recasts
157 reactions
Varun Srinivasan
@v
If you want to verify a wallet on Warpcast.com, it creates a url where you can submit a signature from your wallet. Warpcast counter signs this with the signer it has for your account. The problem is that the submission url is predictable and wasn't closed when the verification was submitted. So someone watching the hubs for your verification could “back run” and post their own wallet verification to that URL, and Warpcast would have counter signed it with your signer, adding both wallets.
5 replies
2 recasts
54 reactions
Varun Srinivasan
@v
The fix was to have the server pass down a secret that the client has to include when submitting the verification. This was only needed on web, mobile used a slightly different system that was unaffected by this issue.
0 reply
1 recast
8 reactions
DegenFans 🎩🔵🫂Ⓜ️
@degenfans
If someone is unsure and want to check his address history, feel free to use this frame (history + active via hub) https://fc-verified-addresses.df-frame.xyz/ff/?method=fc-verified-addresses&subview=0&ts=1726817434
0 reply
0 recast
3 reactions
rayhan03
@rayhan03
Thanks @v
0 reply
0 recast
0 reaction
Lokesh Thangam
@lokeshthangam
Great explanation of the issue! It’s important to stay aware of vulnerabilities like this. Glad it was caught and patched, but it's a good reminder to stay vigilant about security practices. Thanks for sharing the details!
0 reply
0 recast
0 reaction
pharm.Ashley
@ashergregson
I found linking quite a hassle tho!!. I was unable to link any wallets at all Was that part of the glitch?
0 reply
0 recast
0 reaction
