
Andrei O.

@andrei0x309

759 Following
2225 Followers


Andrei O.
@andrei0x309
Did a minor update to farcaster-snapchain-utils, v1.1.8, to also allow the use of insecure gRPC, and also replaced the default public Snapchain with a working version of a public Snapchain. https://warpcast.com/yuptester/0xe3b49155 https://www.npmjs.com/package/farcaster-snapchain-utils
0 reply
0 recast
6 reactions

Andrei O.
@andrei0x309
Not that I'm tribalistic, but I thought FC would be forever tied mostly to EVM. FID is on EVM; are there plans to modify the contracts to build a bridge to move the FID to Solana? I find it pretty hard to understand FC's goals:
1. Create a good decentralized social network?
2. Onboard non-crypto people to crypto?
3. Attract crypto people from multiple ecosystems/platforms?
4. Focus on mini-apps to extract/monetize from the client side?
5. Attract non-crypto people?
6. Empower user ownership and reduce favoritism and censorship?
I don't know; it feels like this product walks 10 paths at the same time, and it feels very chaotic. To be clear, I personally thought that the idea of slowly and iteratively creating a quality decentralized social protocol with a long runway (10y was first said) was the true goal. I'm trying to put myself in normie shoes, like someone who would come from Bluesky, and I imagine I would be spooked by 400+ features that seem disconnected from what I would expect from social media.
0 reply
1 recast
1 reaction

Andrei O.
@andrei0x309
People don't want to execute JS because it's costly, so 100/100; there are many services that will do the minimum. But there are JS-executing crawlers outside of search engines; prerender is pretty popular, so you're 3 lines of code away from being able to parse pages that make DOM changes with JS, but again the issue is always cost. I am sure that there are also a few preview crawlers outside of Slack that do a JS-enabled crawl; in terms of cost, 1 JS crawl probably costs more than 100 page downloads for sure. It is a bad idea for Slack OG or Farcaster, but not so much for OGs + metadata on Bing/Google/Yandex when you absolutely need to cut SSR costs.
0 reply
0 recast
1 reaction

Andrei O.
@andrei0x309
You can set it with JS; if the crawler is JS-enabled, it will pick up the data, and most search engines pick up metadata that's set on the client. But there are many that just download the page without having a JS engine enabled; in that case, metadata sent from the server is required. In a world where all crawlers were JS-enabled, SSR for metadata would not be necessary.
1 reply
0 recast
2 reactions
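
Added example (not part of the posts above, and not any crawler's real code): a small meta-tag extractor in Node.js that behaves like the crawlers the two posts describe, the ones that only download the page and never run a JS engine. It is run over two constructed HTML documents, one with server-rendered Open Graph tags and one where the same tag is only injected by a script; the page contents and the image URL are made up for the example.

```javascript
// Added example (not from the original posts): what a crawler without a JS
// engine sees. It reads only the bytes the server sent, so <meta> tags that a
// script would create at runtime are invisible to it.

const META_TAG_RE = /<meta\b([^>]*)>/gi;
// name="v", name='v' or bare name=v; attribute order inside the tag is arbitrary.
const ATTR_RE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns { key: content } for every <meta> that carries property= or name=.
function extractMeta(html) {
  const out = {};
  for (const m of html.matchAll(META_TAG_RE)) {
    const attrs = parseAttributes(m[1]);
    const key = attrs.property || attrs.name;
    if (key && attrs.content !== undefined) out[key] = attrs.content;
  }
  return out;
}

// Constructed sample: metadata rendered on the server, present in the HTTP body.
const SSR_HTML = `<!doctype html><html><head>
<meta charset="utf-8">
<meta property="og:title" content="Server rendered title">
<meta name='description' content='Server rendered description'>
<meta content="https://example.invalid/img.png" property="og:image">
</head><body><div id="app"></div></body></html>`;

// Constructed sample: same page, but the tag exists only after a script runs.
// A browser ends up with the same og:title; a plain HTTP fetch never does.
const CSR_HTML = `<!doctype html><html><head>
<meta charset="utf-8">
<script>
  const m = document.createElement('meta');
  m.setAttribute('property', 'og:title');
  m.setAttribute('content', 'Client rendered title');
  document.head.appendChild(m);
</script>
</head><body><div id="app"></div></body></html>`;

console.log(extractMeta(SSR_HTML)); // → og:title, description and og:image
console.log(extractMeta(CSR_HTML)); // → {}
```

The empty result for the second document is the whole point: unless the crawler spends the money to run the script, the server response is the only thing it can index, which is why metadata has to be emitted server-side even when the rest of the page is rendered on the client.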

Andrei O.
@andrei0x309
Token creator is actually banned on UI https://warpcast.com/clickersxyz
0 reply
0 recast
1 reaction

Andrei O.
@andrei0x309
Clearly an unknown unknown... In my opinion, it would have been better if @circle had not been acquired. Maybe I am exaggerating, but if USDC has any large-scale incident, I don't know if the whole space can recover afterward, so to me it seems the users of USDC are powerless anyway.
0 reply
0 recast
3 reactions

Andrei O.
@andrei0x309
100/100, but when I do speculation, I want to think of all possible scenarios and always give the benefit of the doubt. There were 3 possible scenarios I could see:
1. They have access to the phone data for everybody, not just a hash of the phone.
2. They have access to only older verification data, and newer ones are not stored.
3. They used client-side encryption guarded by data that is available only on the client side.
The last one (3) I invalidated, so to the best of my knowledge, only 1 and 2 are possible now.
0 reply
0 recast
1 reaction

Andrei O.
@andrei0x309
It seems using the auth token is enough; the endpoint is v2/account-verifications. I did the verification some time ago; maybe they changed it for newer verifications to not store it anymore, who knows. That could be tested with a new phone verification: if anybody has a new number and checks this endpoint with their token, they can find that out. Anyway, even if this is the case, that they have changed the policy for phone storage, older verifications should have been updated so that it is not possible to get the phone from the API, because it's super easy to migrate old verifications to the new standard so that the data is uniform.
0 reply
0 recast
0 reaction

Andrei O.
@andrei0x309
Thanks, much appreciated. I have not tested if the auth token is enough, but I can look into it. My speculation of this being guarded by the seed is a scenario I dealt with in the past as an option when dealing with apps that integrate a client-side wallet. That scenario provides better protection for users, as any code that needs your PK needs to be executed by the client, which is more cumbersome for the provider: if users don't update the app, the provider can't take that action, or if the users use an alternative client (in Farcaster's case). An example of this is the upcoming authorizing of the Warplet address as an auth address, which can only be executed with the custody PK and will be fulfilled automatically. If it is not accomplished by pushing code to the client, it means Warpcast has direct access to your PK, which is bad IMO. I'll take a look to see if it can be retrieved by auth token only and come back to this.
1 reply
0 recast
2 reactions

Andrei O.
@andrei0x309
There are ways to provide proofs:
1. You can automate deploys and use a third-party provider that you don't control to provide the commit for the code. For example, if Cloudflare says that worker X is deployed from commit Y, it would require Cloudflare to be compromised.
2. Remote attestation (hardware-assisted proof): using specialized hardware features, such as Trusted Platform Modules (TPMs) or secure enclaves (like Intel SGX, AMD SEV, ARM TrustZone), to cryptographically prove the integrity of the software stack running on a server.
3. Third-party certifications: you basically pay a trusted service to regularly inspect and publish certificates of your running code.
IMO, even just open-sourcing without direct proof of the deployed code is still much more trustworthy than proprietary code.
0 reply
0 recast
4 reactions

Andrei O.
@andrei0x309
It's not only on the device; I just logged in with a fresh emulator. Clearly, it's stored persistently. In the best-case scenario, it's encrypted with the user-provided seed as a password, and the seed is never stored at Merkl. But again, without the full source code of the backend + client, it's just "trust me, bro"; for all we know, even the seed could have been stored.
3 replies
2 recasts
16 reactions

Andrei O.
@andrei0x309
Rewrote this Kotlin Android app that needs root to auto-disconnect data/Wi-Fi. It looks like on newer Android systems, to make this reliable, you need a ton of permissions, including a special service permission. This special service permission allows the service to run in the background continuously, without user interaction with the app, and from SDK 33 onwards you can also run it without displaying anything to the user. Since they tightened the Store so much, I am curious if they will allow this upgrade of the app. https://github.com/andrei0x309/auto-data-disconnect-kotlin
1 reply
1 recast
4 reactions

mvr 🐹
@mvr
Been trying to flag it several times, but also the .xyz TLD is blocked on a lot of corporate networks. Emails from farcaster.xyz will bounce. Hoping they will keep mirroring with the other name.
2 replies
1 recast
2 reactions

Andrei O.
@andrei0x309
I see some opposition to this. To be fair, the reality is that all social media platforms use this in some way; the problem with this is not the verifications themselves, but in fact that they are detached from the protocol, making the protocol less valuable. This should have been something that each client was forced to implement; it should have been a requirement at the protocol level, but that's also problematic because there aren't technical avenues to do that properly, as you have to rely on "good" clients. The saddest thing about this is that it represents a crack in the facade that decentralization is safe: folks are willing to sacrifice the protocol if it means a client can be a little better. I also agree with @v here that you have to have these or similar mechanisms, but that is only if you have rewards. There is a simple and more effective solution here: stop rewards. A lot of people complained that this is not the way to foster a useful social network, and it is hard to disagree with that.
0 reply
1 recast
16 reactions

Andrei O.
@andrei0x309
The UI went live a few days ago on farcaster.xyz. I do think too much emphasis is going on branding; maybe it's just me, but all these plays with names don't seem to do much. It will end up breaking some third-party things, but other than that I would be amazed to see any significant effect. With frames to mini-apps, at least there was the issue of frames v1 and v2 that complicated things. Probably "frames" would have been a better name if v1 had not existed; "mini apps" is too detached from what a mini-app is, which is basically an iframe.
1 reply
0 recast
1 reaction

Umar B Umar
@umar123
That's a great idea 💡
0 reply
1 recast
1 reaction

Andrei O.
@andrei0x309
Added some neat features in Clear Wallet 1.4.19 (live in the web store):
- Dual provider announcement, one for Clear Wallet and one to simulate MetaMask; this will allow better interaction with MetaMask SDK websites
- Live RPC performance measurement (will show ms performance of the RPC in the UI)
- System-native notification if the RPC becomes unresponsive
- Dual memory queues for better message processing
- Better disconnect handling, tested with a few connect kits: @privy, onchainkit, rainbow, and others
Will probably release a clear-wallet connect kit at some point with a focus on EOA only, simplicity, and performance.
1 reply
1 recast
6 reactions

Andrei O.
@andrei0x309
From what I saw, generally one DNS address maps well to one mini app. Having multiple mini apps tied to the same DNS address is possible but creates a lot of issues, like not being able to have a metadata config for all mini apps, or a good shareable link for each individual app. This is mostly the standard that Warpcast adopted, with the .well-known pattern, but it could have been implemented at the folder level, where farcaster.json would have been searched for in each folder, albeit that would have been a messier implementation. It is advisable to use a domain or subdomain as the DNS address but not a sub-subdomain: due to how SSL certs are implemented, many large providers (e.g. Cloudflare) don't support sub-sub...-sub domains well (especially shared certs), so it's best to use domain.extension or prefix.domain.extension.
1 reply
0 recast
0 reaction

Andrei O.
@andrei0x309
TBH, I've seen this kind of vulnerability happen at least 3-4 times by now in different cases. I think even calling this kind of bug a vulnerability is a stretch; it's just incredibly poor execution. You have to have some unit tests for these cases; if you don't have that, then what do you expect? I get that in the startup era of products lasting 1 year, creating tests for products happens very sparsely, but IMO it's criminal to lack tests for contracts, where the risk is higher.
0 reply
5 recasts
8 reactions

Andrei O.
@andrei0x309
For sure; it also makes rules more subjective. It's harder to classify bad actors if you actively incentivize such patterns. Is it a bad actor if the actor just follows the incentive? This conundrum creates a multi-tier system where some are labeled bad actors and others not, depending not on their behavior but on their identity. Multi-tier systems are inherently unfair and lead to a lack of trust, justified critiques, and loss of reputation. To conclude, this strategy represents a bet that the short-term benefits will outweigh all negative consequences, which IMO is a really poor bet when it comes to social networks but works better in other environments.
1 reply
0 recast
1 reaction