salty af

Warpcast

intersubjective mechanism design @ poidh.xyz - come chill /poidh + follow @poidhbot

yeah I guess? I never connected mine. I guess someone used my cryptographic signature to append information to a chain of data that I used to assume was self-sovereign.

I stand corrected.

in today's edition of stfu bro, don't you know that nobody cares?

yeah, even after learning more technical details of how it was done, I only signed two of the three signatures shown here that are cryptographically proven to have been signed by a wallet I control

```
curl --request GET \
  --url 'https://nemes.farcaster.xyz:2281/v1/verificationsByFid?fid=6546' | jq
```

🐟 Snappa | picosub.artlu.xyz | SassyHash.artlu.xyz

Find me with my same PFP on GH

some technical nuance:
- a FC signer can sign messages, and protocol participants will consider those messages valid as long as the signer is valid.

- verifications are not signed by a FC signer (I was confused about this). Rather, your FC custodial address signs verifications, and stores the signatures on Hub, not on chain

- Warpcast mobile app ("trusted") appears to have permissionlessly used our private key to sign the verifications of our Warplet address

Of note: several other apps can import your FC custodial address private key. Any app that holds your private key (including Warpcast) can use it. It's useful to consider how transparent and/or trusted any project is about keys handling

So basically, any connected app that has signing authority can decide, out of the blue, to sign anything they want on behalf of our FID? Or is it just limited to connected addresses and other things in the protocol? Even so, this is a red flag. No one but me should be able to connect an address on behalf of my FID. Im confused, please help make it make sense