brypto

An attacker compromised the Amps contract 12 hours ago, stealing ~$6,700 USDC from 112 Amps users. 

@phil and the Amps team fixed the issue and refunded users. @horsefacts and the Farcaster team have been assisting. Farcaster wallets are safe and unaffected.

Who was affected?

Users who gave Amps an allowance to withdraw USDC from their wallet to purchase likes and recasts were affected.

Users who simply used Amps to receive funds for likes and recasts are unaffected. Users who did not use Amps are unaffected.

What happened?

The Amps team will publish a detailed report soon.  In short, their contract had a vulnerability and the attacker was able to withdraw USDC that the users have given Amps permission to withdraw. 

Some users gave Amps the permission to withdraw all USDC from their wallet, and the attacker was able to withdraw all USDC. 

Are Farcaster wallets unsafe?

No, Farcaster wallets remain safe to use. The exploit is entirely within the Amps contract and only affects users who explicitly gave Amps the permission to access their USDC.

What should I do to be safe?

Never give permissions to withdraw unlimited funds (as a user) and never ask for these permissions (as a dev). It is safer to ask user to transfer in a fixed amount (e.g. 100 USDC), and top up as needed.

let me re-phrase that for you:

the authors/owners of the Amps contract didn't properly review or audit their contract for security.

their mistake cost users a bunch of money, but they aren't owning up to responsibility for the incident: they left the doors to your money unlocked, and the attackers walked in and took it.

the attackers didn't create the vulnerability, they merely took advantage of it.

being extremely clear about these things is important to our industry. absolutely vital, in fact, because the so-called "leaders" WANT you to be confused about who to trust.

don't be.

soldier of Good. 🪖🥰 
producer × DJ. 🎧 🪩 
working on /campfire. 🫴🪵🔥
host of /downshift ⚙️ + /dww 🎧 +  /gtd 🛠️.
https://linktr.ee/0xdownshift

Absolutely. The contract owners dropped the ball. Attackers just took advantage of an open door. Clear accountability is crucial, don’t get confused about who’s responsible.

i just have strong opinions about comms, especially of the crisis variety.. they may have had to say some things the way they did for legal reasons, but it doesn't all sit right with me 

when i ran war rooms, we were quite direct about the source of fault.

There is nothing more powerful in this world than words.

Nah, doubt this has anything to do with legality. No issue in admitting there was an exploit because of bad code. That's a genuine error not malicious. They just fucked up,.happens all the time, surprised ir didn't happen sooner on here. Although I vaguely remember something else happening with a different app, can't remember what that was now.

https://farcaster.xyz/downshift.eth/0xacc29ae0

Lets hope they admit the cock-up in their post mortem.

Talking *@! In /extracurriculars reminiscing in /gen-x and curating in /trish

If you can't convince them, confuse them 🤯