JAKE
@jake
QR MINI APP USERS - PLEASE READ THIS IMPORTANT UPDATE ON TODAY'S INCIDENT.

SUMMARY: QR MINI APP NOTIFICATIONS WERE COMPROMISED. THEY ARE NOW SECURED. THERE ARE NO FURTHER RISKS OR ACTIONS REQUIRED. ALL LOSSES HAVE BEEN REIMBURSED IN FULL.

Earlier today, our QR mini app notifications system was compromised. The system has since been secured. There will be no further damages, there are no further risks for users whether they engaged with the notifications or not, and there are no further actions required by you or any of our users.

As a result of our notifications system being compromised, some users were tricked into participating in a fake airdrop where they were asked to send 0.0006 ETH in order to receive worthless tokens. There were 302 such transactions in total, all of which have now been reimbursed in full. Here is the basescan confirmation for the reimbursement: https://basescan.org/tx/0xe86129aa25785aed91b15b3549cd93ad4d86361961d5b6097f6069001c3d205b

I take full responsibility for this incident and appreciate everyone's patience while we figured out what happened and how best to resolve it as quickly as possible. I want to thank the Farcaster and Neynar teams for their immediate and effective assistance in helping us to do that. Thank you also to everyone who reached out and offered their assistance.

Moving forward, you should feel safe interacting with our regular once-daily notifications, and if you get any other notification that looks unusual, please check my profile or message me before interacting. As always, thank you all for your support.
33 replies
33 recasts
164 reactions

Kieran Daniels
@kdaniels.eth
1. Def don’t feel safe.
2. Are you doing an actual post mortem?
3. How do other teams prevent this? @dylsteck.eth

This was a lucky situation that the app wasn’t actually a financial app and didn’t rekt full trading balances. Is this a systemic mini app vulnerability?
1 reply
0 recast
0 reaction

dylan
@dylsteck.eth
I don’t wanna speak for the whole situation, but it looks like the actual mini app here was compromised in some way, and no compromise at the protocol/Farcaster app/Neynar level in terms of preventing this. Might be worth us adding some best security practices to our docs now.
1 reply
0 recast
1 reaction

Kieran Daniels
@kdaniels.eth
Great call. It’s just worrisome that no one is actually doing a post mortem or explaining what happened, and this was 3 days ago and a network-wide exploit. This would be company ending for a financial product, and the vector is def still there if it just happened randomly and wasn’t a FC issue.
1 reply
0 recast
1 reaction

dylan
@dylsteck.eth
As a small follow up, I don’t think this was network wide since this was isolated to their mini app, and the attack vector was only on the FC app since other clients don’t support mini app notifs yet, and I do think this happened just yesterday unless I’m missing context — but regardless, fully understand the concern here, and from knowing Jake and the team I’m sure they’re taking further action & would share on that front too.
1 reply
0 recast
0 reaction