Varun Srinivasan
@v
An attacker compromised the Amps contract 12 hours ago, stealing ~$6,700 USDC from 112 Amps users. @phil and the Amps team fixed the issue and refunded users. @horsefacts and the Farcaster team have been assisting. Farcaster wallets are safe and unaffected.

Who was affected? Users who gave Amps an allowance to withdraw USDC from their wallet to purchase likes and recasts were affected. Users who simply used Amps to receive funds for likes and recasts are unaffected. Users who did not use Amps are unaffected.

What happened? The Amps team will publish a detailed report soon. In short, their contract had a vulnerability, and the attacker was able to withdraw USDC that users had given Amps permission to withdraw. Some users gave Amps permission to withdraw all USDC from their wallet, and the attacker was able to withdraw all of it.

Are Farcaster wallets unsafe? No, Farcaster wallets remain safe to use. The exploit is entirely within the Amps contract and only affects users who explicitly gave Amps permission to access their USDC.

What should I do to be safe? Never give permission to withdraw unlimited funds (as a user), and never ask for such permission (as a dev). It is safer to ask the user to transfer in a fixed amount (e.g. 100 USDC) and top up as needed.
26 replies
36 recasts
196 reactions
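The post above turns on one ERC-20 mechanism: a user calls approve(spender, amount), and the spender contract can later call transferFrom for up to that amount. The block below is an added example, not code from the post or from Amps or Farcaster. It models a minimal ERC-20 in memory, shows how much a compromised spender contract can take from a wallet under an unlimited approval, a bounded approval, and the "transfer a fixed amount in" pattern the post recommends, and then inspects raw approve() calldata so a user or wallet can refuse an unlimited request before signing it. The addresses, balances and the "amps-like-contract" label are constructed for the demo; USDC is assumed to use 6 decimals; the 0x095ea7b3 selector is the standard ERC-20 approve(address,uint256) selector.

```javascript
// Added example (not code from the post above or from Amps/Farcaster).
// A compromised spender contract can move exactly what the owner's allowance
// permits, so the size of the allowance is the blast radius. Addresses and
// balances are constructed for the demo; USDC is assumed to use 6 decimals.

const MAX_UINT256 = (1n << 256n) - 1n;
// First 4 bytes of keccak256("approve(address,uint256)"), the standard ERC-20 selector.
const APPROVE_SELECTOR = "095ea7b3";
const usdc = (whole) => BigInt(whole) * 1000000n; // whole USDC -> 6-decimal units

// Toy ERC-20 holding only the state an allowance exploit touches.
class Token {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  balanceOf(who) { return this.balances.get(who) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}|${spender}`) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  approve(owner, spender, amount) { this.allowances.set(`${owner}|${spender}`, amount); }
  transfer(from, to, amount) {
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    this.balances.set(from, this.balanceOf(from) - amount);
    this.mint(to, amount);
  }
  // Called by the spender contract; reverts (throws) if allowance or balance is short.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    this.approve(from, spender, allowed - amount);
    this.transfer(from, to, amount);
  }
}

// An attacker who controls the spender contract takes min(allowance, balance).
function drain(token, spender, victim, attacker) {
  const allowed = token.allowance(victim, spender);
  const balance = token.balanceOf(victim);
  const take = allowed < balance ? allowed : balance;
  if (take > 0n) token.transferFrom(spender, victim, attacker, take);
  return take;
}

// Three ways a user might fund a pay-for-likes app, and what a compromised
// spender contract can take from the wallet under each. The labels are
// constructed stand-ins for real addresses.
function simulate(policy) {
  const token = new Token();
  const victim = "victim", spender = "amps-like-contract", attacker = "attacker";
  token.mint(victim, usdc(1000));
  if (policy === "unlimited") token.approve(victim, spender, MAX_UINT256);
  else if (policy === "bounded") token.approve(victim, spender, usdc(100));
  else if (policy === "deposit") token.transfer(victim, spender, usdc(100)); // no allowance at all
  else throw new Error(`unknown policy ${policy}`);
  const stolenFromWallet = drain(token, spender, victim, attacker);
  return {
    stolenFromWallet,
    walletLeft: token.balanceOf(victim),
    heldByContract: token.balanceOf(spender), // at risk only if the contract itself is looted
  };
}

// Calldata-level check a wallet or user can run on the approve() a mini app
// proposes: refuse "unlimited", and flag anything above a cap you chose.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address");
  if (amount < 0n || amount > MAX_UINT256) throw new RangeError("not a uint256");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}
const revokeCalldata = (spender) => encodeApprove(spender, 0n);

function inspectApproveCalldata(calldata, capUnits) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 136) return { kind: "not-approve" };
  const spender = "0x" + data.slice(32, 72); // address is the low 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(72, 136));
  const kind = amount === 0n ? "revoke"
    : amount === MAX_UINT256 ? "unlimited"
    : amount > capUnits ? "over-cap"
    : "bounded";
  return { kind, spender, amount };
}

for (const policy of ["unlimited", "bounded", "deposit"]) console.log(policy, simulate(policy));
const demoSpender = "0x" + "ab".repeat(20); // constructed address
console.log(inspectApproveCalldata(encodeApprove(demoSpender, MAX_UINT256), usdc(100)).kind);
console.log(revokeCalldata(demoSpender));
```

Under the "unlimited" policy the whole 1000 USDC leaves the wallet; under "bounded" at most the 100 USDC allowance does; under "deposit" nothing can be pulled from the wallet, and only the 100 USDC already sitting in the contract is exposed. The revoke calldata is just approve(spender, 0); sending it from the owner's wallet to the token contract is what a "revoke" button does. Note that this toy decrements the allowance on every transferFrom; some real tokens skip the decrement when the allowance is the maximum value, which makes an unlimited approval effectively permanent.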

Duxander.base.eth |🔵
@altagers.eth
add an option to revoke for farplets
3 replies
0 recast
38 reactions

bertwurst
@bertwurst.eth
rebranding it as a learning experience for me! thankful it happened with @phil and team, who handled it quickly and transparently.
0 reply
0 recast
7 reactions

Nounish Prof ⌐◧-◧🎩
@nounishprof
Was it just users who gave permission to use the fc wallet?
1 reply
0 recast
2 reactions

aferg
@aferg.eth
Is there a Farcaster app for checking/revoking privileges?
1 reply
0 recast
1 reaction

jac
@aphextwin
nice, and let us hide spam tokens
1 reply
0 recast
4 reactions

potato
@potato
@goldie had his mini app exploited as well
1 reply
0 recast
2 reactions

max ↑
@baseddesigner.eth
never understood this approval thing in Ethereum: you either want to complete the transaction or not, so why leave an approval hanging over your assets forever?
1 reply
0 recast
3 reactions

Duxander.base.eth |🔵
@altagers.eth
there is also a cast from compez; he was scammed a couple of days ago too, most likely in a mini app. https://farcaster.xyz/compez.eth/0xbc4df7ca
0 reply
0 recast
2 reactions

Cool Beans 🌞
@coolbeans1r
Once again, devs not doing their job to protect users. Par for the crypto course.
1 reply
0 recast
1 reaction

Noted Debug
@notedebug
I don't give more allowance.
0 reply
0 recast
0 reaction

Basehead
@0xsniper
Should I move funds if I've used Amps before?
0 reply
0 recast
0 reaction

matar caesar
@matarcaesar
Good luck
0 reply
0 recast
0 reaction

Emmy Walka
@emmywalka
Will die on this hill https://farcaster.xyz/emmywalka/0x1af346c1
0 reply
0 recast
0 reaction

Ej
@tugzpaker.eth
hackers ain't sleepin
0 reply
0 recast
0 reaction

J. Valeska 🦊🎩🫂
@jvaleska.eth
are other similar ways of interaction (from other apps) potentially at risk, or is it something specific to the Amps contracts? thinking of other apps that allow auto-spend of our USDC
0 reply
0 recast
0 reaction

REN2140
@ren2140.eth
Would be neat to get a mini app that revokes unlimited approvals for the warplet easily.
0 reply
0 recast
0 reaction

Tonia Packer 🐱
@tohpac1
A revoking option would be better. I mistakenly sent my funds to an inactive account on 08-07-25 @v. Would appreciate it if the team could work on revoking transactions.
0 reply
0 recast
0 reaction

helladj
@helladj
Can I check my allow list somewhere, somehow?
1 reply
0 recast
0 reaction

Peter Arogundade
@noblepeter2000
Thanks for the update.
0 reply
0 recast
0 reaction