
Farchiver Security (Part 3 of a 4-part series)

Casts are public, collections are private

TL;DR

  • No secrets.

  • Serverless and Stateless.

  • Security bounties.

No secrets

POV December 2023: if Ledger Connect can be supply-chain attacked, if X can get link-jacked, then a smol project like Farchiver should never manage secrets.

The contents of any Farchive are 100% public. Farcaster shares everything in real-time, across the decentralized and permissionless Hub network.

Meanwhile, a Farchive collects all your social activities into a neat package. The act of extracting one individual's activities, out of the swirling sea of global messages, can feel intrusive.

For most users, it is better to keep the files unencrypted. For those who are extremely concerned about privacy, we offer symmetric encryption of each Farchive. We throw away the key right after encryption, so the contents of the Farchive are unrecoverable if the key is lost.

Serverless and Stateless

The Farchiver website offers a private section, behind signed wallet authentication provided by Dynamic. Connection + signature takes two clicks, in one flow.

Each Farchive is a gzipped tarball with a random name. Cloudflare R2 protects these assets from scraper bots, providing access by exact filename only. Serverless Cloudflare Workers verify Dynamic-signed JWTs, and Cloudflare KV holds metadata mappings at the edge.

Even if a malicious actor is able to present properly structured spoofed credentials after reverse-engineering the flow, they would still need to break the whitelisted communication channels, the JWT signature chain, and/or the adaptive Cloudflare network in order to access unauthorized data.

Farchiver does not need to secure a large set of private secrets, only a handful of API keys across multiple trustworthy providers.

Security Bounties

One view on Farcaster: startups paying for smart contract audits before PMF ngmi

Our problem is different. Farchiver is never gonna hit $100k in daily volume. Nobody with skillz would waste their time on our tiny-stakes project. Yet security is of paramount importance to end users.

So we launched a 0.75 ETH bounty on POIDH, payable to anybody who could retrieve private filenames hidden with Vitalik's public ENS. To our vast surprise, a 21-year-old anon weightlifter in a small village in Germany hacked the site in ~45 minutes.

The smart contract paid 0.75 ETH [proof]. We learned many valuable lessons. Individual pieces may be highly secure, but a project combining battle-tested, open-source technologies can still have holes.

We immediately hardened endpoints and rotated secrets. The hacker is actually a member of a whitehat collective and worked with us responsibly. Very happy to recommend privately.

We implemented three features/migrations that were already on the roadmap but got pulled forward from nice-to-haves to P0:

  • random filenames + (optional) encryption + obfuscation

  • migrated from DigitalOcean to Cloudflare

  • switched from wagmi + WalletConnect to Dynamic (still wrapping WalletConnect)

Follow @farchiver on Farcaster for new security bounties in January 2024 👀 .

Up Next: How Farchiver

#secret-less #serverless #stateless #security-bounty