August 24, 2023

Friend.Tech exposes 100,000+ addresses' related info: how to protect user privacy of social Dapps

In just 12 days since its launch, Friend.Tech has attracted enthusiastic participation from Web3 users. Friend.Tech started as an invite-only beta and quickly drew a large number of users, even attracting the attention of big-name crypto influencers, NBA players, and OnlyFans creators.

This latest Web3 social application allows users to trade tokenized "shares" of their favorite influencers. Amid the frenzy, some security issues have also drawn attention.

On the afternoon of August 21, banteg, a Yearn core developer, tweeted that the information of more than 100,000 users had been leaked. The leaked data included users' wallet addresses and Twitter information, which caused huge controversy and attention.

Beosin investigated the information leakage incident immediately and also conducted a detailed analysis of the project. The following is our analysis.

Base's Hot New Dapp: What's Friend.Tech?

Friend.Tech is a decentralized social application built on the Base blockchain. Users bind their Twitter accounts and crypto wallets in order to use Friend.Tech and earn from it. Its core idea is to tokenize users' influence: users can purchase other users' "shares" to obtain the right to communicate directly with them. Yuga Cohler, a senior software engineer at Coinbase, emphasized in a tweet that Friend.Tech is a decentralized social media platform for crypto users. The core of Friend.Tech's innovation lies in the use of "shares" as digital assets. These shares symbolize ownership when interacting with crypto users. This concept mirrors the ownership principles of the stock market, where owning stock is equivalent to owning a stake in a particular company.

At present, the official website of Friend.Tech is relatively simple, and the white paper and roadmap have not yet been released. It is currently known that each additional shareholder of a token raises its price, and that each transaction pays an additional 10% transaction fee, of which 5% goes to the protocol and 5% goes to the creator. At present, Friend.Tech has more than 100,000 users. Cobie, a crypto KOL with more than 700,000 followers, and Ansem, a trader, have joined, and the transaction volume of shares has exceeded $34 million.

What are the reasons for Friend.Tech's explosive growth?

1. Twitter KOLs bring huge influence to Friend.Tech

As a social product, Friend.Tech offers considerable benefits to KOLs by tokenizing their influence. Every time a user purchases shares, the corresponding KOL receives 5% of the transaction fee. Therefore, Friend.Tech is very attractive to influential KOLs. KOLs can monetize their fan economy through Friend.Tech, and the presence of KOLs has brought an increase in the number of users and the popularity of Friend.Tech.

2. Airdrop Expectations

On August 19, Friend.Tech announced on Twitter that Paradigm will participate in its seed round of financing and that it will cooperate with Paradigm to build advanced social tools.

Users earn points when using Friend.Tech. Friend.Tech announced that these points will be used for special purposes after the 6-month test period ends, and that the airdrop will be based on users' activity. Therefore, Friend.Tech currently attracts a large number of airdrop hunters, who contribute to its statistics.

Privacy Controversy

On August 21, the data of more than 100,000 Friend.Tech users was leaked. The reason is that the API provided by Friend.Tech can be used to directly query a user's wallet and the bound Twitter account. The queryable API link is as follows:

(The full link to the API has been hidden for security reasons)

Simply replacing the address in the link (the address of the founder of Friend.Tech) with any other address that interacts with Friend.Tech returns that user's information. The query results of the above API link:

Although Friend.Tech responded that the information was merely scraped from its public API, this response to the reports of information leakage is irresponsible. The information includes the wallet address and the Twitter account, that is, on-chain information and off-chain information, which is enough for hackers or centralized institutions to tie a wallet to a real-world entity.

In addition, MEV bots can combine the information provided by the current API with information on the Base blockchain to monitor whether influential KOLs join, so as to frontrun their shares as soon as they join. At present, Friend.Tech is already flooded with MEV bots, which harms real users.

In addition, through further analysis of the information provided by the current API together with the leaked 100,000+ records, hackers may be able to obtain more transaction and identity information about users, who may then face potential social engineering attacks.

How to solve these issues?

1. Clarify the privacy policy as soon as possible

Friend.Tech has been live for 12 days, but its privacy policy still hasn't been released. If Friend.Tech continues to provide the current API access service, it should clearly state in its privacy policy that the API will provide users' wallet information and Twitter account information to everyone. If Friend.Tech subsequently modifies the API access service, it also needs to declare in its privacy policy which API services will be provided to which users, and which information will be provided to API callers.

Friend.Tech currently has no privacy policy

2. Adjust API access permissions

Although the addresses that interact with the contract are publicly available on the blockchain, this does not mean that Friend.Tech should expose the addresses together with the associated Twitter accounts to everyone. Beosin suggests that Friend.Tech's publicly accessible API should not return a user's wallet information and Twitter account information at the same time. In addition, Friend.Tech should prevent non-holders of a given user's shares from viewing that user's wallet and Twitter account, which stops MEV bots from identifying influential users in advance and frontrunning them. We expect that Friend.Tech can formulate more API access rules to better protect user privacy and provide a better user experience.
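To make the two suggestions above concrete, here is an added example (written for this article, not Friend.Tech's own code) of an authorization layer for a profile-lookup endpoint. It contrasts the open lookup described in the incident with a gated variant that returns the wallet and the Twitter handle together only to the user themselves or to a current holder of that user's shares. The profile table and share holdings are constructed sample data; in a real deployment the holdings would be read from the contract state on Base and `requester` would be the authenticated caller's address.

```python
"""Added example: gating a wallet <-> Twitter profile lookup.

Hypothetical data model, not Friend.Tech's API. `requester` is assumed
to be the authenticated address of the caller (None if unauthenticated).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    address: str   # wallet address (on-chain identity)
    twitter: str   # bound Twitter handle (off-chain identity)


# Constructed sample data: two users and who holds whose shares.
PROFILES = {
    "0xaaa1": Profile("0xaaa1", "@creator_one"),
    "0xbbb2": Profile("0xbbb2", "@fan_two"),
}
# subject address -> set of addresses currently holding that subject's shares
SHARE_HOLDINGS = {
    "0xaaa1": {"0xbbb2"},
    "0xbbb2": set(),
}


def open_api_lookup(address: str) -> Optional[dict]:
    """The weak design from the incident: any caller who knows an address
    (e.g. scraped from chain) receives the full wallet/Twitter binding."""
    p = PROFILES.get(address)
    return None if p is None else {"address": p.address, "twitter": p.twitter}


def gated_lookup(requester: Optional[str], address: str) -> Optional[dict]:
    """Hardened variant: the on-chain and off-chain identities are only
    returned together to the subject or to a holder of the subject's shares.
    Everyone else gets only what the chain already makes public."""
    p = PROFILES.get(address)
    if p is None:
        return None
    is_self = requester == address
    holds_shares = requester in SHARE_HOLDINGS.get(address, set())
    if is_self or holds_shares:
        return {"address": p.address, "twitter": p.twitter}
    return {"address": p.address, "twitter": None}
```

Address enumeration still works against the gated endpoint, but an unrelated caller only learns that an address is a user, not which Twitter account it belongs to, which is the link the leak exposed.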

3. Account Segregation

Beosin recommends that users use a new wallet to interact with Friend.Tech, and that the funds in this wallet be withdrawn directly from a centralized exchange, so that the new wallet cannot be linked to their other addresses. At the same time, users who interacted with Friend.Tech before August 22 should assume their user data has been leaked and should watch out for possible targeted phishing attacks in the future. We recommend the Beosin Alert anti-phishing extension to readers and friends, which can identify most phishing websites in the Web3 field and protect everyone's wallet and asset security.

Anti-phishing extension download:

Overall, Friend.Tech is hot and has amassed tens of thousands of users, which is a promising sign for the Base ecosystem. However, some legal experts have also warned that Friend.Tech may attract the attention of the SEC, and the security and privacy risks mentioned above cannot be ignored.
