Incident

Schedly, a mini app on Farcaster, started posting casts without permission on behalf of users, including a cast from Rish’s account about launching a token.

Overall timeline

Impact

14 users saw casts posted from their accounts by Schedly that they had not created. As a result of these casts, some users put money into a scam token that was launched from a Schedly cast on Rish's account. There was no account hack in the traditional sense: user permission secrets were leaked or maliciously used by the developer.

Mitigation

Farcaster and Neynar systems operated as expected. Neynar does not give out access to Farcaster signer private keys (they are encrypted at rest, in a separate data store). We give out signer UUIDs that developers can use together with their API keys. Our API keys can be rotated at any time, and a developer needs both the API key and a signer_uuid to post on behalf of a user. Both are meant to be secrets and are noted as such in our docs.
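To make the two-secret rule concrete, here is an added illustrative model (not Neynar's code or API) of a server-side authorizer that accepts a post only with both a currently valid API key and a signer_uuid registered to that key's developer, and shows why rotating the API key neutralises a leaked signer_uuid. All class names, keys and signer values are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class DeveloperAccount:
    """Hypothetical server-side record for one app developer (constructed)."""
    api_key: str
    # signer_uuids that end users granted to this developer's app
    signer_uuids: set = field(default_factory=set)


class Authorizer:
    """Toy model of the rule above: a post is accepted only with BOTH a valid,
    current API key AND a signer_uuid registered to that key's developer."""
    def __init__(self):
        self._by_key = {}  # api_key -> DeveloperAccount

    def register_developer(self, signer_uuids):
        acct = DeveloperAccount(secrets.token_hex(16), set(signer_uuids))
        self._by_key[acct.api_key] = acct
        return acct.api_key

    def rotate_api_key(self, old_key):
        """Invalidate old_key and issue a new one. Granted signer_uuids are
        kept, so legitimate posting continues once the app uses the new key."""
        acct = self._by_key.pop(old_key)
        acct.api_key = secrets.token_hex(16)
        self._by_key[acct.api_key] = acct
        return acct.api_key

    def can_post(self, api_key, signer_uuid):
        acct = self._by_key.get(api_key)
        if acct is None:
            return False  # unknown or rotated-out key: a signer_uuid alone is useless
        return signer_uuid in acct.signer_uuids


def demo():
    """Walk through the mitigation: a leaked (api_key, signer_uuid) pair can
    post until the key is rotated, then fails, while the app keeps working."""
    auth = Authorizer()
    key = auth.register_developer({"signer-for-alice", "signer-for-bob"})
    leaked = (key, "signer-for-alice")  # both secrets exposed, as in this incident
    before = auth.can_post(*leaked)  # True
    new_key = auth.rotate_api_key(key)
    after = auth.can_post(*leaked)  # False
    still_works = auth.can_post(new_key, "signer-for-alice")  # True
    return before, after, still_works
```

The point of the model is the last three checks: rotation alone ends the misuse without revoking any user's grant, which is why a developer who acknowledges a leak but leaves the key unrotated is the suspicious signal noted below.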

Root cause

Based on the signals so far, the developer appears to be malicious. The developer asked end users for permission to write on their behalf, and users approved signers in the Farcaster app.

The signer_uuids that grant these permissions are available to the developer, alongside their own API key. The developer stored this data in an external Supabase account, explicitly choosing not to use the bundled Neon database provided by Neynar. This Supabase database, together with their API key, was then either hacked or used maliciously by the developer themselves to post on behalf of others.

The developer did not rotate their API key in the developer portal even after publicly acknowledging the leak: https://farcaster.xyz/schedly/0x78cf7c79. They acknowledge the Supabase leak but not the API key leak, which is suspicious. Both must be used to write on behalf of users.


We know from app analytics that they were active on Neynar and Farcaster products on Feb 17, 2026. We have reached out to them and have not heard back.

FAQs