Security

Last updated: April 2026

How we protect your data

  • All traffic is served over HTTPS.
  • Database access is restricted to server-side API routes — no direct client access.
  • We never store private keys or wallet credentials.
  • On-chain payment verification uses read-only RPC calls — we cannot move funds.
  • Transaction hashes are recorded in a ledger to prevent replay attacks.
  • Admin routes require separate authentication.

Wallet interactions

Los Fomos reads your publicly verified wallet addresses from the Farcaster protocol. We use these only to check NFT balances on Base via read-only contract calls. We only ask you to sign a transaction in features where the app explicitly shows you the request first.

Agentic payment security

Paid bundle endpoints implement the following protections:

  • On-chain verification — we read the actual transaction receipt, not a self-reported claim.
  • Replay protection — each transaction hash can only unlock one request; reuse is rejected.
  • Amount check — we verify the transferred amount meets the minimum required.
  • Recipient check — we verify the transfer was sent to our treasury address specifically.
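The four checks above, together with the replay ledger mentioned under "How we protect your data", as an added example in plain Node.js. This is not Los Fomos' own code. It assumes the payment is an ERC-20 token transfer on Base and that the receipt is the object returned by eth_getTransactionReceipt; the treasury address, token contract, minimum amount and the sample receipts are constructed placeholders, and an in-memory Set stands in for the database ledger of redeemed transaction hashes.

```javascript
// Added example, not Los Fomos' own code. Verifies a payment receipt against
// the four checks on this page plus a replay ledger. All addresses, amounts and
// receipts below are constructed placeholders for illustration.

// keccak256("Transfer(address,address,uint256)"): the ERC-20 Transfer event topic.
const TRANSFER_TOPIC =
  "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";

// Hypothetical treasury, token contract and price (assumptions, not real values).
const TREASURY = "0x1111111111111111111111111111111111111111";
const TOKEN = "0x2222222222222222222222222222222222222222";
const MIN_AMOUNT = 1_000_000n; // e.g. 1 USDC at 6 decimals

// Left-pad a 20-byte address to the 32-byte form used in indexed log topics.
const padAddress = (addr) => "0x" + "0".repeat(24) + addr.slice(2).toLowerCase();
// Recover a lowercase address from a 32-byte topic.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
// Encode a uint256 as the 32-byte hex `data` field of a Transfer log.
const encodeAmount = (n) => "0x" + n.toString(16).padStart(64, "0");

// Recipient check: sum every Transfer emitted by TOKEN whose recipient is TREASURY,
// ignoring transfers from other contracts or to other addresses in the same tx.
function amountPaidToTreasury(receipt) {
  let total = 0n;
  for (const log of receipt.logs) {
    if (log.address.toLowerCase() !== TOKEN) continue;
    if (log.topics[0] !== TRANSFER_TOPIC) continue;
    if (topicToAddress(log.topics[2]) !== TREASURY) continue;
    total += BigInt(log.data);
  }
  return total;
}

// Verify one receipt. `ledger` is the set of tx hashes already redeemed.
// Returns { ok, reason } and records the hash only after every check passes,
// so a failed attempt never burns a hash the payer could still redeem.
function verifyPayment(receipt, ledger) {
  const hash = receipt.transactionHash.toLowerCase();
  if (ledger.has(hash)) return { ok: false, reason: "replay" };
  // On-chain verification: a reverted tx emits no logs, but check status explicitly.
  if (receipt.status !== "0x1") return { ok: false, reason: "tx_failed" };
  const paid = amountPaidToTreasury(receipt);
  if (paid === 0n) return { ok: false, reason: "wrong_recipient" };
  // Amount check.
  if (paid < MIN_AMOUNT) return { ok: false, reason: "amount_too_low" };
  // Replay protection: the hash unlocks exactly one request.
  ledger.add(hash);
  return { ok: true, reason: "paid", amount: paid };
}

// Constructed sample receipts in the shape eth_getTransactionReceipt returns.
const PAYER = "0x3333333333333333333333333333333333333333";
const OTHER = "0x4444444444444444444444444444444444444444";
const makeReceipt = (hash, status, to, amount) => ({
  transactionHash: hash,
  status,
  logs: status === "0x1" ? [{
    address: TOKEN,
    topics: [TRANSFER_TOPIC, padAddress(PAYER), padAddress(to)],
    data: encodeAmount(amount),
  }] : [],
});
const PAID_RECEIPT = makeReceipt("0xAA".padEnd(66, "a"), "0x1", TREASURY, 2_000_000n);
const LOW_AMOUNT_RECEIPT = makeReceipt("0xBB".padEnd(66, "b"), "0x1", TREASURY, 500_000n);
const WRONG_RECIPIENT_RECEIPT = makeReceipt("0xCC".padEnd(66, "c"), "0x1", OTHER, 2_000_000n);
const REVERTED_RECEIPT = makeReceipt("0xDD".padEnd(66, "d"), "0x0", TREASURY, 2_000_000n);

// Stand-alone demo: the same hash is accepted once and rejected on reuse.
const demoLedger = new Set();
console.log(verifyPayment(PAID_RECEIPT, demoLedger));
console.log(verifyPayment(PAID_RECEIPT, demoLedger));
console.log(verifyPayment(WRONG_RECIPIENT_RECEIPT, demoLedger));
```

Two things the in-memory Set hides: in a real service the ledger write has to be atomic (a unique index on the hash, or an insert that fails if the row exists), otherwise two concurrent requests carrying the same hash can both pass the lookup before either records it; and the receipt must come from an RPC endpoint you trust, read after enough confirmations that a reorg cannot drop the transaction.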

Responsible disclosure

If you find a security vulnerability in Los Fomos, please report it privately before disclosing it publicly. Contact us on Farcaster at @losfomos or reach out directly in the Los Fomos channel. We'll respond as quickly as we can and work with you to resolve the issue.

We appreciate responsible disclosure and will credit researchers who report valid issues.

Third-party services

Los Fomos uses the following external services, each with its own security practices:

  • Supabase — database hosting
  • Vercel — deployment and edge infrastructure
  • Upstash — Redis cache and async jobs
  • Base chain — on-chain role and payment verification