What if the malicious client sends an invisible DM to the attacker not only with your nsec but also with your Nostr Wallet Connect secret?

Since you are not verifying your zaps out, they can just slowly drain your funds forever.


Discussion

Primal's reputation is worth more than the throwaway money in my Nostr wallet.

It's really just like banks. Eventually we'll circle back around to trusting institutions because it's just easier, and safer for the average person.

What if attackers have been stealing small amounts from you for the past year and you have not realized?

I don't use NWC. Too low friction. Bad security posture.

However, doesn't NWC have spend limits for this reason?

Yep, but if people don't check where each individual zap is going then who knows which wallet is actually receiving them. A malicious client can create a zap for A to receive but with B's address.
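Added example for the point made in this reply (that a spend limit alone does not tell you where a zap actually went). It is written for this page and is not code from the thread, from Primal, Amethyst or any NWC wallet. It shows the two checks a zapping client or wallet can make: before paying, that the kind 9734 zap request's `p` tag is the person you meant to zap and that the LNURL callback sits on the host the recipient's own `lud16` resolves to (LUD-16); after paying, that the kind 9735 receipt is signed by the server's advertised `nostrPubkey`, names the intended recipient, and embeds the exact zap request you sent. All pubkeys, domains, events and LNURL responses are constructed sample values, and the helper names (`check_zap_request`, `check_zap_receipt`, `demo`) are this example's own.

```python
import hashlib
import json
from urllib.parse import urlparse

# All pubkeys, profiles, events and LNURL responses below are constructed sample
# data for this example; none of them come from the thread above.
INTENDED_RECIPIENT = "a" * 64   # "A": the note author you meant to zap
IMPOSTOR = "b" * 64             # "B": where a malicious client redirects the zap
ZAPPER = "c" * 64               # your own pubkey
LNURL_SERVER_KEY = "d" * 64     # key the honest LNURL server signs zap receipts with
PROFILE_A = {"name": "alice", "lud16": "alice@ln.example.com"}  # A's kind-0 metadata


def event_id(ev: dict) -> str:
    """NIP-01 event id: sha256 over the canonical array serialization."""
    canon = json.dumps(
        [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
        separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def lud16_to_lnurlp(lud16: str) -> str:
    """LUD-16: user@domain maps to https://domain/.well-known/lnurlp/user."""
    user, domain = lud16.split("@", 1)
    return f"https://{domain}/.well-known/lnurlp/{user}"


def first_tag(ev: dict, name: str):
    """Value of the first tag with the given name, or None."""
    for tag in ev.get("tags", []):
        if len(tag) >= 2 and tag[0] == name:
            return tag[1]
    return None


def check_zap_request(zap_request: dict, intended_pubkey: str, profile: dict,
                      lnurl_response: dict, max_msats: int) -> list:
    """Checks to run BEFORE the invoice reaches the wallet. Empty list == consistent."""
    findings = []
    if zap_request.get("kind") != 9734:
        findings.append("not a kind 9734 zap request")
    p = first_tag(zap_request, "p")
    if p != intended_pubkey:
        findings.append(f"'p' tag points at {p} instead of the intended recipient")
    try:
        amount = int(first_tag(zap_request, "amount") or 0)
    except ValueError:
        amount = -1
    if not 0 < amount <= max_msats:
        findings.append(f"amount {amount} msat is missing, invalid or above the {max_msats} msat budget")
    # The LNURL callback must sit on the domain the recipient's own lud16 resolves to;
    # a callback on another host means someone other than the recipient gets paid.
    expected_host = urlparse(lud16_to_lnurlp(profile["lud16"])).hostname
    callback_host = urlparse(lnurl_response.get("callback", "")).hostname
    if callback_host != expected_host:
        findings.append(f"LNURL callback host {callback_host} != lud16 host {expected_host}")
    if not lnurl_response.get("allowsNostr"):
        findings.append("LNURL server does not advertise allowsNostr; no receipt can be verified")
    return findings


def check_zap_receipt(receipt: dict, sent_request: dict, intended_pubkey: str,
                      lnurl_response: dict) -> list:
    """Checks to run AFTER payment on the kind 9735 receipt the LNURL server publishes."""
    findings = []
    if receipt.get("kind") != 9735:
        findings.append("not a kind 9735 zap receipt")
    if receipt.get("pubkey") != lnurl_response.get("nostrPubkey"):
        findings.append("receipt not signed by the server's advertised nostrPubkey")
    if first_tag(receipt, "p") != intended_pubkey:
        findings.append("receipt 'p' tag is not the intended recipient")
    try:
        embedded = json.loads(first_tag(receipt, "description") or "")
        same = event_id(embedded) == event_id(sent_request)
    except (ValueError, KeyError, TypeError):
        findings.append("receipt carries no parseable zap request in 'description'")
        return findings
    if not same:
        findings.append("receipt describes a different zap request than the one you sent")
    return findings


def make_zap_request(recipient: str, amount_msat: int) -> dict:
    """Build a minimal kind 9734 zap request (constructed sample, unsigned)."""
    return {"kind": 9734, "pubkey": ZAPPER, "created_at": 1700000000, "content": "",
            "tags": [["p", recipient], ["amount", str(amount_msat)],
                     ["relays", "wss://relay.example.com"],
                     ["lnurl", "lnurl1placeholder"]]}  # real clients put the bech32 lnurl here


HONEST_LNURL = {"callback": "https://ln.example.com/lnurlp/alice/callback",
                "allowsNostr": True, "nostrPubkey": LNURL_SERVER_KEY}
REDIRECTED_LNURL = {"callback": "https://ln.attacker.example/lnurlp/bob/callback",
                    "allowsNostr": True, "nostrPubkey": "e" * 64}


def demo() -> dict:
    """Run the checks on an honest zap and on one a malicious client redirected to B."""
    honest_req = make_zap_request(INTENDED_RECIPIENT, 21_000)
    honest_receipt = {"kind": 9735, "pubkey": LNURL_SERVER_KEY, "created_at": 1700000010,
                      "content": "", "tags": [["p", INTENDED_RECIPIENT], ["P", ZAPPER],
                                              ["bolt11", "lnbc-placeholder"],
                                              ["description", json.dumps(honest_req)]]}
    # Malicious client: the UI says "zap A", but the request is built for B's address.
    redirected_req = make_zap_request(IMPOSTOR, 21_000)
    return {
        "honest_request": check_zap_request(honest_req, INTENDED_RECIPIENT, PROFILE_A, HONEST_LNURL, 50_000),
        "honest_receipt": check_zap_receipt(honest_receipt, honest_req, INTENDED_RECIPIENT, HONEST_LNURL),
        "redirected_request": check_zap_request(redirected_req, INTENDED_RECIPIENT, PROFILE_A, REDIRECTED_LNURL, 50_000),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

The redirected request fails twice, on the `p` tag and on the callback host, while staying well inside the 50,000 msat budget, which is exactly why a spend limit on its own is not enough. A complete wallet-side check would additionally decode the bolt11 and compare its description hash with the sha256 of the zap request, and verify the Schnorr signature on the receipt; both need a bolt11 decoder and a secp256k1 library and are left out here.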

Thank you for all you do, Vitor 🙏 I'm hoping for a good open-source mobile nostr client with an ecash wallet built in. Don't mind manually maintaining the balance with a separate lightning wallet. #GrapheneOS user that prefers to minimize background app communication. Amethyst someday maybe?