Provenance
· by Lectern
lctrn.app ↗
◆ methodology

Audit the auditor.

The Provenance score is a deterministic public formula. Every weight, every threshold, every data source is documented below. Same input always produces the same score — that property is what makes the audit credible.

Scoring starts at 100, applies all deductions, applies all bonuses, clamps to [0, 100], and assigns a band. There is no proprietary scoring, no Pro-bonus, no Lectern-bonus, no time-decay. The reward for clean Provenance is the same for everyone.

bands
· Verified Provenance: 90+
· Strong Provenance: 75+
· Mixed Provenance: 50+
· Weak Provenance: 25+
· No Provenance: 0+
deductions (10)
Recovery has been initiated
-25
A Transfer event means custody changed hands, usually after compromise, custodial-service migration, or a wrapper-driven password reset. This is the strongest negative signal because it implies the account WAS once owned by a different key.
source: Optimism IdRegistry — Transfer(fid) event history (via Hub onChainEventsByFid)
Recovery address equals custody address
-20
Circular fallback. If custody is compromised, recovery is functionally useless because the attacker controls both. Default state for custodial app signups and many bot accounts.
source: Optimism IdRegistry — recoveryOf(fid) + custodyOf(fid)
Fname changed in the last 6 months
-15
Recent identity churn often signals reputation laundering — someone bought a desirable fname and renamed to it, picking up the historical reputation of the prior holder.
source: fnames.farcaster.xyz/transfers
No primary verified ETH address
-15
Verifications tie a FID to wallets. Without a primary ETH verification, none of the account's off-chain identity claims (NFT ownership, on-chain history, etc.) can be confirmed.
source: Farcaster Hub — verificationsByFid
No verified addresses at all
-10
No public ownership anchors beyond the custody address itself.
source: Farcaster Hub — verificationsByFid
Over 3 active signers (base + per-extra)
-10
Each signer is a delegated app key that can post / react / DM on the account's behalf. 1–3 signers is normal usage. Above 3 implies many third-party apps with persistent access, each a potential leak point. Base deduction is -10; -2 per extra signer beyond 3.
source: Optimism KeyRegistry — Add/Remove/AdminReset event stream (via Hub onChainEventsByFid)
Fname changed at some point in the past
-5
Older fname churn is a weaker signal than recent, but still indicates mutable identity. Suppressed when the recent-change deduction applies (the larger deduction covers it).
source: fnames.farcaster.xyz/transfers
Account is less than 30 days old
-5
Sybil resistance is a function of tenure. A 30-day window is short enough to be merciful to new real users while still flagging accounts created specifically for a campaign.
source: Optimism IdRegistry — Register(fid) event timestamp
Custody wallet has no activity outside Farcaster
-3
Real human wallets accumulate non-Farcaster transactions over time (NFTs, swaps, gas top-ups). A custody address with zero non-Farcaster activity is either a brand-new wallet OR a single-purpose address created by a custodial app at signup. Small deduction because plenty of real users start clean.
source: Blockscout / Etherscan — custody address tx history (Optimism + Ethereum)
Active signers have not been rotated in over a year
-3
Security hygiene signal. Periodic key rotation reduces the window during which a leaked key matters. Not a hard rule — many real users never rotate — so the deduction is small.
source: Optimism KeyRegistry — Add event timestamp for the oldest still-active signer
bonuses (7)
Recovery address is a contract (likely multisig)
+10
Strongest single positive signal. Even if the custody key is compromised, an attacker needs M-of-N multisig signers to take over the account. The gold standard recovery setup.
source: Optimism — eth_getCode on the recovery address
3+ verified addresses across chains
+5
Multi-chain verifications indicate active multi-ecosystem usage and create multiple cryptographic identity anchors. Hard to replicate in bulk for a sybil attack.
source: Farcaster Hub — verificationsByFid
Custody wallet has meaningful pre-Farcaster on-chain history
+5
Wallet existed (with at least 10 non-Farcaster transactions) at least 6 months before Farcaster registration. Strong signal that the custody key belongs to a real wallet, not a wrapper-created single-purpose address.
source: Blockscout / Etherscan — custody address tx history
Account is at least 1 year old
+5
Inverse of the young-account deduction. Tenure earns trust over time, especially on Farcaster where sybil-resistance scales with active days.
source: Optimism IdRegistry — Register(fid) event timestamp
Custody wallet paid for storage directly
+3
Most signups have storage paid by the Bundler contract or a Farcaster Pro subscription. When the custody address itself paid the rent, the full ownership chain is sovereign with no third-party subsidy.
source: Optimism StorageRegistry — Rent(payer, fid) events (via Hub onChainEventsByFid)
Minimal signer surface (1-2 active signers)
+3
Fewer delegated keys = fewer attack surfaces. 1-2 is the "I use one or two Farcaster apps, full stop" pattern.
source: Optimism KeyRegistry — signer event stream
Full profile (pfp + bio + banner)
+2
A complete profile indicates real usage, not a throwaway account. Small bonus — easy to fake in isolation, but combined with other signals it raises confidence.
source: Farcaster Hub — userDataByFid
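The formula above, written out as an added example (this is not Lectern's own code). The field names are hypothetical and the inputs are assumed to be already fetched from the listed sources. Three readings are assumptions: 4 signers cost -12 (base plus one extra), the two verification deductions stack, and "a year" is 365 days.

```python
from dataclasses import dataclass

@dataclass
class Signals:  # hypothetical field names; inputs are assumed already fetched
    transferred: bool = False            # IdRegistry Transfer event seen
    recovery_is_custody: bool = False
    fname_changed_recent: bool = False   # within the last 6 months
    fname_changed_ever: bool = False
    has_primary_eth: bool = True
    verified_addresses: int = 1
    active_signers: int = 1
    age_days: int = 100
    custody_external_activity: bool = True
    oldest_signer_age_days: int = 0
    recovery_is_contract: bool = False   # eth_getCode returned non-empty code
    pre_farcaster_history: bool = False  # >=10 txs, >=6 months before signup
    paid_own_storage: bool = False
    full_profile: bool = False

BANDS = [(90, "Verified"), (75, "Strong"), (50, "Mixed"), (25, "Weak"), (0, "No")]

def score(s: Signals) -> tuple[int, str]:
    extra = max(0, s.active_signers - 3)
    deltas = [  # (points, applies); deductions first, then bonuses
        (-25, s.transferred),
        (-20, s.recovery_is_custody),
        (-15, s.fname_changed_recent),
        (-5, s.fname_changed_ever and not s.fname_changed_recent),  # suppressed
        (-15, not s.has_primary_eth),
        (-10, s.verified_addresses == 0),       # assumed to stack with the -15
        (-10 - 2 * extra, extra > 0),           # assumed: 4 signers = -12
        (-5, s.age_days < 30),
        (-3, not s.custody_external_activity),
        (-3, s.oldest_signer_age_days > 365),   # "over a year" taken as 365 days
        (10, s.recovery_is_contract),
        (5, s.verified_addresses >= 3),         # chain diversity not modelled
        (5, s.pre_farcaster_history),
        (5, s.age_days >= 365),
        (3, s.paid_own_storage),
        (3, 1 <= s.active_signers <= 2),
        (2, s.full_profile),
    ]
    total = max(0, min(100, 100 + sum(pts for pts, hit in deltas if hit)))
    band = next(name for floor, name in BANDS if total >= floor)
    return total, f"{band} Provenance"

# Constructed sample: a fresh custodial-app signup with no verifications.
custodial = Signals(recovery_is_custody=True, has_primary_eth=False, verified_addresses=0,
                    age_days=10, custody_external_activity=False)
```

Because the clamp is applied once at the end, bonuses can offset deductions before the band is assigned, and a clean account whose bonuses push it past 100 still reports 100.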
what we don't measure (and why)
  • Follower count. Followers can be bought; an account with a clean Provenance score and zero followers is more sovereign than one with 100k bought followers and a recovered key.
  • Cast quality / engagement. Subjective + easily gamed. Out of scope for an audit-of-ownership tool.
  • Channel membership. Doesn't speak to identity sovereignty.
  • Power Badge / paid status. Pro subscriptions don't impact the score. Lectern Pro doesn't either — paying for our app doesn't earn Provenance points.
  • Mutual follows / network. Sybil-resistant only at scale; we'd need a graph algorithm and a way to ground-truth it. Future enhancement, not v1.
data sources
· Farcaster Hub (Quilibrium Haatz default) — UserData, Verifications, on-chain events
· fnames.farcaster.xyz — fname ownership history
· Optimism mainnet — IdRegistry / KeyRegistry / StorageRegistry contract reads
· Public RPC (publicnode.com default) — recovery-address isContract check