You are viewing a single comment's thread from:

RE: Mystery of the Daisy Chain: Solved

in LeoFinance, 2 years ago (edited)

Btw, a lot of hive engine tokens and games require only the posting key for transferring assets

Good point!
They should probably change the code as that is the entire point of the active key.
But yeah, it's little things like that that can lead to a big problem down the road.


I could be wrong here but I think they almost exclusively use custom JSON. RIP 💀.

You are right and wrong.

Seems like you don't know yet that there is an option for custom JSON to require either the posting key or the active key for signature. Most custom JSONs on HE that move money around require active key authority. I've actually tested this functionality myself with the API.

Yeah but I think it's because it is a hierarchical structure. Active key has all permissions except for owner permissions.

So in my mind the posting key is just a limited scope of active. If it is entirely separate there's nothing to worry about, maybe.

Also, would the "depth" parameter not apply to active? Either way there's a whole lot of trust given there.

The thing being worried about is devs creating tokens and allowing them to be transferred with posting key authority using custom JSONs.
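
The check this thread is about, as an added example that is not part of any comment above and is not Hive Engine's own code: an app-side validator that refuses asset-moving custom JSON operations unless they declare active authority. `required_auths` (active) and `required_posting_auths` (posting) are the fields of Hive's `custom_json` operation; the action names, payload layout, and sample operations are constructed for illustration.

```javascript
// Added example: app-side authority check for Hive custom_json operations.
// required_auths / required_posting_auths are the operation's own fields;
// the action names and payload layout are assumptions made for this sketch.
const ACTIVE_ONLY_ACTIONS = new Set(["transfer", "stake", "delegate"]); // hypothetical policy

function authorityLevel(op) {
  const active = Array.isArray(op.required_auths) ? op.required_auths : [];
  const posting = Array.isArray(op.required_posting_auths) ? op.required_posting_auths : [];
  if (active.length > 0) return { level: "active", signer: active[0] };
  if (posting.length > 0) return { level: "posting", signer: posting[0] };
  return { level: "none", signer: null };
}

function evaluate(op) {
  const { level, signer } = authorityLevel(op);
  if (level === "none") return { accept: false, reason: "no authority declared" };
  let payload;
  try { payload = JSON.parse(op.json); } catch { return { accept: false, reason: "malformed json" }; }
  if (payload === null || typeof payload !== "object" || typeof payload.action !== "string")
    return { accept: false, reason: "missing action" };
  // Anything that moves value must be signed with active authority.
  if (ACTIVE_ONLY_ACTIONS.has(payload.action) && level !== "active")
    return { accept: false, reason: `${payload.action} needs active authority, got ${level}` };
  // Trust the declared signer, never an account name supplied inside the payload.
  if (payload.from !== undefined && payload.from !== signer)
    return { accept: false, reason: "payload sender differs from signer" };
  return { accept: true, reason: `${payload.action} accepted with ${level} authority` };
}

// Constructed sample operations (not real chain data).
const transfer = JSON.stringify({ action: "transfer", from: "alice", to: "bob", amount: "1" });
const samples = [
  { required_auths: [], required_posting_auths: ["alice"], id: "example-app", json: transfer },
  { required_auths: ["alice"], required_posting_auths: [], id: "example-app", json: transfer },
  { required_auths: [], required_posting_auths: ["alice"], id: "example-app",
    json: JSON.stringify({ action: "like", from: "alice" }) },
  { required_auths: ["mallory"], required_posting_auths: [], id: "example-app", json: transfer },
  { required_auths: ["alice"], required_posting_auths: [], id: "example-app", json: "{" },
];

for (const op of samples) console.log(evaluate(op));
```
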