✨ Ownership detection for ERC721 side

Open Vectorized opened this issue 1 year ago • 11 comments

For marketplaces like OpenSea

  • Upon initialization handshake, the mirror will try to get the owner from the base contract. If there is an owner, the owner will be updated to that owner, and an OwnershipTransferred(address indexed oldOwner, address indexed newOwner) event will be emitted. Store the current owner in the deployer slot.

  • Upon logging a batch NFT mint / burn, try to get the owner from the base contract. If the owner is different from that of the deployer slot, an OwnershipTransferred(address indexed oldOwner, address indexed newOwner) event will be emitted, and the owner in the deployer slot will be updated.

Not sure if this will work, someone help me try.

Vectorized • Feb 13 '24 01:02
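The two steps proposed above, as an added Solidity sketch that is not DN404's own code and is not from any participant in this thread; `_baseERC20`, `_cachedOwner`, `_afterLink`, `_afterLogBatch`, `_tryBaseOwner` and `_syncOwner` are hypothetical names. It shows the "try" semantics (a base without `owner()` must not break linking or mint / burn logging) and that the mirror's `owner()` only repeats what the base reports and can lag until the next sync.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added sketch of the two-step proposal; NOT DN404's code.
/// All internal names here are hypothetical.
abstract contract MirrorOwnerSync {
    event OwnershipTransferred(address indexed oldOwner, address indexed newOwner);

    /// Stands in for the "deployer slot" that stores the last owner seen.
    address private _cachedOwner;

    /// Address of the linked base contract (supplied by the mirror).
    function _baseERC20() internal view virtual returns (address);

    /// What a marketplace reads. It can lag the base until the next sync.
    function owner() public view virtual returns (address) {
        return _cachedOwner;
    }

    /// Step 1: call at the end of the initialization handshake.
    function _afterLink() internal virtual { _syncOwner(); }

    /// Step 2: call whenever a batch NFT mint / burn is logged.
    function _afterLogBatch() internal virtual { _syncOwner(); }

    /// "Try to get the owner": never revert if the base has no `owner()`.
    function _tryBaseOwner() private view returns (bool ok, address result) {
        bytes memory ret;
        (ok, ret) = _baseERC20().staticcall(abi.encodeWithSignature("owner()"));
        if (!ok || ret.length < 32) return (false, address(0));
        uint256 word = abi.decode(ret, (uint256));
        // Reject return data that is not a clean 160-bit address.
        if (word > type(uint160).max) return (false, address(0));
        result = address(uint160(word));
    }

    function _syncOwner() private {
        (bool ok, address current) = _tryBaseOwner();
        if (!ok) return;
        address previous = _cachedOwner;
        if (current == previous) return; // no change, no event
        _cachedOwner = current;
        emit OwnershipTransferred(previous, current);
    }
}
```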

Why not just have an owner() function that returns the owner of the DN404 base contract?

lambdalf-dev • Feb 13 '24 01:02

OpenSea does not rely on owner or OwnershipTransferred because it’s easily spoofable.

wwhchung • Feb 13 '24 01:02

Event easily spoofable for sure, owner is what the contract considers owner.

lambdalf-dev • Feb 13 '24 03:02

Proposed solution here: https://github.com/Vectorized/dn404/pull/43

lambdalf-dev • Feb 13 '24 04:02

> Event easily spoofable for sure, owner is what the contract considers owner.

Yup, but OpenSea typically doesn't use this to group things under an address's 'created tokens' because that can also be faked. i.e. I can hardcode the owner() to return as you, and have these tokens as 'created by you' if OpenSea trusted the contract return values as the source of provenance.

wwhchung • Feb 13 '24 05:02

Well, if I'm the owner of the contract, it makes sense that the items were created by me...

lambdalf-dev • Feb 13 '24 05:02

> Well, if I'm the owner of the contract, it makes sense that the items were created by me...

Not necessarily. I could create a contract with a fake owner function and inject tokens into your collection. A similar exploit has been used in the past to make fake Beeples, which is why Rarible and OpenSea moved away from relying on owner.

wwhchung • Feb 13 '24 13:02

Yeah @wwhchung is correct here - it's extremely easy to game owner() to make it look like someone else deployed your contract

cygaar • Feb 13 '24 19:02

Why is the owner needed at all? I’ve got a version of ERC404 on my TW3404 repo that uses ERC1155 instead of ERC721 which allows for batch transfers natively.

TechnicallyWeb3 • Feb 19 '24 23:02

> Why is the owner needed at all?

For marketplaces collection management

lambdalf-dev • Feb 20 '24 05:02

Looks like a good solution would be to implement ERC-7015 since OpenSea uses this for proof of ownership. (https://docs.opensea.io/docs/contract-level-metadata)

sonicsmith • Feb 20 '24 07:02