Collective vulnerability of Loot forks: scarcity has rules to follow

Chain Teahouse 2021-09-14 10:01:28


Original title: "Collective vulnerability of Loot forks: scarcity has rules to follow | Chain tea Express"

Written by: iamthetorn

Translated by: scarlett

Unless you change the way randomness is used in the smart contract, don't use Loot code for new projects.

The Loot smart contract has a design limitation (or a security vulnerability) that affects the fairness of the initial token distribution. New projects that reuse Loot's code have this vulnerability too.


This article is not intended to belittle Loot or any related company. It is meant to:

  1. Build a level playing field for NFTs by reducing information asymmetry;
  2. Limit the continued spread of program errors or design patterns, to avoid putting users at risk.

Loot is an NFT collection consisting of 8000 tokens, called Bags. 97% of the NFTs can be minted by the public, at no cost other than the gas fee.

The smart contract includes randomization, rendering and logic layers, which allow it to generate the SVG corresponding to any token ID.

Every Bag has 8 item attributes, and each item is randomly assigned a score in the smart contract. The higher the score, the greater the variability of the item's name, and the rarer the item.

So what's the problem?

A Bag's contents are determined by its token ID. This means that at any point before or during the initial token distribution, anyone can easily calculate the entire Bag supply in advance (including rarity metrics) just by reading the smart contract.

Because the claim() function takes the token ID as a parameter, it is easy to pick out the rarest items from the collection and mint them before anyone else does.

If the contract code is public at the time of the initial release, Loot and similar projects can easily be gamed.

In fact, Loot and most of its imitators use Etherscan as their minting UI, which requires the source code to be verified on Etherscan.

The company has confirmed that the initial distribution of the following projects was open to the minting approach described above: Loot, Bloot, More Loot, n, CHAR 0......

This is a non-exhaustive list. At the time of writing this article, I haven't found any other projects open to this.

Most worrying of all, this kind of gaming leads to a significant gap in outcomes between ordinary users and experts or users with technical knowledge.

Loophole 1

More Loot is the follow-up to Loot released by Loot creator dhof. At the time of writing it has been out for only a few hours, and the impact of this vulnerability can be clearly seen in More Loot's on-chain data.


The figure above shows the difference between the distribution of available More Loot Bags and the distribution of those actually minted. It includes the "greatness" scores of more than 130 m Bags in the current series.

If minting were random, we would expect these distributions to be consistent.

Instead, we can clearly see that although the vast majority of mints are "blind", a small portion of transactions use contracts to mint only the rarest Bags.

Since the rarity ranking was published on GitHub, the frequency of this targeted minting has increased.

However, even a few hours after these data were shared in the public Loot Discord, targeted minting still accounts for only a small part of all minting, which shows that most users are in the dark.

Some people might use More Loot to test the waters and not take it too seriously, but its practical impact should still be considered.

For example, users paid about 300 Thousands of dollars in gas fees to mint More Loot. Most of these mints were blind.

With the supply cap far exceeding 100 Ten thousand tokens and thousands of "special" tokens pouring into the market, the resale prospects for ordinary holders are very bleak.

Loophole 2: CHAR 0

CHAR 0 is another recent Loot-based project. From 13:47 UTC on September 3 to 11:56 UTC on September 4, the distribution of 9700 tokens cost an estimated 70 Thousands of dollars in gas fees.

As an early miner in this project, it was very easy for me to produce the data needed to identify and obtain many of the rarest tokens in the series.

To demonstrate, I only minted a small collection, but nothing can stop me from quickly and quietly acquiring the vast majority of the top 1% of the supply.

Obviously, motivated takers like me can extract great value from CHAR 0's user base and have a considerable impact on the project's outcome.

Possible solutions

I will keep this part at a high level of discussion and leave some room for follow-up solutions. Here are several different ways to solve the above problems.

Blind minting

Hashmasks popularized the blind minting pattern. In this pattern the creator commits to a hash value for the entire series, and at the end of the sale the order of the series is shuffled using on-chain randomness.

This creates a fair, random assignment in which even the creator cannot cheat. The Hashmasks smart contract has been successfully adopted by BAYC and some other projects.

The blind minting strategy can be adapted for use with Loot while keeping all Loot SVG properties generated by the smart contract.
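
The predictability described under "So what's the problem?" and the blind minting fix can be compared in a toy model. This is an added example, not Loot's or Hashmasks' contract code; the item keys, the modulus 21, SHA-256 (standing in for keccak256), the supply of 1000 and both constructed secrets are assumptions made for illustration.

```python
import hashlib
import random

ITEM_KEYS = ["WEAPON", "CHEST", "HEAD", "WAIST", "FOOT", "HAND", "NECK", "RING"]

def item_score(key, seed):
    """Score of one item: a pure function of the seed (SHA-256 stands in for keccak256)."""
    digest = hashlib.sha256(f"{key}{seed}".encode()).digest()
    return int.from_bytes(digest, "big") % 21

def bag_score(seed):
    """Toy rarity metric: sum of the 8 item scores."""
    return sum(item_score(k, seed) for k in ITEM_KEYS)

def provenance_hash(order):
    """Commitment published before the sale: hash over the ordered per-Bag hashes."""
    joined = "".join(hashlib.sha256(str(s).encode()).hexdigest() for s in order)
    return hashlib.sha256(joined.encode()).hexdigest()

def start_offset(entropy, supply):
    """Rotation fixed only after the sale closes, from entropy unknown at mint time."""
    return int.from_bytes(hashlib.sha256(entropy).digest(), "big") % supply

def revealed_seed(token_id, offset, order):
    """Blind mint: the token ID selects a committed slot only once the offset is known."""
    return order[(token_id + offset) % len(order)]

SUPPLY = 1000  # constructed toy supply

# Flaw described above: seed == token ID, so the whole supply can be ranked up front.
predictable_ranking = sorted(range(SUPPLY), key=bag_score, reverse=True)

# Mitigation: the creator shuffles the seeds privately and publishes only the commitment.
order = list(range(SUPPLY))
random.Random("constructed-creator-secret").shuffle(order)
commitment = provenance_hash(order)

# After the sale: the offset is derived, the order is published, anyone re-checks it.
offset = start_offset(b"constructed-post-sale-entropy", SUPPLY)
assert provenance_hash(order) == commitment

if __name__ == "__main__":
    top = predictable_ranking[0]
    print("without blind mint, rarest token ID is known in advance:", top)
    print("with blind mint, token", top, "receives seed", revealed_seed(top, offset, order))
```

A rotation alone preserves the relative order of the committed list, so the list itself has to stay private until the reveal, and the entropy source needs the care discussed in the next section.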

On-chain RNG

On-chain randomness can be used at run time to randomize the result of each mint.

Extra care must be taken with this method, because on-chain sources of randomness may be exploited by others in unexpected ways.

The best way is to use a VRF, such as Chainlink's VRF, but this may be too expensive for some applications.

Unverified contract

A simple fix is to keep the smart contract code private at the initial release. This method is reasonable in the following cases:

  1. The founder's reputation is at stake;
  2. The contract does not accept payment.

Although this can be called an improvement, I strongly recommend against using this method.

Unlike blind minting, this method has no safeguard to prevent the NFT creator from cheating. The contract can also be reverse engineered, whether by analyzing minting output or by decompiling the bytecode.

Even if the contract creator is trustworthy, and even when the contract does not accept payment, requiring users to interact with unverified contracts sets a bad precedent.

Sybil-resistant distribution

Finally, I have one suggestion to put forward: use Mirror to attempt a Sybil-resistant fair distribution.

This is a forward-looking approach, and I believe it will become more and more interesting in the future.

Finally...

Each of these methods has trade-offs, and some may already be under consideration by the original Loot team.

The fact is that the more the current version of the Loot smart contract spreads, the worse it is for users.

Until the problem is solved, this smart contract should not be reused, at least not without clearly communicating that minting is a game and that the distribution is not intended to be fair or random.

The appeal at the end

All the discussion about community and fair distribution comes down to this: NFT users deserve better treatment.

They should have a level playing field, and they deserve carefully designed token launches that will not harm them.

Beyond all doubt, Loot has triggered a revolution and is a key project for the sustainable development of NFTs.

I want to emphasize that even when testing the waters, NFT developers are accountable to their users, and this includes developers who copy and paste code from other projects.

Stop bragging that the person who made your Loot knockoff learned smart contracts from YouTube in one day.

Let's give users a safer NFT space. New and high-value smart contracts should be reviewed, or at least receive a code review from experienced smart contract developers.

Well-known issues should be discussed openly. Let's improve good practices and share them widely, so that artists have room to work when creating safe and meaningful NFTs.

Copyright notice: This article was created by [Chain Teahouse]. Please include a link to the original when reposting. Thank you. https://netfreeman.com/2021/09/20210908160710951v.html