I will admit I don't get it. Is this the website of the thief? And re "There are no rights or protections preventing the theft and mis-use of their art," were artists expecting to get perpetual royalties from their NFT-tied works?
It appears this is the hackers website, and that they are going to be demonstrating multiple methods of duplication/fraud/"theft". For Act One, they legally created a duplicate that is indistinguishable from the original. (?)
From the FAQ:
"Won't your claim of the NFT digital asset association be easily disproved through the blockchain?
The blockchain proves ownership of the NFT token itself, and its association with a specific digital asset. There is no legitimate way to prove that the NFT that I have created does not in fact have the same association and attribution to the digital asset as the original NFT. This is due to the fact that there are no legally binding requirements in the world of NFT, and that the artist/creator is purely selling through an "Honor System" approach. All we have is their word that they will only mint one NFT for that digital asset. They can in fact mint it again as many times as they wish, and they can set whatever price they decide on, and from whatever wallet they chose to do it from. There is no way for anyone to disprove that the NFT token minted by me was not in fact done on behalf of the digital asset artist/creator."
popular sites just don't look for transactions right now that would show it was "sleepminted"
I'm all for also updating the protocols. ERC721 is not the predominant NFT protocol in use, actually that's hard to quantity as my point being there are several other standards in popular use, and many others still evolving.
Yes, it undermines the current NFT aggregator sites and all the hype.
The core concept of NFTs is sound, but the vast majority of NFTs I've seen encode only a URL, often for the marketplace that sold the NFT. So all you really own is a hyperlink to a company's website that likely won't be around for long.
A few NFTs encode links to the IPFS (InterPlanetary File System), which still carries some risk of the link/content being forgotten, but is probably a better way of doing this.
It looks like the author may have found an exploit of the ERC721 contract, whereby anyone can mint a NFT as though it looked like another user. They supposedly wrote another contract to execute against a ERC721, costs over 1 ETH to call it. So in the end, it's something like, he can mint NFTs for your work under your wallet and then transfer ownership to someone else.
Notice the implementation is totally up to you. You can emit events that totally lie about what’s really happening. You can make the transfer function always succeed if it’s from an address you hardcore in. etc.
The problem here is just the marketplace UI assuming every contract will follow the standard convention of what these logs and functions typically mean, so they are showing the NFT as “verified” to be from beeple. But really they need to be looking at the address who is initiating the transaction, or some other verification method (an external call you make that says ‘I verify i minted this NFT’). Its silly the marketplaces didn’t account for this
The hype around NFTs currently is just that: hype _BUT_ that doesn't mean that there is no value in an NFT. Remember, NFTs are non-fungible digital signatures and there is value in something being provable and forcibly unique. The easiest non-hype example I can think of right now is identity. If you literally own your identity then you're in control.
Anyway, the problem here is that apparently, via this hack, the ERC721 standard (which is implemented via a contract) is not as secure as we thought. That's fine, it can be improved, and I hope it will.
Art NFTs being hyped to the point where people invest tens of thousands or millions in something they don't know about is a layer on-top of this which is regrettable. I'd like to see someone present an example of the first implementation of a standard being secure for all time though.
> The easiest non-hype example I can think of right now is identity. If you literally own your identity then you're in control.
Can you explain what you mean by this?
I can understand using public/private key cryptography for identity. That makes a lot of sense, although there would be challenges around what to do when somebody loses or leaks their private key. Would likely require a central authority that can authenticate a fallback form of identification (old school birth certificate/driver's license/passport/whatever) and certify a new set of keys for the person's identity.
But how would NFTs/blockchain become involved? I wouldn't ever want to transfer my identity to somebody else.
You can already transfer your identity to someone else in your public/private key example. If you accidentally expose your private key it's no longer your identity. You can "transfer" this identity to your new machine by copying it across etc.
NFTs are just a standard, there's no rule requiring you monetise and trade them.
Say your wallet seed (which is used to derive your private keys) gets compromised, you'd want to transfer your NFT to yourself in a new wallet.
A typical use-case for burning (irrevocably destroying) tokens is to send them to specific burner contracts or addresses. MakerDAO does this with fees burned in MKR. You could "burn" your identity NFT by sending it to the burner contract if you need it changes or re-issued.
Oh, I understand that accidentally exposing my private key is a problem in my system, too. It's definitely not an advantage of my public/private key example, over NFTs. What I don't get is what the advantage is in the other direction: what does the NFT ecosystem give me, that a centralized database of public keys for identities doesn't?
> Say your wallet seed (which is used to derive your private keys) gets compromised, you'd want to transfer your NFT to yourself in a new wallet.
Unless the person who compromised my wallet seed does exactly that, before I find out about the compromise.
At that point, there must be some way for me to get my identity back, because no system of identity can function when the answer to "my identity was lost" is "you have no identity now sorry" and the answer to "my identity was stolen" is "they're legally you now sorry".
So there must be some authority I can contact and show real-world proof that... I'm still me. And that authority's word must be treated by the ecosystem as more meaningful than the now-irrecoverable NFT-identity that's held in my attacker's new wallet.
The question is, if this authority exists, what point is there to the blockchain or NFT-standard part of it? Since this authority is trusted more highly than the blockchain anyway, what do we lose by just trusting the authority to maintain a basic-bitch database of public key : identity pairs? It can still be publicly mirrored and distributed, as long as it has $trusted_authority's signature and a recent timestamp it's assumed good.
> The easiest non-hype example I can think of right now is identity. If you literally own your identity then you're in control.
You can do this using government issued certificates. In Spain you send them a CSR and then attend an appointment with a clerk who checks your passport/national ID. Afterwards they send out the certificate.
It's used for online authentication and signing scanned documents. Overall a good system.
You don't have the ability to trade them like NFTs, but that makes no sense for identities.
That does sound like a good system indeed. By extension imagine if you could login to anything using that certificate if it was digital. The problem with digital data is that it can be copied arbitrarily.
NFTs prove authenticity of some data, so now your identity can be provably yours, only a single one can exist, and you can use it to login to things, sign a message that is provably from you etc.
Yes NFTs are tradable because they are tokens but you don't have to, and I'd argue an extension to ERC721 which limits NFTs to only a single issuance with a single token would make such a system reasonbly whole.
This isn’t a big deal. This guy just created his own smart contract with a special code snippet that, after he mints an NFT to beeple’s address, allows his address to still transfer it to another address (himself). On Rarible/etc this then makes it appear that Beeple minted it and then transferred it to him.
This is why you need to publish the code for NFT smart contracts... which pretty much everyone does, which makes real NFTs auditable and secure (enough). He wouldn’t be able to mint a duplicate NFT from the same smart contract Beeple originally used.
Its up to the market to discern the earlier date of the original issuance. Its always been this way. The blockchain just allows for easier provenance instead of hearsay.
If you buy a duplicate art piece or an art piece that was "sleepminted" just because a popular artist addresses "dropped it", that's really on you
this sounds more like a UI problem that can be easily solved
try not to get scammed, ripped off, or if you want to buy things with resale value in the future maybe just avoid the entire NFT market and not worry about a UI issue
You can also check the decompiled source on eveem.org - doesn’t work with everything, but even if sources are public it’s good to double-check them there.
> you need to publish the code for NFT smart contracts... which pretty much everyone does
How do you not publish smart contract code on a public blockchain? This statement makes no sense. At best you could pull some obfuscation tricks which only serves to makes you look dodgy as fuck.
When I push a smart contract to the blockchain, it's in bytecode format -- impossible to read. There are some tools that try to decompile the bytecode back to the (readable) source code, but most I've seen aren't great.
Take Rarible's smart contract: https://etherscan.io/address/0xd07dc4262bcdbf85190c01c996b4c...
They published the actual code on Etherscan, so when you click "Contract" you can see the Solidity code. Etherscan compiles this Solidity code to confirm it matches the bytecode exactly. It also allows normal people to review the code.
Bah, are we all supposed to know what "sleepminted" mean? You click on the word and a DIV pops up that doesn't explain what the fuck it even means. A "disease"?
Guess I'll google what "X’s wallet minted an NFT" meansif I want to care about the whole fraud involving NFT.
I too was baffled by this post. Here's something that goes into a lot more detail: Short version, someone found an exploit that allows them to create NFTs that were allegedly created by a particular artist (but were actually not). https://news.artnet.com/opinion/sleepminting-nftheft-monsieu...
To me, the author doesn't fully understand how Smart Contract, NFT and ownership work.
It is as if he wrote "NFTheft owns the Joconde" in a Word document, printed it, signed it and tried to prove to the world that he truly owns the Joconde. It doesn't work that way with NTF, nor in real life. Ownership is a consensus.
You can verify the real owner of the token with [0] > Contract > Read > "16. Owner Of" and type "40913", as explain on the original marketplace [1].
However, what he highlights is that Smart Contract doesn't prevent the code from being malicious, in the same way than HTTPS doesn't prevent a website to be hackable. To be even more precise, ERC721 is a code interface. Its implementation is not universal, and thus can be malicious.
I strongly dislike the authors framing, but there is something of value here; the attack vector is essentially spam/fishing. Platforms like OpenSea are at the mercy of the events emitted by smart contracts, and you could certainly try to use a "Beeple sent this" event shown in an explorer to trick someone into believing that Beeple acknowledged this NFT as valuable enough to interact with it.
Create an ERC 721 contract where you control the events, mint a copy of a famous piece, emit an ownership history involving a bunch of famous collector accounts, mix in some wash-traded sales, and you might just convince someone that this is a valuable piece and that they don't need to look too closely.
27 comments
[ 5.4 ms ] story [ 64.1 ms ] threadFrom the FAQ:
"Won't your claim of the NFT digital asset association be easily disproved through the blockchain?
The blockchain proves ownership of the NFT token itself, and its association with a specific digital asset. There is no legitimate way to prove that the NFT that I have created does not in fact have the same association and attribution to the digital asset as the original NFT. This is due to the fact that there are no legally binding requirements in the world of NFT, and that the artist/creator is purely selling through an "Honor System" approach. All we have is their word that they will only mint one NFT for that digital asset. They can in fact mint it again as many times as they wish, and they can set whatever price they decide on, and from whatever wallet they chose to do it from. There is no way for anyone to disprove that the NFT token minted by me was not in fact done on behalf of the digital asset artist/creator."
popular sites just don't look for transactions right now that would show it was "sleepminted"
I'm all for also updating the protocols. ERC721 is not the predominant NFT protocol in use, actually that's hard to quantity as my point being there are several other standards in popular use, and many others still evolving.
The core concept of NFTs is sound, but the vast majority of NFTs I've seen encode only a URL, often for the marketplace that sold the NFT. So all you really own is a hyperlink to a company's website that likely won't be around for long.
A few NFTs encode links to the IPFS (InterPlanetary File System), which still carries some risk of the link/content being forgotten, but is probably a better way of doing this.
https://news.artnet.com/opinion/sleepminting-nftheft-monsieu...
Notice the implementation is totally up to you. You can emit events that totally lie about what’s really happening. You can make the transfer function always succeed if it’s from an address you hardcore in. etc.
The problem here is just the marketplace UI assuming every contract will follow the standard convention of what these logs and functions typically mean, so they are showing the NFT as “verified” to be from beeple. But really they need to be looking at the address who is initiating the transaction, or some other verification method (an external call you make that says ‘I verify i minted this NFT’). Its silly the marketplaces didn’t account for this
Anyway, the problem here is that apparently, via this hack, the ERC721 standard (which is implemented via a contract) is not as secure as we thought. That's fine, it can be improved, and I hope it will.
Art NFTs being hyped to the point where people invest tens of thousands or millions in something they don't know about is a layer on-top of this which is regrettable. I'd like to see someone present an example of the first implementation of a standard being secure for all time though.
Can you explain what you mean by this?
I can understand using public/private key cryptography for identity. That makes a lot of sense, although there would be challenges around what to do when somebody loses or leaks their private key. Would likely require a central authority that can authenticate a fallback form of identification (old school birth certificate/driver's license/passport/whatever) and certify a new set of keys for the person's identity.
But how would NFTs/blockchain become involved? I wouldn't ever want to transfer my identity to somebody else.
NFTs are just a standard, there's no rule requiring you monetise and trade them.
Say your wallet seed (which is used to derive your private keys) gets compromised, you'd want to transfer your NFT to yourself in a new wallet.
A typical use-case for burning (irrevocably destroying) tokens is to send them to specific burner contracts or addresses. MakerDAO does this with fees burned in MKR. You could "burn" your identity NFT by sending it to the burner contract if you need it changes or re-issued.
> Say your wallet seed (which is used to derive your private keys) gets compromised, you'd want to transfer your NFT to yourself in a new wallet.
Unless the person who compromised my wallet seed does exactly that, before I find out about the compromise.
At that point, there must be some way for me to get my identity back, because no system of identity can function when the answer to "my identity was lost" is "you have no identity now sorry" and the answer to "my identity was stolen" is "they're legally you now sorry".
So there must be some authority I can contact and show real-world proof that... I'm still me. And that authority's word must be treated by the ecosystem as more meaningful than the now-irrecoverable NFT-identity that's held in my attacker's new wallet.
The question is, if this authority exists, what point is there to the blockchain or NFT-standard part of it? Since this authority is trusted more highly than the blockchain anyway, what do we lose by just trusting the authority to maintain a basic-bitch database of public key : identity pairs? It can still be publicly mirrored and distributed, as long as it has $trusted_authority's signature and a recent timestamp it's assumed good.
You can do this using government issued certificates. In Spain you send them a CSR and then attend an appointment with a clerk who checks your passport/national ID. Afterwards they send out the certificate.
It's used for online authentication and signing scanned documents. Overall a good system.
You don't have the ability to trade them like NFTs, but that makes no sense for identities.
NFTs prove authenticity of some data, so now your identity can be provably yours, only a single one can exist, and you can use it to login to things, sign a message that is provably from you etc.
Yes NFTs are tradable because they are tokens but you don't have to, and I'd argue an extension to ERC721 which limits NFTs to only a single issuance with a single token would make such a system reasonbly whole.
> The problem with digital data is that it can be copied arbitrarily.
And NFTs aren't digital data? I don't understand the distinction.
This is why you need to publish the code for NFT smart contracts... which pretty much everyone does, which makes real NFTs auditable and secure (enough). He wouldn’t be able to mint a duplicate NFT from the same smart contract Beeple originally used.
Lol, self-proclaimed “banksy of NFTs”, come on
Forgery is forgery, and this is a fundamental flaw in the ERC-721 token.
Provenance matters, and this is more than a shot across the bow. This is a direct hit on trust.
I only have to fool you long enough to get the tokens into my wallet. This kind of forgery seems to do the trick.
If you buy a duplicate art piece or an art piece that was "sleepminted" just because a popular artist addresses "dropped it", that's really on you
this sounds more like a UI problem that can be easily solved
try not to get scammed, ripped off, or if you want to buy things with resale value in the future maybe just avoid the entire NFT market and not worry about a UI issue
But if you just use the general rule of only buying NFTs that are minted to smart code with published code, that basically solves this problem.
Also worth mentioning that two weeks ago this guy -- before posting all this BS -- first tried to sell this fake for 369,122 ETH lol.
https://rarible.com/token/0x5fbbacf00ef20193a301a5ba20acf047...
(I’m the creator of eveem)
How do you not publish smart contract code on a public blockchain? This statement makes no sense. At best you could pull some obfuscation tricks which only serves to makes you look dodgy as fuck.
Take Rarible's smart contract: https://etherscan.io/address/0xd07dc4262bcdbf85190c01c996b4c... They published the actual code on Etherscan, so when you click "Contract" you can see the Solidity code. Etherscan compiles this Solidity code to confirm it matches the bytecode exactly. It also allows normal people to review the code.
Compare that to the smart contract this 'banksy of nfts' published: https://etherscan.io/address/0x5FBbACf00ef20193a301a5BA20acf...
You can't review the Solidity code, all there is is bytecode.
Basically, you shouldn't buy an NFT that hasn't published the source code of its smart contract because you have NO idea what you are getting.
Guess I'll google what "X’s wallet minted an NFT" meansif I want to care about the whole fraud involving NFT.
It is as if he wrote "NFTheft owns the Joconde" in a Word document, printed it, signed it and tried to prove to the world that he truly owns the Joconde. It doesn't work that way with NTF, nor in real life. Ownership is a consensus.
You can verify the real owner of the token with [0] > Contract > Read > "16. Owner Of" and type "40913", as explain on the original marketplace [1].
However, what he highlights is that Smart Contract doesn't prevent the code from being malicious, in the same way than HTTPS doesn't prevent a website to be hackable. To be even more precise, ERC721 is a code interface. Its implementation is not universal, and thus can be malicious.
[0] https://etherscan.io/token/0x2a46f2ffd99e19a89476e2f62270e0a...
[1] https://onlineonly.christies.com/s/first-open-beeple/beeple-...
Create an ERC 721 contract where you control the events, mint a copy of a famous piece, emit an ownership history involving a bunch of famous collector accounts, mix in some wash-traded sales, and you might just convince someone that this is a valuable piece and that they don't need to look too closely.