Cointime

Download App
iOS & Android

What Is Sleepminting And Will It Ruin NFT Provenance?

published 2021-04-22 by timdaub

Today, while browsing /r/ethereum, I stumbled upon an impersonation attack using NFTs called "sleepminting." I ended up taking a closer look as I wanted to understand the idea of the attack. Here's how it works.

The Bait

Oh, look, it's beeple's multi-million dollar piece "the first 5000 days" for sale on rarible. Check the screenshot, It clearly says "Creator: beeple." Wow, Metakovan must have gotten badly rekt having to sell that $69M combo-breaker for a handful of WEIs.

Please don't fall for it! It's a scam. Or shall I saw an art piece? That's right! Its creator, Monsieur Personne, that also goes by the self-proclaimed alter ego The Banksy of NFTs, deliberately minted the piece under beeple's name using a technique he calls sleepminting. Why? Because Monsieur is disappointed in NFTs. So how did he do it?

The Basics

NFTs are created using ERC-721 smart contracts. They the ownership record of NFTs as a list of pairs. One address and a piece's serial number make up a pair. Like this (I replaced "Bob" with "Booble"):

  • Alice: 1
  • Booble: 2
  • Malory: 3

Upon a sale, Alice can transfer her piece to Boople by:

  • transfer 1: Alice ==> Booble

Now, the list of pairs is updated as follows:

  • Alice:
  • Booble: 2, 1
  • Malory: 3

In Ethereum, we don't use clear names for identification but addresses. And we need to sign transfers to authorize them. But in the examples provided in this post I'll use clear names to simplify explaining.

Now, usually developers implement ERC-721 contracts in a reasonable way. As we expect Alice can then only transfer a piece if she owns it and can deliver a valid signature. But what happens if a developer doesn't respect this convention?

See, the ERC-721 standard is just a social contract that defines a interface to allow art platforms to interoperate. There's no criteria for what's a good and what's a bad implementation. As long as a contract's interface matches that of an ERC-721 contract, any machine is considering it as valid.

But, as we've now seen, that can lead to safety issues with NFTs' provenance on Ethereum. It can be tampered with!

The Attack

As I said, any reasonable ERC-721 contract would allow a minter only to mint to themselves and to only transfer the pieces they own.

But say we customize our ERC-721 contract such that we can mint to other accounts. And say that we adjust the transfer function so that our account can, in a minor exception, also transfer another person's pieces. Well then, we can build a contract that allows us to sleepmint pieces. So as the attacker Malory, we'd do the following: We'd mint a piece with the serial number 1 to Booble:

  • mint 1: address(0) => Booble (executed by Malory)

Now our pairs look as follows:

  • Alice:
  • Booble: 1
  • Malory:

Then, since Malory has adjusted the contract to transfer the piece with serial number 1 from Booble's account to any other account, she can offer it for sale on an NFT platform like rarible.

As she minted from address(0) to Booble as "Creator: Booble" is displayed.

Once Malory successfully deceived a buyer, she receives her Ethers and transfers the piece to the buyer:

  • transfer 1: Booble => Buyer (executed by Malory)

The updated ownership record now reads:

  • Alice:
  • Booble:
  • Malory:
  • Buyer: 1

And with that, Malory has successfully tampered with the NFT's provenance record to sell her piece for more than it's worth.

The Specifics

So is this attack breaking NFTs? Should you panic sell your collection of crypto punks? What about poor Metakovan. He rekt now?

I'd say no. Sure, rarible and Etherscan state wrongly that beeple has minted a piece that genuinely he didn't. However, that's more of an interface issue than it is a security vulnerability. Nobody ever had access to beeple's account.

Also, the impersonater can be spotted when taking a closer look at the origin transactions:

Let's take a closer look at these transactions.

For the mint transaction, we can see that Etherscan displays two "From" fields: One for which msg.sender sent the transaction and another one to state the NFT's sender.

For the transaction's from field, the msg.sender, it cannot be manipulated as it requires a valid signature from the sender's private key. The authorization of the "From" field for the NFT's sender is, however, subject to the smart contract's implementation and, hence, may not display authenticated information.

Simply put, the NFT's sender field could display any data an attacker picks.

Hence, to spot a sleepminted piece from an original, one has to check if both the mint transaction's sender and the NFT's sender match beeple's correct address. If not, it's a fake.

Conclusion

I love this attack. It's similar to rug pulling in that it also plays with the user's trust towards an online identity. We think, now that we use blockchain, all our web2 problems are gone. Every piece of data is authenticated and checked for authorization. But the truth is that these problems aren't gone. They've just shifted somewhere else.

We humans cannot reproduce cryptographic verification in our brains. Sure, we can be extra careful and only trust green checkmarks and lock symbols in user interfaces. But can we recompute hashes of files or the validity of a digital signature? No.

And so the rise of new attacks on web3 is inevitable. I for one am looking forward to learning from them.

NFT
Comments

All Comments

Recommended for you

  • Citi report: predicts that corporate finance will undergo major changes in the next 3 to 5 years, and DLT and AI will play a role

    Citi GPS has released a report titled "Financials 2030" exploring the future development direction of corporate finance functions. A survey found that 93% of surveyed financial executives believe that there will be significant changes in corporate finance functions in the next three to five years, but more than half of them are unsure of what these changes will be.

  • Fiamma Completes $4 Million Seed Round Financing

    Fiamma, a project based on BitVM2's on-chain ZKP verification infrastructure and Babylon's ecological infrastructure, announced the completion of a $4 million seed round of financing. Lightspeed Faction and L2 Iterative Ventures led the investment, with participation from Astera Ventures, Contribution Capital, Sats Ventures, Chapter One and FoundersHead, as well as BOB (Build on Bitcoin), Satlayer and Daedalus founders. The new funds will be used to accelerate product development and promote the adoption of its underlying technology.

  • Australia’s financial regulator proposes new crypto rules, emphasizing risks and mitigation measures

     Australian Securities and Investments Commission (ASIC) has released a consultation paper suggesting updates to its regulatory guidelines for digital assets, with a focus on compliance requirements under the Corporations Act. The revisions to Information Sheet 225 (INFO 225) include 13 worked examples aimed at clarifying when digital assets qualify as financial products, such as stablecoins, packaged tokens, and staking services. In these examples, ASIC outlines scenarios involving exchange tokens, interest-bearing stablecoins, and tokenized assets such as concert tickets. The draft guidance proposes that classification depends on "inherent rights, interests, expectations, and product features that are offered together with the token." ASIC encourages cryptocurrency companies to apply for an Australian Financial Services License, providing them with a safe harbor from legal action.

  • BlackRock executive: More and more investors from different wealth classes are looking at Bitcoin as a hedging tool

    Bitcoin has been rising all the way, breaking through the $100,000 mark. A large part of the demand driving the rise in Bitcoin prices has recently flowed into Bitcoin ETFs. Jay Jacobs, head of thematic and active ETFs in the United States at BlackRock, said that since its launch in January of this year, the value of the IBIT ETF has grown to over $45 billion, and its value has increased by $4.1 billion in just the past month. Jacobs said that in addition to candidates who are more friendly to cryptocurrencies winning in elections, an increasing number of investors from different wealth levels are beginning to see Bitcoin as a tool to hedge against geopolitical risks and currency depreciation caused by inflation. As ETFs become an easy way for investors to understand Bitcoin price trends, mainstream interest in cryptocurrencies reaching a critical point is only a matter of time. (Jinse)

  • BTC breaks through $101,500

    the market shows that BTC has broken through $101,500 and is currently trading at $101,510.91, with a 24-hour increase of 6.15%. The market is volatile, so please be prepared for risk control.

  • Trump announces series of appointments for key government positions

    President-elect Donald Trump has made a series of appointments, including Peter Navarro as senior counselor for trade and manufacturing, Paul Atkins as commissioner of the Securities and Exchange Commission, and former Rep. Billy Long as the Internal Revenue Service's commissioner. Trump has chosen people for most Senate-confirmed Cabinet-level jobs, as well as key roles that don't require confirmation. However, he is reportedly considering replacing Defense Secretary nominee Pete Hegseth amid allegations of public drunkenness and sexual misconduct.

  • Source: CFTC chairman candidate has put the suspension of Biden-era enforcement actions on the agenda

    According to FOX Business reporter Eleanor Terrett, CFTC Commissioner Caroline D. Pham is one of the candidates for the new CFTC chairman. Under the leadership of the new leadership, the suspension of enforcement actions during the Biden era has been put on the agenda.

  • Careers in Crypto: 5 Insights for 2024

    In an overwhelming job market, leaning into personal networks and connections are more important than ever. Emily Landon, CEO of The Crypto Recruiters, outlines what is happening in the crypto job market and how you can position yourself or your company in 2024.

  • Cointime August 10th News Express

    1. The U.S. Internal Revenue Service has released a new draft of the crypto tax form, which no longer requires filling in wallet addresses and transaction IDs

  • Adidas and Doodles collaborate to launch a limited edition NFT collection pack

    Sportswear giant Adidas is collaborating with Ethereum NFT series Doodles to sell virtual gift packages that support buyers in purchasing exclusive physical clothing. Adidas and Doodles stated in a joint statement that these limited edition collectible packages will be available for purchase before August 16th, with two items in each package. The Adidas Originals x Doodles online store shows that the retail price for a single package is $4.99, while the price for 2 to 100 packages ranges from $8.49 to $374.99.Some joint sets include physical collectibles featuring Deysi, the digital mascot in Pharrell Williams and Coi Leray's new song "Not in the Store". These collectibles include Deysi sportswear and Superstar shoes, with each limited to 200 pieces.