If a project builds an NFT smart contract, it is necessary to follow the standard and create a secure contract based on it. Learn from past mistakes that have been identified and have solutions ready.
Ensure that a verified contract satisfies the following high-level requirements:
- Contract follows a tested and stable NFT standard,
- Vulnerabilities identified in various NFT implementations have been taken into account during implementation.
Category “C6” lists requirements related to the NFT smart contract as one of the project components.
| # | Description |
|---|---|
| C6.1 | Verify that the source code of the NFT implementation is available on explorer. |
| C6.2 | Verify that all necessary functions and events are present, have consistent types and all functions emit the proper events in order to follow the ERC standard. |
| C6.3 | Verify that predefined solidity methods (such as block.timestamp, block.coinbase, or blockhash) are not used as a source of entropy for generating random numbers. |
| C6.4 | Verify that project inform users to adjust the gas limit depending on the number of NFTs they want to mint, as digital wallets set default maximum gas limits which may not be sufficient and could result in wasted ether for reverted transaction. |
| C6.5 | Verify that the re-entrancy attacks are mitigated by following Checks-Effects-Interaction pattern, in case of using the standard ERC721 safeMint function calls the onERC721Receiver function on the receiver address. |
| C6.6 | Verify that in case of NFT sales where metadata is publicly accessible during the sale, the process is divided into two separate transactions. Ensure that the empty token is minted in the first transaction, but the NFT metadata is assigned in the second, pseudo-randomly. |
| C6.7 | Verify that the potential attacker does not have any profit (e.g., special NFT being minted) from sending multiple transactions to the NFT contract (even though paying for gas). |
| C6.8 | Verify that the Inter Planetary File System (IPFS) is used to store all metadata of NFTs on-chain. |
| C6.9 | Verify that the ERC712 standard is implemented for signature verification (instead of custom usage of eth_sign and personal_sign functions). |
For more information, see also:
Request an audit of your project by SCSVS authors. Contact a specialist.