- This was not a "hack" by any means. The contract developer just used a clever technique to bypass the basic address check in the minting contract.
As far as I could tell, the Adidas contract was standard compared to other contracts.
- The Adidas NFT contract was made public before the mint so anyone could have done this
- This transaction was not guaranteed to succeed. It could have failed for any reason. e.g. NFTs sold out before tx was picked up by a miner. This could have cost up to ~$100k in wasted gas
Now to get started. There are a few methods that can be used, each with different pros/cons that I'll dive into
The easiest and probably most inexpensive option:
require(tx.origin == msg.sender)
Add a check to make sure that the originator of the transaction is the same as the current caller of the NFT contract mint function
This approach is mentioned by the CTO of @opensea here
It would have prevent the custom contract from minting 330 NFTs in the Adidas mint, as the transaction origin was the developer's main address and the message sender (msg.sender) was each sub smart contract's address
This check will cause the entire transaction to fail
This strategy isn't perfect though. It prevents several legitimate use cases from being able to mint the NFT.
For example DAOs that use smart contracts to mint NFTs will be excluded from minting. Same with multi-sig transactions
Another similar strategy with the same limitations is checking if the caller's address belongs to a smart contract.
While these solve the issue of someone buying a bunch of NFTs in a single TX using a smart contract, it doesn't prevent writing a bot that generates a bunch of new addresses that each submit a TX during a mint
It turns out that this problem has been an issue in the NFT space for a while.
Several projects have taken advanced measures to counteract this type of strategy, @SVSNFT wrote up how they combatted this using an advanced solution
Their goal was to minimize bots, whaling, and to promote fair distribution. They created a solution to make it challenging to minting from their NFT contract directly
This forced people to interact with the NFT contract directly through their website interface.
TLDR: The way it works is, when you mint through their website, it calls their own backend API that generates a signature that is unique to your ETH address and their backend's private key
This signature is then forwarded into their NFT contract's buy function which validates that:
1. The signature contains the public key of the buyer 2. The signature was signed by their backend's private key
Because a call to SVS's backend is required to generate a valid transaction, it eliminates the ability for child smart contracts that are generated in a transaction to be able to send valid transactions as they cannot interact with off-chain APIs.
There might be a way to modify their approach to allow multi-sigs and DAO contracts to mint but I'll let someone with more expertise answer that
The downsides to this strategy are that because extra validation occurs on-chain, the minter is required to pay increased gas fees for their transaction.
Also the NFT creators have to do extra work to make sure their backend API is properly secured against bots
These are just a few approaches NFT projects can take to increase distribution of their collection minting.
If I missed anything, feel free to discuss in the replies and I'll add good solutions to the thread.
If you found this insightful, feel free to share this with anyone you know who is working on an NFT project.