Best practices when handling payments 💸 in NFT contracts #solidity ↓
Pull, don't push.
* If you forward ether to your wallet from inside the mint function, every mint pays for an extra transfer, so minting gets more expensive (and if the recipient is a contract that reverts, minting breaks).
* Ether that reaches the contract without going through mint (a selfdestruct payout, a block reward, a plain transfer) has no code path out, so those funds are lost forever.
Instead, write a function that transfers the full balance to you.
Note that withdrawAll isn't marked onlyOwner: anyone can call it. The recipient is fixed to the owner inside the contract, so the worst a stranger can do is pay your gas, and it lets you set up automation (e.g. via Infura or OpenZeppelin Defender) that doesn't depend on your private keys.
While you're at it, also include a function that does the same for any ERC20 token.
There are plenty of ways your contract can end up holding tokens (royalties paid in ERC20, airdrops, transfers by mistake), and it would be unfortunate to lose thousands of dollars for want of this simple function.
Always check for the exact payment value (msg.value == price, not >= price).
I used msg.value > X ether in my first NFT contract, and it caused a lot of headaches. Some users minted from Etherscan's UI, miscalculated the proper value, and then chased me asking for a refund (which I did). Not fun.
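Putting the three points above (pull withdrawals, an ERC20 sweep, and an exact msg.value check) into one contract, as an added example that is not the thread author's code. It assumes OpenZeppelin Contracts 4.x is installed; the contract name, PRICE and MAX_PER_TX are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the thread author's contract. Assumes OpenZeppelin
// Contracts 4.x (npm i @openzeppelin/contracts@4). PullPaymentNFT, PRICE and
// MAX_PER_TX are illustrative names/values.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract PullPaymentNFT is ERC721, Ownable {
    using SafeERC20 for IERC20;

    uint256 public constant PRICE = 0.05 ether;
    uint256 public constant MAX_PER_TX = 5;
    uint256 public nextId;

    constructor() ERC721("PullPaymentNFT", "PPN") {}

    // Pull, don't push: mint keeps the ether in the contract, no forwarding.
    // Exact-value check: "==" rather than ">=", so an over-payment typed into
    // Etherscan's UI reverts instead of turning into a refund request.
    function mint(uint256 quantity) external payable {
        require(quantity > 0 && quantity <= MAX_PER_TX, "bad quantity");
        require(msg.value == PRICE * quantity, "send exact price");
        for (uint256 i = 0; i < quantity; i++) {
            _safeMint(msg.sender, nextId++);
        }
    }

    // Sweeps the whole balance, so ether that arrived without calling mint
    // (selfdestruct payouts, block rewards, plain transfers) is covered too.
    // Deliberately NOT onlyOwner: a bot (e.g. OpenZeppelin Defender) can call
    // it without holding your keys; the only outcome is "owner gets paid".
    function withdrawAll() external {
        uint256 balance = address(this).balance;
        (bool ok, ) = payable(owner()).call{value: balance}("");
        require(ok, "ether transfer failed");
    }

    // Same idea for any ERC20 that lands here (royalties paid in tokens,
    // airdrops, mistakes). SafeERC20 copes with tokens that return nothing.
    function withdrawERC20(IERC20 token) external {
        uint256 balance = token.balanceOf(address(this));
        token.safeTransfer(owner(), balance);
    }

    // Accept plain ether transfers so they land in the sweepable balance.
    receive() external payable {}
}
```

Two things to check before shipping: owner() must be an address that can receive ether (an EOA or a Safe), because a reverting recipient turns withdrawAll into a permanent lock; and since both withdraw functions are permissionless, the recipient has to be fixed inside the contract rather than passed as an argument, otherwise "anyone can call it" becomes "anyone can drain it".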
Royalties (IERC2981) are a good idea, but there are some gotchas. The payment token can be anything (ether, WETH, whatever ERC20 the marketplace settles in), so make sure the royalty receiver is either an address you control or a contract that has a way to extract ERC20s. Here's an example where funds got locked forever
Here's how we are implementing royalties support for @watchfacesworld. Note that we can change royaltyInfo in the future by supplying a new implementation contract. This is cool because we could offer our holders a share of the royalties (no promises 😅) without locking in the logic now.
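An ERC2981 implementation with a swappable royaltyInfo backend, as an added example of the approach described above (it is not the watchfaces.world contract). It assumes OpenZeppelin Contracts 4.x; FixedRoyalty, RoyaltyNFT and the 5% figure are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the project's code. Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/interfaces/IERC2981.sol";
import "@openzeppelin/contracts/utils/introspection/IERC165.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Initial royalty logic: fixed receiver, fixed basis points. A later
// implementation could split between the team and a holder-reward contract.
contract FixedRoyalty is IERC2981 {
    address public immutable receiver;
    uint96 public immutable bps; // 500 = 5%

    // receiver must be an EOA/Safe or a contract that can sweep ERC20s,
    // because marketplaces may pay royalties in WETH or another token.
    constructor(address receiver_, uint96 bps_) {
        require(receiver_ != address(0), "zero receiver");
        require(bps_ <= 10_000, "bps > 100%");
        receiver = receiver_;
        bps = bps_;
    }

    function royaltyInfo(uint256, uint256 salePrice) external view returns (address, uint256) {
        return (receiver, (salePrice * bps) / 10_000);
    }

    function supportsInterface(bytes4 id) external pure returns (bool) {
        return id == type(IERC2981).interfaceId || id == type(IERC165).interfaceId;
    }
}

// The NFT only holds a pointer; royaltyInfo is delegated to whatever the
// pointer currently references, so the logic can change after deployment.
contract RoyaltyNFT is ERC721, IERC2981, Ownable {
    IERC2981 public royaltyImpl;

    event RoyaltyImplUpdated(address indexed impl);

    constructor(IERC2981 impl) ERC721("RoyaltyNFT", "RNFT") {
        _setRoyaltyImpl(impl);
    }

    function setRoyaltyImpl(IERC2981 impl) external onlyOwner {
        _setRoyaltyImpl(impl);
    }

    function _setRoyaltyImpl(IERC2981 impl) internal {
        // Rejects EOAs and unrelated contracts; does not catch a buggy implementation.
        require(impl.supportsInterface(type(IERC2981).interfaceId), "not IERC2981");
        royaltyImpl = impl;
        emit RoyaltyImplUpdated(address(impl));
    }

    function royaltyInfo(uint256 tokenId, uint256 salePrice)
        external view override returns (address, uint256)
    {
        return royaltyImpl.royaltyInfo(tokenId, salePrice);
    }

    function supportsInterface(bytes4 id) public view override(ERC721, IERC165) returns (bool) {
        return id == type(IERC2981).interfaceId || super.supportsInterface(id);
    }
}
```

The pointer is a trust assumption holders should know about: whoever holds the owner key can redirect royalties at any time, and an implementation that reverts will break every marketplace that queries royaltyInfo before listing or filling a sale. The supportsInterface check catches the plain wrong address but not a buggy contract, so test a new implementation on a fork before pointing production at it.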
Last 2💸 tips for now:
1) Use a shared @gnosisSafe for your team (ideally with an M-of-N signature threshold). It would really suck to lose your hard-earned funds because one person's key got compromised.
If you only use Etherscan to browse Ethereum, you're missing out.
Here's a list of power tools (and their hidden features) that security researchers use to investigate hacks.
↓
Etherscan
✅ Fast and popular
🤫 Most people don't know about the Logs and State tabs
🤫 New transaction decoder (click to jump to source code)
❌ UI is hard to navigate
☠️ Linking to Etherscan gets you shadowbanned by Twitter
ethtx.info
✅ Detailed trace of all calls that happen in the transaction
✅ Account balance change and token transfer summary
🤫 A new version at new.ethtx.info with fancy UI
❌ Slow
❌ Can't expand call data
❌ The new UI breaks sometimes
I was around when phpBB was invented, I worked at Facebook for many years, I see the "web3 social will change the world" narratives, and I can't keep quiet.
↓
1. "Owning your data" doesn't make sense. You can own a house, a car, a pen; $100 in cash, a bank account, a share, a crypto asset. You can own intellectual property.
But if you "own" a digital file and share it online, you don't really own it anymore. And web3 social won't help.
2. When people want their content to not be public, they create "friends-only" accounts. Google "finsta" if you are a millennial or older. Messengers are social networks too. Facebook was really concerned about iMessage growth among teens when I was there.
I'll review your Solidity code and provide feedback.
Rules:
- Has to be your code
- OK with me sharing some parts
- Export to Gist and send a DM
- No promises
Austin offered his code for roasting. It's a multisig implementation that allows adding/removing owners. In the 30 minutes I had, I couldn't find critical vulnerabilities, but there is some low-hanging fruit.
Here's a new pattern I started using lately: let the owner of the NFT contract execute any transaction on its behalf.
It's more flexible and future-proof than the old pattern of withdrawing balance & coins. It DOES NOT allow the owner to rug the project: the call is made with the NFT contract as msg.sender, and the contract is not approved to move holders' tokens, so transferFrom(holder, ...) simply reverts. What it does reach is everything the contract itself holds or has been granted (ether, ERC20 balances and allowances, NFTs sent to it, any role another contract gave it), so holders should never setApprovalForAll to the contract address.
Details ↓
Here's the initial problem: as an owner of an NFT project, you want to have a way to withdraw the funds from the contract, so you add withdrawBalance.
Next, you learn that some marketplaces pay royalties in ERC20 tokens, so you add withdrawCoin.
Then your users send an NFT to your contract by mistake, or your contract receives an award as an NFT and you want to recover it, so you add withdrawNFT.
And by "add" I mean "include it in the next project you deploy", because most NFT contracts are not upgradeable, so the fix can't go into the one that is already live.
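An added example of the execute pattern, not the author's contract: one onlyOwner function replaces withdrawBalance, withdrawCoin and withdrawNFT. It assumes OpenZeppelin Contracts 4.x; ExecutableNFT and the Executed event are illustrative names. It goes slightly beyond the text by bubbling up the callee's revert reason, so a failed withdrawal tells you why.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the author's contract. Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract ExecutableNFT is ERC721, IERC721Receiver, Ownable {
    event Executed(address indexed target, uint256 value, bytes data, bytes result);

    constructor() ERC721("ExecutableNFT", "EXN") {}

    // The contract performs an arbitrary call with itself as msg.sender.
    // Ether, ERC20s and NFTs held by the contract are all reachable through
    // this one entry point; holders' own tokens are not, because the contract
    // has no approval over them and transferFrom(holder, ...) would revert.
    function execute(address target, uint256 value, bytes calldata data)
        external onlyOwner returns (bytes memory)
    {
        (bool ok, bytes memory result) = target.call{value: value}(data);
        if (!ok) {
            // Re-throw the callee's revert data instead of a generic failure.
            assembly {
                revert(add(result, 32), mload(result))
            }
        }
        emit Executed(target, value, data, result);
        return result;
    }

    // Convenience wrappers showing how the three old withdraw functions map
    // onto execute(); callers could just as well build the calldata off-chain.
    function withdrawBalanceVia() external onlyOwner {
        this.execute(owner(), address(this).balance, "");
    }

    function withdrawCoinVia(IERC20 token) external onlyOwner {
        uint256 amount = token.balanceOf(address(this));
        this.execute(address(token), 0, abi.encodeCall(IERC20.transfer, (owner(), amount)));
    }

    function withdrawNFTVia(IERC721 nft, uint256 tokenId) external onlyOwner {
        this.execute(
            address(nft),
            0,
            abi.encodeCall(IERC721.transferFrom, (address(this), owner(), tokenId))
        );
    }

    // Accept ether and safeTransfer'd NFTs so they can be recovered later.
    receive() external payable {}

    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

The wrappers call this.execute externally, which works because the contract is calling its own onlyOwner function while msg.sender is the contract itself; that is the one thing to watch in this pattern: if you ever give the contract address an owner-like role somewhere (including in itself via transferOwnership), execute() inherits that power. Keep the owner key in a multisig, and never ask holders to setApprovalForAll to the collection's own address.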
To sell out, of course! "Sold out" is such a powerful status message, especially in the current market.
Looks like the NFT degen meta has slowly shifted from expensive mints, to cheap mints, to free mints. Owners make money from royalties (while that's still a thing).
A negative-price VRGDA could save a project that had a good start in sales but slowed down midway through selling out. Existing owners are incentivized to buy to make their money back, bystanders could make a buck, and bots will take over once the hype is in full swing.