Identifying Authentic NFTs (Especially Against Attackers)

Michael Blau

As an NFT collector, you should care about on-chain provenance. The most authentic provenance for an NFT is when it is initially minted directly from a creator’s wallet or a smart contract that the creator owns. However, with a few clever smart contract illusions, someone could manipulate NFT provenance using a technique known as Sleep Minting.

Sleep Minting is when a scammer mints an NFT directly to a famous creator’s wallet with permission to reclaim or pull the NFT back out of the creator’s wallet. This creates the appearance that (1) a creator authentically minted an NFT to themselves; and then (2) sent that NFT to a scammer. Based on “on-chain” provenance, the scammer can claim they own an NFT minted by a famous creator and sell it for a higher value.

How does this work technically? First, it is essential to understand how a smart contract stores NFT provenance and ownership. Anybody can query an NFT smart contract to determine who the current owner of an NFT is using the ownerOf(tokenId) function from the ERC-721 Standard. You could even query for an NFT owner at a specific block number by varying the eth_call RPC method parameters. However, the simplest way to see changes in ownership is to look at ERC-721 Transfer Event logs.

My a16z Crypto colleague Daren Matsuoka wrote a great Twitter thread about Event logs and how they work. A Transfer Event log is a message sent to the outside world by a smart contract containing details about an NFT transfer (who the NFT is transferring FROM, who the NFT is transferring TO, and the transferred TOKEN ID). Transfer Event logs provide an efficient way to check an NFT’s provenance.

The deception of Sleep Minting comes from the fact that you can emit any piece of data in an Event log. One would expect that if YOU send a transaction to transfer an NFT, then your address should be in the Event log as the “from” field. However, that is not the case when a scammer reclaims a sleep-minted NFT from a famous creator. A scammer could artificially place the famous creator’s address in a Transfer Event’s “from” field.

In more detail, here is how Sleep Minting works:

  1. A scammer would mint an NFT to a famous creator’s wallet but maintain permissions to reclaim or pull that NFT out of the creator’s wallet.
  2. The scammer would issue a transaction that reclaims the NFT from the famous creator. Even though the scammer is sending this transaction (and not the creator), they can artificially place the creator’s address in the “from” field of a Transfer Event. On the surface, it would appear as if the famous creator legitimately transferred an NFT to the scammer.
  3. The scammer now holds an NFT that appears to be authentically created and previously owned by a famous creator, and they can sell that NFT at a higher price.

I would also recommend reading this great walkthrough of a real Sleep Minting attack.

Thanks to Forta, I built an agent that helps detect potential NFT Sleep Minting. Forta created a network for real-time web3 threat detection! Developers can build Forta agents (or threat-detection bots) to alert on any suspicious activity on the blockchain. The agent checks to see if the address that sent a transaction to transfer an NFT differs from the “from” address emitted in a Transfer Event log. If they are different, there is a possibility that the NFT in question was sleep minted.

You can see a live monitor for my agent here and the agent code here.
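
The check described above, written out as an added example (this is not the author's Forta agent code): it decodes ERC-721 Transfer logs from a transaction receipt and flags any whose logged “from” differs from the transaction sender. The receipt shape, function names and sample addresses are constructed for illustration, and skipping mints from the zero address is an assumption of this sketch.

```javascript
// keccak256("Transfer(address,address,uint256)"): signature topic shared by ERC-721 and ERC-20.
const TRANSFER_TOPIC =
  "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// An indexed address is left-padded to 32 bytes; keep the low 20 bytes.
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// ERC-721 indexes from, to and tokenId, so its Transfer log has 4 topics.
// ERC-20 Transfer shares the signature but has only 3 topics and is skipped.
function decodeErc721Transfers(logs) {
  return logs
    .filter((l) => l.topics.length === 4 && l.topics[0].toLowerCase() === TRANSFER_TOPIC)
    .map((l) => ({
      contract: l.address.toLowerCase(),
      from: topicToAddress(l.topics[1]),
      to: topicToAddress(l.topics[2]),
      tokenId: BigInt(l.topics[3]).toString(),
    }));
}

// Flag transfers whose logged "from" is not the account that sent the transaction.
// Assumption of this sketch: mints are ignored, because their logged "from" is the
// zero address, which never matches a sender.
function findSleepMintCandidates(tx) {
  const sender = tx.from.toLowerCase();
  return decodeErc721Transfers(tx.logs)
    .filter((t) => t.from !== ZERO_ADDRESS && t.from !== sender)
    .map((t) => ({ ...t, sender }));
}

// Constructed sample data: placeholder addresses, not real accounts.
const pad = (addr) => "0x" + "0".repeat(24) + addr.slice(2);
const CREATOR = "0x" + "c".repeat(40);
const SCAMMER = "0x" + "5".repeat(40);
const NFT = "0x" + "a".repeat(40);
const tokenTopic = "0x" + (7).toString(16).padStart(64, "0");
const transferLog = (from, to) => ({ address: NFT, topics: [TRANSFER_TOPIC, pad(from), pad(to), tokenTopic], data: "0x" });

const sampleTxs = {
  // Step 1: the scammer mints to the creator's wallet.
  mint: { from: SCAMMER, logs: [transferLog(ZERO_ADDRESS, CREATOR)] },
  // Step 2: the scammer sends the transaction, but the log names the creator as "from".
  reclaim: { from: SCAMMER, logs: [transferLog(CREATOR, SCAMMER)] },
  // Ordinary transfer: the sender and the logged "from" match.
  honest: { from: CREATOR, logs: [transferLog(CREATOR, SCAMMER)] },
};
console.log(findSleepMintCandidates(sampleTxs.reclaim));
```

A mismatch is a lead, not proof: transfers executed by an approved operator, such as a marketplace contract acting for the owner, also have a sender that differs from the logged “from”, so each hit still needs a review of the contract and the token's mint transaction.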

Subscribing to NFT Sleep Minting alerts may help prevent you from collecting a fraudulent NFT. If you ever see an agent alert referring to a specific NFT contract address on the Forta Explorer Agent page, you may want to think twice before purchasing an NFT from that contract.