NFT Security API Update — Approval Objects Restriction and Contract Self-Destruction

GoPlus Security
3 min read · Sep 22, 2022

Approval Objects Restriction

An investor recently came to GoPlus and shared his experience. He could not offer his NFT for sale, one he had expected to be a dark horse given its good trading records and floor price. The question is, why?

Researchers at GoPlus Security looked through this NFT contract and found “Approval Objects Restriction” logic in it, which means that the NFT could not be traded properly and that all the previous trading records were self-directed by the contract deployer.

Take the following NFT as an example.
https://etherscan.io/address/0xfad931e00b22eb97680776245ca3856ebcd5ff9f#code

A requirement in this NFT contract specifies that the approved object cannot be a contract. Placing an order on OpenSea requires approving OpenSea’s contract, so this NFT cannot be traded normally on OpenSea.

As we can see from the code, only addresses in the _addressTransferToContract list can be approved successfully; a setApprovalForAll call that tries to approve a contract address not in this list fails.

So general investors are easily tricked and suffer losses when they encounter this kind of NFT!

Contract Self-Destruction

Another recent case we have heard about from users is an NFT disappearing from the wallet.

The investor tried to add the missing NFT to the wallet again but failed. And when he checked on Etherscan, the NFT had also disappeared from its smart contract.

Researchers at GoPlus Security looked through this NFT contract and found “Contract Self-Destruction” logic in it: the contract deployer had destroyed the smart contract, the corresponding NFT was gone at the same time, and of course the user’s assets disappeared as well. This logic was written into the NFT contract from the beginning, but general investors still fell into the trap!

Take the following NFT as an example.
https://etherscan.io/address/0x9ef27de616154ff8b38893c59522b69c7ba8a81c#code

The contract code for this NFT contains the self-destruct logic, and as we can see, that logic has already been triggered. When the contract self-destructed, the corresponding NFT disappeared with it.
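The self-destruct check described above can be approximated on a contract's runtime bytecode. The following is an added example, not code from the original post or from GoPlus's API; the function names and the sample bytecode strings are constructed for illustration. It walks the bytecode opcode by opcode so that a `0xff` byte inside PUSH data is not mistaken for SELFDESTRUCT, and treats an empty `eth_getCode` result as "no code at this address".

```python
# Added example: static check for the SELFDESTRUCT opcode in EVM runtime bytecode.
# Function names and sample inputs are hypothetical, constructed for this example.
SELFDESTRUCT = 0xFF
PUSH1, PUSH32 = 0x60, 0x7F


def find_selfdestruct(code_hex: str) -> list:
    """Return byte offsets where 0xff occurs as an opcode (not as PUSH data)."""
    if code_hex.startswith("0x"):
        code_hex = code_hex[2:]
    code = bytes.fromhex(code_hex)
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == SELFDESTRUCT:
            hits.append(pc)
        # PUSH1..PUSH32 are followed by 1..32 immediate bytes: data, not opcodes.
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1
        pc += 1
    return hits


def classify(code_hex: str) -> str:
    """Classify the hex string returned by eth_getCode for an NFT contract."""
    if code_hex in ("", "0x"):
        return "no-code"  # destroyed contract, or the address never held code
    if find_selfdestruct(code_hex):
        return "selfdestruct-present"
    return "no-selfdestruct-opcode"


# Constructed samples (not real contracts):
SAMPLE_KILLABLE = "0x33ff"       # CALLER, SELFDESTRUCT
SAMPLE_PUSH_ONLY = "0x60ff5000"  # PUSH1 0xff, POP, STOP: 0xff is data here

if __name__ == "__main__":
    for name, code in [("killable", SAMPLE_KILLABLE),
                       ("push-only", SAMPLE_PUSH_ONLY),
                       ("empty", "0x")]:
        print(name, classify(code), find_selfdestruct(code) if code != "0x" else [])
```

A linear sweep also walks through any non-code bytes the compiler appends after the runtime code, so a hit is a prompt to read the verified source rather than proof of a reachable kill switch.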

General investors are the most vulnerable participants in the Web3 ecosystem. They generally do not read the contract code, so they can easily suffer losses when they encounter this situation.

The GoPlus Security NFT Security API has been updated to cover both new vulnerabilities. By integrating the NFT Security API from GoPlus Security, users can detect with one click whether Contract Self-Destruction or Approval Objects Restriction logic is hidden in an NFT smart contract's code!
