Everyone sees the pfps, but few understand the code behind them.
We go line-by-line through NFT's contract code.
In this edition, we're going to dive into the mfers collection created by meme king @sartoshi_nft!
Unfortunately, it looks like their dev copy/pasted code from some vulnerable contracts.
If you read our Bored Ape YC code review, you may know what's coming next…
At the top, we have some straightforward variables that the mfers contract keeps track of.
The `constructor` takes the `shareholderAddress` as a parameter. This is the wallet the ETH spent minting is withdrawn to.
Here the contract overrides both `_beforeTokenTransfer` and `supportsInterface`.
Both functions appear to just call the `super` versions of each without modifying the behavior…
This code could just be deleted as it was not needed.
Here are `setBaseURI`, `_baseURI()` and `setProvenance`.
A quick reminder:
base URI is standard for off-chain NFTs. It points to the metadata stored elsewhere on the internet.
`provenance` is a hash used to run fair mints: it commits to the collection's contents and ordering before minting starts, which blocks minters from sniping rares etc.
`_baseURIextended` is a private variable. I'm not sure why this was done 🤔.
However, the base URI can easily be found by getting the `tokenURI` for a specific token id.
ipfs://QmWiQE65tmpYzcokCheQmng2DCM33DEhjXcPB6PanwpAZo/0
You can go to https://gateway.pinata.cloud/ipfs/QmWiQE65tmpYzcokCheQmng2DCM33DEhjXcPB6PanwpAZo/0… to see the metadata.
The metadata points to the image which can be found at https://gateway.pinata.cloud/ipfs/QmaEaHAZK98sZnXxQBVrESjBKuKV9zfD5B83iFz9qcsZKL
Now to some fun stuff... here is the `reserve` function 🤯
This is the same vulnerability that the BAYC contract has!!!
If @sartoshi_nft wanted to be a real mfer, he could mint 150 new mfers at a clip for the price of some ETH gas 😂.
This vulnerability has been shown twice, but in my experience, this is NOT commonplace. Don't assume all NFTs have uncapped owner mints.
The mutability of base URI, provenance, and this `reserve` function make the contract ripe for mayhem if it were to get in a hacker's hands.
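To make the uncapped `reserve` pattern concrete, here is an added illustration written for this breakdown (not the mfers contract's code and not @sartoshi_nft's): a hypothetical collection showing the weak owner mint next to a capped one, plus a metadata freeze for the base URI problem. It assumes OpenZeppelin's `ERC721`, and the contract name, caps and field names are made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical collection contrasting an uncapped owner reserve() with
// a capped one. Names and constants are assumptions, not mfers values.
contract ReserveExample is ERC721 {
    uint256 public constant MAX_SUPPLY = 10000;  // assumed collection cap
    uint256 public constant MAX_RESERVE = 150;   // assumed owner allotment
    address public immutable owner;
    uint256 public totalMinted;
    uint256 public reservedMinted;
    bool public metadataFrozen;
    string private baseURIValue;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() ERC721("Example", "EX") { owner = msg.sender; }

    // Weak pattern: nothing bounds n or the number of calls, so the
    // owner can mint past any supply the public was told about.
    function reserveUncapped(uint256 n) external onlyOwner {
        for (uint256 i = 0; i < n; i++) _safeMint(msg.sender, totalMinted++);
    }

    // Hardened pattern: the owner allotment is bounded by a constant
    // and every mint, owner or public, stays under MAX_SUPPLY.
    function reserve(uint256 n) external onlyOwner {
        require(reservedMinted + n <= MAX_RESERVE, "reserve cap");
        require(totalMinted + n <= MAX_SUPPLY, "supply cap");
        reservedMinted += n;
        for (uint256 i = 0; i < n; i++) _safeMint(msg.sender, totalMinted++);
    }

    // Once frozen, the base URI cannot change, so the metadata behind
    // already-minted tokens cannot be swapped out later.
    function setBaseURI(string calldata uri) external onlyOwner {
        require(!metadataFrozen, "metadata frozen");
        baseURIValue = uri;
    }

    function freezeMetadata() external onlyOwner { metadataFrozen = true; }

    function _baseURI() internal view override returns (string memory) {
        return baseURIValue;
    }
}
```

The public `mint` function would need the same `MAX_SUPPLY` check so that owner and public mints share one cap.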
Up next we have `setSaleState`. This function is simply a switch that enables or disables the public mint.
The `mint` function. A very standard implementation.
It validates that each mfer is minted for at least 0.069 ether and that the max mfers minted per transaction is 10, etc.
Finally, we have `withdraw`. This is how the ETH paid for minting gets sent to the owner's wallet. In this case, it's the `shareholderAddress` and not the owner of the contract.
If you liked this breakdown of the mfers contract code please pass this along.
What NFT project should we do next? Let us know in the comments!