Sleepminting: How to Avoid the End of NFTs

Sleepminting: How to Avoid the End of NFTs

NFTs Scams
by Julian Lopez-Acosta
363
Last year set the tone for the mainstream adoption of NFTs. With the rise of blue-chip projects like BAYC, CryptoPunks, and Doodles, and people from all around the globe FOMO-ing into NFTs for thousands of dollars, all eyes were on us: the degens of the crypto world.
Beeple's Everydays: The First 5,000 Days artwork

Why would people buy into digital JPEGs if they could just right-click and save? What utility do NFTs offer? Why are NFTs trusted? These are just some of the reasonable questions asked by newbies. Most projects often fail to deliver on their promises, and it’s well known by now that you’ll probably experience at least one rug pull in your NFT career.

The thing is, the foundational technology backing NFTs is trusted by millions of people. If you mint an NFT, your transaction will be recorded on the blockchain forever. There isn’t one single person on planet Earth that can go in and change the information of the transaction. 

At least, this is what we thought. I guess we were wrong.

On April 4, 2021, the anonymous whitehat hacker Monsieur Personne managed to mint a “second-edition” of Beeple’s $69.3 million record-breaking Everydays: The First 5,000 Days artwork. The thing is, he didn’t just right-click-save the JPEG and mint it under his name. Instead, he minted the second edition under Beeple’s wallet, then transferred it into his own.

How is this even possible? How can someone mint an NFT under someone else’s address?

This counterfeiting phenomenon—called sleepminting—could lead to massive repercussions for NFTs.

What is Sleepminting?

Sleepminting is the process of minting (or registering) NFTs to the crypto wallets of other artists, then transferring ownership back to yourself without the artist having a clue of what’s going on. 

It’s a form of fraud where a hacker deploys a custom-built contract without a crucial component of the standard ERC721 contract: a security check. Therefore, the hacker can move the token freely between wallets without signing off on the transaction. Hence the “sleep” in sleepminting.

How does Sleepminting work?

Although you get the general idea of sleepminting, it’s much more complex than you may think. Even Kevin McCoy, the godfather of NFTs, took a crack at unlocking the knowledge behind the contract. And guess what he found? Nothing.

That’s right: The source code that built the contract is so complex to decompile and ultimately understand, that the function responsible for the sleepminting hack can’t be located.

But one thing we can decipher is how the concept of sleepminting works. Most often than not, this is how a standard ERC721 contract is written:

Standard ERC721 contract minting process
Smart contract → ERC721 token is sent to the minter’s ETH address → Minter receives the ERC721 token → ERC721 token is then minted

From here, the minter can send the ERC721 token to another wallet, or they can sell it on the marketplace. These transactions can only go through if there is a valid signature between both parties.

Now, Monsieur Personne’s malicious ERC721 contract doesn’t require the aforementioned security check. No parties have to sign off on any transaction taking place on the blockchain. 

This is how it works:

Malicious ERC721 contract using the sleepminting process
Smart contract → ERC721 token is sent to the artist’s ETH address, or any other wallet for that matter → Artists receives the ERC721 token, ERC721 token is then minted under artist → Hacker puts ERC721 token up for sale → Oblivious buyer purchases ERC721 token → Profits go to hacker

The hacker can transfer the NFT to any other account or offer it for sale on a secondary market. Since the hacker probably intends to scam someone, they’ll generally put it up for sale on popular NFT platforms like OpenSea or LooksRare.

The hacker can accomplish this because they created a contract to which they have full power to transfer the ERC721 token to any other account after the mint process is finished.

Since the hacker registered or minted the NFT under the artist’s address, it’ll appear like the creator is actually the artist when in reality, they’re not. It’s just a scumbag who’s trying to steal your money.

Beeple's Everydays: The First 5,000 Days artwork
Beeple’s Everydays: The First 5,000 Days artwork

The ETH will be processed into the hacker’s wallet once the fake ERC721 token is sold to a poor soul. Let’s hope this doesn’t happen to you.

The dangers of Sleepminting

Sleepminting may ruin the credibility of NFTs. Without unchangeable provenance, NFTs serve no purpose. The underlying layer of security in the contract can be tampered with, and thus, we’re losing trust in smart contracts. 

The problem is that a vulnerability of this magnitude in ERC721 contracts could initiate growing attempts to forge the NFTs of big players. So yes, we could (and will) see hackers implement malicious smart contracts to ruin your NFT dreams.

From the words of Keir Finlow-Bates: “The hack can be pulled on ERC1155 contracts. ERC20 tokens like Aave, Binance, Tether USD, Uniswap, or Chainlink could theoretically also have been deployed with such a backdoor allowing some shadowy person to seize any of these tokens from any address at any time.”

And yes, this isn’t likely, but it’s still possible. 

Luckily, although it appears the credibility of NFTs are at stake, it’s only because most newcomers don’t know how to read smart contracts. However, if you look close enough and know precisely where to look, you can spot a sleepminted piece within minutes.

How to spot a Sleepminted price

So the question you should be asking yourself is: how do I protect myself from these fraudulent contracts? More specifically, how do I spot a sleepminted NFT?

Honestly, it’s easier than you think. You just need to know how to use Etherscan or any other block explorer to view the contract.

Turtle Town smart contract

Here’s an example of a recent mint for Turtle Town NFT

We’re looking at two things here:

  1. The “From” field displays the address sending ETH in exchange for an ERC721 token (an NFT). It cannot be manipulated.
  2. The “Tokens Transferred” field displays the address of the NFT sender (the project or artist, for the most part). It can be manipulated depending on how the contract was implemented.

Okay cool. We know where to look. Now what?

You want to check the contract to see if it’s legitimate. Click on the contract (either beside the “Interacted With” field, or you can click the name of the token in the “Tokens Transferred” field) and compare it to the contract address listed on the project’s web page or Discord. 

If it isn’t the same, then it’s a fake.

Sometimes, you can even catch if it’s fake if the contract address only has one or a couple Max Total Supply, even though the actual collection has thousands of tokens.

At the end of the day, trust your gut. Don’t risk your money if it’s too good to be true, especially in the NFT world.

What does Sleepminting mean for the future of NFTs?

Hackers will continue to hack. It’s in their blood. 

And with the evolution of the web, there will always be new attacks, frauds, exploits, etc., to breach systems in their infancy. So even though the general public despises hackers and their attempts to rob people of their livelihood, it’s a necessary evil.

We live in a world where we learn from our mistakes. We’re used to forming rules and laws to deter and prevent social issues from happening again. 

When Monsieur Personne sleepminted Beeple’s Everydays: The First 5,000 Days artwork, he was doing us a favour. He taught us a valuable lesson we should all carry deep within our hearts when degen-ing in the NFT space: learn to read and analyze smart contracts for your own security. 

Although sleepminting may discourage newcomers from joining the NFT-verse, it’ll help increase our knowledge of NFT security while lessening our need for trusting relationships within transactions.

The moral of the story is: if you know how to read a smart contract, you can take action in the crypto world without a worry in sight.

FAQ