Identifying Authentic NFTs (Especially Against Attackers)

As an NFT collector, you should care about on-chain provenance. The most authentic provenance for an NFT is when it is initially minted directly from a creator’s wallet or a smart contract that the creator owns. However, with a few clever smart contract illusions, someone could manipulate NFT provenance using a technique known as Sleep Minting.

Sleep Minting is when a scammer mints an NFT directly to a famous creator’s wallet with permission to reclaim or pull the NFT back out of the creator’s wallet. This creates the appearance that (1) a creator authentically minted an NFT to themselves; and then (2) sent that NFT to a scammer. Based on “on-chain” provenance, the scammer can claim they own an NFT minted by a famous creator and sell it for a higher value.

How does this work technically? First, it is essential to understand how a smart contract stores NFT provenance and ownership. Anybody can query an NFT smart contract to determine who the current owner of an NFT is using the ownerOf(tokenId) function from the ERC-721 Standard. You could even query for an NFT owner at a specific block number by varying the eth_call RPC method parameters. However, the simplest way to see changes in ownership is to look at ERC-721 Transfer Event logs.

My a16z Crypto colleague Daren Matsuoka wrote a great Twitter thread about Event logs and how they work. A Transfer Event log is a message sent to the outside world by a smart contract containing details about an NFT transfer (who the NFT is transferring FROM, who the NFT is transferring TO, and the transferred TOKEN ID). Transfer Event logs provide an efficient way to check an NFT’s provenance.

The deception of Sleep Minting comes from the fact that you can emit any piece of data in an Event log. One would expect that if YOU send a transaction to transfer an NFT, then your address should be in the Event log as the “from” field. However, that is not the case when a scammer reclaims a sleep-minted NFT from a famous creator. A scammer could artificially place the famous creator’s address in a Transfer Event’s “from” field.

In more detail, here is how Sleep Minting works:

  1. A scammer would mint an NFT to a famous creator’s wallet but maintain permissions to reclaim or pull that NFT out of the creator’s wallet.
  2. The scammer would issue a transaction that reclaims the NFT from the famous creator. Even though the scammer is sending this transaction (and not the creator), they can artificially place the creator’s address in the “from” field of a Transfer Event. On the surface, it would appear as if the famous creator legitimately transferred an NFT to the scammer.
  3. The scammer now holds an NFT that appears to be authentically created and previously owned by a famous creator, and they can sell that NFT at a higher price.

I would also recommend reading this great walkthrough of a real Sleep Minting attack.

Thanks to Forta, I built an agent that helps detect potential NFT Sleep Minting. Forta created a network for real-time web3 threat detection! Developers can build Forta agents (or threat-detection bots) to alert any suspicious activity on the blockchain. The agent checks to see if the address that sent a transaction to transfer an NFT differs from the “from” address emitted in a Transfer Event log. If they are different, there is a possibility that the NFT in question was sleep minted.

You can see a live monitor for my agent here and the agent code here

Subscribing to NFT Sleep Minting alerts may help prevent you from collecting a fraudulent NFT. If you ever see an agent alert referring to a specific NFT contract address on the Forta Explorer Agent page, you may want to think twice before purchasing an NFT from that contract.

Our crypto newsletter is coming soon

Sign up to be the first to get it.