MetaCreats

Posted on Apr 01, 2022

Stanford NFT: What they are, and what they could be

There has been a lot of buzz recently about Stanford’s exit exam award NFT. There were early reports of the Stanford blockchain research group participating in the layout. Even if you don’t study there or are not a partner of the college, you can understand what an NFT is and why the current hot NFT is causing a buzz. There is also no shortage of colleges and universities that now have books on NFTs for lectures, and on how these will impact the future.

Why would anyone be willing to spend hundreds of thousands or millions of dollars to buy a picture? What they buy is the bragging rights. They can go around to people and brag and say, ‘Hey, you can download, that’s fine. But I am the owner.’

CS 251

Cryptocurrencies and Blockchain Technologies

Cryptocurrencies, blockchains, and smart contracts Autumn 2021

The course covers all aspects of blockchains and cryptocurrencies, including distributed consensus, smart contracts, economics, scalability, and applications. We will focus on Bitcoin and Ethereum as case studies.

Course NFT: Students who completed the course received a course NFT

https://opensea.io/collection/stanford-cs-251-nft-autumn-2021

Q4 The Hashmasks re-entrancy bug.

In Lecture 8 and in Section 3 we discussed Solidity re-entrancy bugs. In this question we will look at an interesting real world example. Consider the following Solidity code snippet used in a drop of 16384 NFTs. A user can claim up to twenty NFTs at a time by calling the mintNFT() function on this NFT contract. You may assume that all the internal variables are initialized properly by the constructor (not shown).

```solidity
function mintNFT(uint256 numberOfNfts) public payable {
    require(totalSupply() < 16384, "Sale has already ended");
    require(numberOfNfts > 0, "numberOfNfts cannot be 0");
    require(numberOfNfts <= 20, "You may not buy more than 20 NFTs at once");
    require(totalSupply().add(numberOfNfts) <= 16384, "Exceeds NFT supply");
    require(getNFTPrice().mul(numberOfNfts) == msg.value, "Value sent is not correct");
    for (uint i = 0; i < numberOfNfts; i++) {
        uint mintIndex = totalSupply(); // get number of NFTs issued so far
        _safeMint(msg.sender, mintIndex); // mint the next one
    }
}

function _safeMint(address to, uint256 tokenId) internal virtual {
    // Mint one NFT and assign it to address(to).
    require(!_exists(tokenId), "ERC721: token already minted");
    _data = _mint(to, tokenId); // mint NFT and assign it to address to
    _totalSupply ++; // increment totalSupply() by one
    if (to.isContract()) {
        // Confirm that NFT was recorded properly by calling
        // the function onERC721Received() at address(to).
        // The arguments to the function are not important here.
        // If onERC721Received is implemented correctly at address(to) then
        // the function returns _ERC721_RECEIVED if all is well.
        bytes4 memory retval =
            IERC721Receiver(to).onERC721Received(to, address(0), tokenId, _data);
        require(retval == _ERC721_RECEIVED, "NFT Rejected by receiver");
    }
}
```

Let’s show that _safeMint is not safe at all (despite its name).

A) Suppose 16370 NFTs were already minted, so that totalSupply() == 16370. Explain how a malicious contract can cause more than 16384 to be minted. What is the maximum number of NFTs that the attacker can cause to be minted? Hint: what happens if onERC721Received at the calling address is malicious? Examine the minting loop carefully and think of re-entrancy bugs.

B) Write the code for a malicious Solidity contract that implements your attack from part (a), assuming the current value of totalSupply() is 16370.

C) What single line of Solidity would you add or change in the code on the previous page to prevent your attack? Note that a single transaction should not mint more than 20 NFTs.
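An added example, not part of the original post or the course material: a small Python model of the quoted mint flow, showing that the supply cap is checked once before the loop while the receiver callback runs after every mint, and that a reentrancy lock (one common mitigation) makes a nested call revert. The class and function names and the `ReenteringReceiver` test double are constructed for illustration, and the price check is omitted.

```python
MAX_SUPPLY, MAX_PER_CALL = 16384, 20  # limits from the quoted snippet

class Revert(Exception):
    """Stands in for a failed require(): the whole transaction is undone."""

def require(cond, msg):
    if not cond:
        raise Revert(msg)

class Sale:
    """Toy model of the quoted mint flow; guarded=True adds a reentrancy lock."""
    def __init__(self, minted, guarded=False):
        self.total_supply, self.guarded, self.locked = minted, guarded, False

    def mint_nft(self, receiver, n):
        require(not (self.guarded and self.locked), "reentrant call")
        self.locked = True
        try:
            # Checks are evaluated once, before the loop starts.
            require(self.total_supply < MAX_SUPPLY, "Sale has already ended")
            require(0 < n <= MAX_PER_CALL, "bad numberOfNfts")
            require(self.total_supply + n <= MAX_SUPPLY, "Exceeds NFT supply")
            for _ in range(n):
                self.total_supply += 1      # effect
                receiver.on_received(self)  # external call after every mint
        finally:
            self.locked = False

class Wallet:
    def on_received(self, sale):  # ordinary receiver: accepts the token
        pass

class ReenteringReceiver:
    """Constructed test double: calls mint_nft once from inside its callback."""
    def __init__(self, n):
        self.n, self.done = n, False
    def on_received(self, sale):
        if not self.done:
            self.done = True
            sale.mint_nft(self, self.n)

def run_tx(sale, receiver, n):
    """Run one transaction; on Revert roll the state back, as the EVM would."""
    snapshot = sale.total_supply
    try:
        sale.mint_nft(receiver, n)
        return "ok", sale.total_supply
    except Revert as e:
        sale.total_supply, sale.locked = snapshot, False
        return f"reverted: {e}", sale.total_supply
```

Running `run_tx` with the same receiver against `Sale(16370)` and `Sale(16370, guarded=True)` works as a regression test: the first ends above `MAX_SUPPLY`, the second reverts and leaves the supply unchanged.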

About NFT

The world’s most coveted NFT. If NFTs could change education: a new kind of diploma? NFTs tap into an emerging trend that many students are curious about, and they can help build community in a class.

NFTs are also blurring the line between a hobby and an investment. Many collectors grow their collection as a hobby, with no intention of selling or trading away their prized digital possessions.


Disclaimer

The views and opinions expressed by the author are for informational purposes only and do not constitute financial, investment, or other advice. NFA DYOR (Not Financial Advice Do Your Own Research)

MetaCreat

Twitter: https://twitter.com/MetaCreats

Medium: https://medium.com/@MetaCreats

Mirror: https://mirror.xyz/0x2519b80f3c38433a4eB73A5fd0E7bfd122C4D97f

Mirror (Chinese): https://mirror.xyz/0xe327aeEa2b52fCB1e2498b5B0F08a7F425f1e7A7
