Tag Archives: airdrop

Vault
contracts

Delegate.cash Contract Review

Leave a comment

Delegate.cash is a new protocol intended to make airdrops and token claims safer. If you have vaulted NFTs, you strongly want to avoid using that vault wallet to interact with any contracts. And if you have to move NFTs back & forth between your vault wallet and hot wallet to make claims, then you probably won’t. foobar, one of the authors of delegate.cash, has a great write up on why this kind of protocol needs to exist. Let’s take a look at the code

(note that the code blocks below contain some intermixed code from different parts of DelegationRegistry.sol and IDelegationRegistry.sol for clarity of explanation)

Delegation

There are 3 types of delegation:

  1. ALL – the vault wallet delegates all actions to the delegate wallet
  2. CONTRACT – the vault wallet delegates all actions on a specific contract to the delegate wallet
  3. TOKEN – the vault wallet delegates all actions for a specific token (on a specific contract) to the delegate wallet

There are delegation functions for each of these delegation types that allow you to enable or disable the delegation (based on value). These functions must be called from the vault wallet (vault = msg.sender), but they are quite straightforward and safe:

  1. Compute a delegationHash
  2. Set DelegationInfo values for that delegationHash
enum DelegationType {
	NONE,
	ALL,
	CONTRACT,
	TOKEN
}

function delegateForAll(address delegate, bool value) external override {
	bytes32 delegationHash = _computeAllDelegationHash(msg.sender, delegate);
	_setDelegationValues(
		delegate, delegationHash, value, IDelegationRegistry.DelegationType.ALL, msg.sender, address(0), 0
	);
	emit IDelegationRegistry.DelegateForAll(msg.sender, delegate, value);
}

function delegateForContract(address delegate, address contract_, bool value) external override {
	bytes32 delegationHash = _computeContractDelegationHash(msg.sender, delegate, contract_);
	_setDelegationValues(
		delegate, delegationHash, value, IDelegationRegistry.DelegationType.CONTRACT, msg.sender, contract_, 0
	);
	emit IDelegationRegistry.DelegateForContract(msg.sender, delegate, contract_, value);
}

function delegateForToken(address delegate, address contract_, uint256 tokenId, bool value) external override {
	bytes32 delegationHash = _computeTokenDelegationHash(msg.sender, delegate, contract_, tokenId);
	_setDelegationValues(
		delegate, delegationHash, value, IDelegationRegistry.DelegationType.TOKEN, msg.sender, contract_, tokenId
	);
	emit IDelegationRegistry.DelegateForToken(msg.sender, delegate, contract_, tokenId, value);
}

Delegation Hash

The delegationHash is where the authors got clever. Not only does the hash make delegation lookups faster and more efficient, it makes revoking delegations very cheap for gas. Every vault wallet has a numeric vaultVersion, which is initially 0. If this gets changed, then the delegationHash will change. There is a similar numeric delegateVersion for (vault, delegate) pairs. Revoking (covered more below) is just a matter of changing those version numbers, therefore changing the hash.

/// @notice A mapping of wallets to versions (for cheap revocation)
mapping(address => uint256) internal vaultVersion;

/// @notice A mapping of wallets to delegates to versions (for cheap revocation)
mapping(address => mapping(address => uint256)) internal delegateVersion;
	
function delegateForAll(address delegate, bool value) external override {
	bytes32 delegationHash = _computeAllDelegationHash(msg.sender, delegate);
	_setDelegationValues(
		delegate, delegationHash, value, IDelegationRegistry.DelegationType.ALL, msg.sender, address(0), 0
	);
	emit IDelegationRegistry.DelegateForAll(msg.sender, delegate, value);
}

function delegateForContract(address delegate, address contract_, bool value) external override {
	bytes32 delegationHash = _computeContractDelegationHash(msg.sender, delegate, contract_);
	_setDelegationValues(
		delegate, delegationHash, value, IDelegationRegistry.DelegationType.CONTRACT, msg.sender, contract_, 0
	);
	emit IDelegationRegistry.DelegateForContract(msg.sender, delegate, contract_, value);
}

function delegateForToken(address delegate, address contract_, uint256 tokenId, bool value) external override {
	bytes32 delegationHash = _computeTokenDelegationHash(msg.sender, delegate, contract_, tokenId);
	_setDelegationValues(
		delegate, delegationHash, value, IDelegationRegistry.DelegationType.TOKEN, msg.sender, contract_, tokenId
	);
	emit IDelegationRegistry.DelegateForToken(msg.sender, delegate, contract_, tokenId, value);
}

Delegation Info

When delegating, a DelegationInfo object is created and stored by delegateHash. This DelegationInfo contains the following data:

  • vault: the vault wallet
  • delegate: the delegate or hot wallet
  • type_: the DelegationType, which can be ALL, CONTRACT, or TOKEN
  • contract_: the contract address for CONTRACT & TOKEN types, or the 0 address for ALL
  • tokenId: the token number for the TOKEN type, or 0

If value is false, then the delegateHash and corresponding DelegationInfo are deleted, thereby revoking a specific delegation. However, there are cheaper ways to revoke delegation, covered next.

/// @notice Info about a single delegation, used for onchain enumeration
struct DelegationInfo {
	DelegationType type_;
	address vault;
	address delegate;
	address contract_;
	uint256 tokenId;
}

function _setDelegationValues(
	address delegate,
	bytes32 delegateHash,
	bool value,
	IDelegationRegistry.DelegationType type_,
	address vault,
	address contract_,
	uint256 tokenId
) internal {
	if (value) {
		delegations[vault][vaultVersion[vault]].add(delegateHash);
		delegationHashes[delegate].add(delegateHash);
		delegationInfo[delegateHash] =
			DelegationInfo({vault: vault, delegate: delegate, type_: type_, contract_: contract_, tokenId: tokenId});
	} else {
		delegations[vault][vaultVersion[vault]].remove(delegateHash);
		delegationHashes[delegate].remove(delegateHash);
		delete delegationInfo[delegateHash];
	}
}

Revoking

The contract provides very cheap ways to revoke delegation, by changing the vaultVersion or delegateVersion.

  • revokeAllDelegates would be called from the vault wallet, and invalidates all delegations for that wallet
  • revokeDelegate would also be called from the vault wallet, to invalidate a specific delegate wallet
  • revokeSelf would be called from a delegate wallet, to invalidate all delegations from a specific vault wallet

As mentioned above, instead of a complicated and gas expensive deletion of DelegationInfo, by incrementing a version number the delegation hash computation is changed. Technically this means the old DelegationInfo remains in the contract storage, but it is no longer accessible and cannot be used by any delegation lookups. There is also a theoretical limit of 2^256-1 for the number of times you can revoke and change either of the version numbers, but you’d have to try extremely hard and spend a lot of gas to do this.

function revokeAllDelegates() external override {
	++vaultVersion[msg.sender];
	emit IDelegationRegistry.RevokeAllDelegates(msg.sender);
}

function revokeDelegate(address delegate) external override {
	_revokeDelegate(delegate, msg.sender);
}

function revokeSelf(address vault) external override {
	_revokeDelegate(msg.sender, vault);
}

function _revokeDelegate(address delegate, address vault) internal {
	++delegateVersion[vault][delegate];
	// For enumerations, filter in the view functions
	emit IDelegationRegistry.RevokeDelegate(vault, msg.sender);
}

Delegation Lookups

There are a number of different ways to lookup delegations. I’ve included the function signatures below, but not the complete functions, as they are complicated, highly optimized loops iterating over the delegations created by the functions covered above. They are view only functions and therefore safe to call.

function getDelegatesForAll(address vault)
    external view returns (address[] memory delegates)

function getDelegatesForContract(address vault, address contract_)
    external view override returns (address[] memory delegates)

function getDelegatesForToken(address vault, address contract_, uint256 tokenId)
    external view override returns (address[] memory delegates)

function getContractLevelDelegations(address vault)
    external view returns (IDelegationRegistry.ContractDelegation[] memory contractDelegations)

function getTokenLevelDelegations(address vault)
    external view returns (IDelegationRegistry.TokenDelegation[] memory tokenDelegations)

function checkDelegateForAll(address delegate, address vault)
    public view override returns (bool)

function checkDelegateForContract(address delegate, address vault, address contract_)
    public view override returns (bool)

function checkDelegateForToken(address delegate, address vault, address contract_, uint256 tokenId)
    public view override returns (bool)

These functions are designed to be called from other contracts or dapps, to enable the delegation protocol. For example, if a delegate wallet wants to make a claim for a NFT, it could provide a vault wallet and tokenId to the claim contract. The claim contract would then do the following:

  1. Confirm the vault wallet owns tokenId
  2. Call checkDelegateForToken(delegate, vault, contract_, tokenId)
  3. Proceed with the claim if checkDelegateForToken returns true
  4. Deny the claim if checkDelegateForToken returns false

For the best UX, you’d probably want to call these functions initially from the dapp, but for security, you definitely want to verify everything within the claim contract.

Slither Analysis

Unfortunately, slither 0x00000000000076A84feF008CDAbe6409d2FE638B doesn’t work because the openzepplin contract dependency paths are different than how etherscan structures things. To make slither work, I did the following:

  1. git clone --recurse-submodules https://github.com/0xfoobar/delegation-registry.git
  2. cd delegation-registry/lib
  3. slither ../src/DelegationRegistry.sol --print human-summary
  4. slither ../src/DelegationRegistry.sol
Human summary of slither analysis

As you can see, it’s in pretty good shape. The 4 medium issues are all unused returns in _setDelegationValues when adding or removing delegation hashes from a set. The add and remove functions just return a bool if the set was changed, which doesn’t really matter for this contract, so ignoring the return value is totally fine.

The 1 optimization issue is that checkDelegateForToken should be declared external. It is actually external in the IDelegationRegistry interface, so I’m not sure why it’s public in DelegationRegistry. Maybe it’s just a simple oversight, but not really a big deal either.

Some of the informational issues are about inline assembly in some of the delegation lookups. Assembly should definitely be used with care. In this case, the assembly is in view only functions, in a way that helps reduce the computation cost.

Conclusion

Delegate.cash does exactly what it claims to, in a very straightforward way. However, it’s useless on its own. For this protocol to work, developers have to start including it in their own contracts and dapps, then recommending it to their users. The team behind delegate.cash are attempting to make an official standard with EIP-5639. But the best thing they can do is to provide easy to use libraries and sample code for integrating the protocol into other contracts and dapps. Ideally this would go as far as re-usable React components and a sample claim contract to demonstrate an entire user & wallet flow. If developers can essentially copy & paste to give their users more secure options, then adoption will be much easier.

contracts

Creyzies Contract Review

Leave a comment

Creyzies is the official companion collect to mfers, by Reylarsdam. Every mfers holder received an equivalent amount of Creyzies in a surprise airdrop on 4/20/2022, with all expenses paid by Sartoshi, the creator of mfers.

The contract was written by West Coast NFT, who also wrote the mfers contract. Let’s take a look at the code, which begins with a giant ascii creyzie.

Airdrop

    struct SendData {
        address receiver;
        uint256 amount;
    }

 ...

    function airdrop(SendData[] calldata sendData) external onlyRole(SUPPORT_ROLE) nonReentrant {
        uint256 ts = baseContractAddress.totalSupply();

        // loop through all addresses
        for (uint256 index = 0; index < sendData.length; index++) {
            require(totalSupply() + sendData[index].amount <= ts, 'Exceeds original supply');
            _safeMint(sendData[index].receiver, sendData[index].amount);
        }
    }

The airdrop function receives an array of SendData structs, each of which specifies a receiver address and an amount of tokens to airdrop. Before this function was called, the devs did a snapshot of all mfers owner addresses, and counted how many mfers were owned by each address, to create this SendData array. Then they called this function 14 times to perform the airdrop, for a total gas cost of ~15 ETH. Sartoshi deposited 20 ETH to fund the airdrop, then withdrew 5 ETH when the airdrop was complete.

The baseContractAddress is the mfers contract address, which you can see in the Constructor Arguments below the code. So the first line of the function gets the total number of mfers from the mfers contract. Then, looping through the array of SendData, there’s a requirement that the current supply + the amount to be minted is less than or equal to the total mfers supply. The amounts should have been calculated correctly during the snapshot, but this is a good way to enforce the supply limit. Finally, the amount of tokens is minted to the receiver address. The Creyzies contract uses ERC721A, so minting multiple tokens at a time is very efficient.

There’s no token ownership checks at mint time, so this does all assume that the SendData was calculated correctly from a snapshot. Some addresses were explicitly left out of the airdrop – these were known smart contract addresses such as a Gnosis Safe or NiftyGateway. The devs knew the airdrop may not work for them, so they setup a claim site and implemented a redeem function.

Redeem

    function setUnclaimedTokenIds(uint256[] calldata tokenIds) external onlyRole(SUPPORT_ROLE) {
        for (uint256 index = 0; index < tokenIds.length; index++) {
            unclaimedTokenIds[tokenIds[index]] = true;
        }
    }

    function redeem(uint256[] calldata tokenIds) external nonReentrant {
        uint256 numberOfTokens = tokenIds.length;

        for (uint256 index = 0; index < numberOfTokens; index++) {
            require(unclaimedTokenIds[tokenIds[index]], 'Token has already been claimed');

            try baseContractAddress.ownerOf(tokenIds[index]) returns (address ownerOfAddress) {
                require(ownerOfAddress == msg.sender, 'Caller must own NFTs');
            } catch (bytes memory) {
                revert('Bad token contract');
            }

            unclaimedTokenIds[tokenIds[index]] = false;
        }

        uint256 ts = baseContractAddress.totalSupply();
        require(totalSupply() + numberOfTokens <= ts, 'Exceeds original supply');

        _safeMint(msg.sender, numberOfTokens);
    }

Sartoshi posted claim instructions to redeem unclaimed tokens that were not airdropped. setUnclaimedTokenIds was called immediately after the airdrop, and sets a flag to true in unclaimedTokenIds. Then, when an owner goes to creyzies.art to claim their token(s), the redeem function is called. For each token attempting to be redeem, the function checks that

  1. The token hasn’t been claimed already
  2. The redeemer (msg.sender) owns the corresponding mfers token.

If those checks pass, the token is marked as claimed. But before it is minted, there is one final check that minting these tokens won’t exceed the total mfers supply. The devs definitely put some extra effort into the contract to double check their work, to ensure that Creyzies tokens went to the right addresses and never exceeded mfers supply.

Royalties

Often, royalties from sales are handled by secondary marketplaces, using info from royaltyregistry.xyz. However, this contract implements ERC2981, which defines a royalty standard specified in the contract. Like with mfers, the default royalties are set fairly low, to 2.5%. The royalties are sent to 0x750314177EF0a319DCdC959599C76D63964729f1, which appears to be another contract that splits the royalties automatically.

Provenance

Like with The Picaroons, a provenance hash was set before minting, to 3307bc0bd06029bba4a826856f2e19db62d6df5b7f70d447fa5262117256c46c. They also published a page proving the fairness of the drop.

Token URI

While some NFTs exist fully on chain, most are token numbers in a contract that point to a URI. This URI points to metadata, which is where to find the NFT image and properties. For mfers, the token URI is on ipfs, a distributed filesystem, where the JSON metadata for each mfers token is stored. Creyzies, though, currently points to a web app on heroku.

The token URI for Creyzies #1 is https://minting-pipeline-10.herokuapp.com/1

This is not great, because it means that the Creyzies metadata depends on a Heroku app running correctly and being available. ipfs, being distributed, is a more decentralized and resilient location, and any files stored there can’t be changed without changing the URI. Metadata being served from a web app can be changed very easily. Hopefully there’s a plan to put all the metadata into ipfs as well; the images are there already. If that is done correctly, then the devs can call setBaseURI with the new ipfs URI, just like they did to set the heroku base URI. However, if there is some other surprise planned that requires changing the metadata, then keeping the token URIs pointing to a web app make sense.

    function setBaseURI(string memory baseURI_) external onlyRole(SUPPORT_ROLE) {
        _baseURIextended = baseURI_;
    }

    /**
     * @dev See {ERC721-_baseURI}.
     */
    function _baseURI() internal view virtual override returns (string memory) {
        return _baseURIextended;
    }

Slither Analysis

In order to make slither work this time, I had to tweak the code for one of the dependencies, crytic-compile. Using my branch, you can run slither to analyze the contract.

$ slither 0x19bb64b80cbf61e61965b0e5c2560cc7364c6546 --print human-summary

The issues can all be seen by running slither 0x19bb64b80cbf61e61965b0e5c2560cc7364c6546. I think the way this contract calls baseContractAddress.ownerOf within a try-catch block might be a little unusual, since slither says the return value is unused, when that’s not really the case. The other medium issues are within ERC721A._mint, and look ignorable. However there is an issue about costly operations inside a loop within ERC721A._mint, for _currentIndex = updatedIndex. This is within an unchecked block, which is the same thing that the Counters library does. The Azuki gas optimization analysis was pretty extensive, so there may not be any more that can be done to optimize gas in this case.

Conclusion

This is a very nice & unexpected gift to all mfers holders, and it looks like the devs did excellent work to ensure accuracy and minimize airdrop costs. The Crezies art is cc0 just like mfers, and it’s definitely worth checking out more of Rey’s work.