We were fooled by Rarible. Apparently, some unlockables are not locked at all.

Today I will share a fun story of how a big NFT minting platform did a very amateur job designing their smart contracts in the past, stayed silent about it, and fooled their users regarding one of their unique features.

When you watch/read a tutorial on how to write a smart contract and develop a dApp, you often see/hear a disclaimer: smart contracts are unstoppable when you deploy them, and one tiny mistake in the code or design may cause huge problems in the long term after deployment, and what’s done is done; you can’t change or revert your mistake in the code afterwards.

Heard of unlockable NFTs? It was one of the reasons I got involved with Rarible.com, alongside it being an open marketplace. With the unlockable feature, you can mint an NFT and hide a text content inside it, which may contain a URL to a file, a thank-you message, or anything the minter wants to put in. And “only” the owner of that NFT can unlock this text to see what is inside.

Except… that wasn’t actually the case at all when they presented this feature to users. Apparently, during a period of time, which I assume to be between February 2020 and June 2020 (I am making this assumption based on the first and last NFTs I could find on Rarible’s own smart contracts), the way Rarible handled unlockable contents was to include them in the public token metadata, instead of storing this data somewhere private and encrypted.

I first noticed this with some unlockable NFTs I had minted in the past on Rarible. While I was working on the website of Bastard Gan Punks, I found out that I could see all the unlockable content of some of my early mints right in the token metadata. All I needed to do to view them was make a function call to the smart contract (which you can try out very easily by navigating to etherscan.io and calling the tokenURI function with the token id) and follow the IPFS metadata link it returns.

Here you can see my genesis token’s metadata as returned by the smart contract. Alongside the name, description, link to the image file and other token details, you can see that there is a key called “locked”. The value of that key is what I had put in the secret unlockable.

{
  "name": "GΞNΞSIS BGANPUNK #00",
  "description": "Yaaaaaaay I am the first BGANPUNK\n\nI carry some genes from some cccryptopunks, but I don't know my parents.\n\nMy original 32x32 photo is lost. But I include an unlockable ipfs link of my sibling's 32x32 photo.",
  "image": "https://ipfs.daonomic.com/ipfs/QmaNa9fQwmtu6dKAKzwm2knpvGyLwr3NZJf5DmyRbFgB2p",
  "attributes": [
    {"key": "id", "trait_type": "id", "value": "0"},
    {"key": "original-size", "trait_type": "original-size", "value": "32x32"},
    {"key": "code-name", "trait_type": "code-name", "value": "seed3875457.png"}
  ],
  "collection": {"raw": "0x9126b817ccca682beaa9f4eae734948ee1166af1"},
  "price": "50.000000",
  "saleable": true,
  "lockable": true,
  "locked": "https://gateway.pinata.cloud/ipfs/QmU2MkeihjtnfC2WwtVLtNqUXfDXgq6hrrEX8j1sTwQ9JR/seed3875457.png"
}

You can also view it from the link here -> https://ipfs.daonomic.com/ipfs/QmVwt5rSw6WcA9m16eGE5bXiQcJCtPqaBoxJz9FjJSGU83

I sold this NFT for 1 Ether. I wonder: would the collector be happy to hear that the secret unlockable content, which normally only they can view, is actually visible publicly to anyone who simply queries the smart contract?

Rarible fixed this implementation for the later ERC721 NFTs and probably moved the unlockable content to a private server where no one but them can reach it. I still don’t know exactly how they implement this feature nowadays, but it is certain that it was very poorly designed by Rarible developers in the past (and they told users nothing about it), and they owe an explanation to the creators and collectors of the platform ASAP.

RARILEAK | some unlockables are not locked at all — NFT COLLECTIBLE ON RARIBLE https://app.rarible.com/token/0x60f80121c31a0d46b5279700f9df786054aa5ee5:71293:0xc5e08104c19dafd00fe40737490da9552db5bfe5

I minted a critical NFT work on the Rarible ERC721 smart contract, in which I am exposing all the unlockable content I could fetch from Rarible’s own smart contracts 0x6A5Ff3CEEcaE9CeB96E6ac6c76B82aF8B39f0Eb3 & 0x60F80121C31A0d46B5279700f9DF786054aa5eE5. I wrote a short Python script which gets all the metadata in the smart contract and filters the entries that have a “locked” key. It took less than an hour to fetch all this information, which means that anyone else can do it too.

I don’t think I am doing anything unethical by exposing this, because this data is not something I stole or hacked; it was always publicly visible to everyone, allowed by Rarible themselves. I think creators and collectors of this platform should know about this, and raise awareness of how badly designed decentralized applications may fail to deliver their promises and exploit their users.

This NFT only includes the data fetched from the original Rarible ERC721 smart contracts (I found 2 of them). So I highly suggest that creators check their own ERC721 smart contracts created on Rarible to see whether their past unlockable contents are visible in the metadata or not. Since the ERC1155 smart contracts were implemented later, I haven’t noticed this issue in them, but it is good to check them as well.
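As an added example (not the author’s script, nor Rarible’s code), here is a Python checker a creator could run over the metadata that tokenURI returns for their own tokens, to find any past unlockable that is sitting in the public metadata. The gateway URL is an assumption and the sample record is constructed from the genesis token metadata above:

```python
import base64
import json
from typing import Dict, List, Optional, Tuple

# Assumed public IPFS gateway; any gateway will do for ipfs:// translation.
IPFS_GATEWAY = "https://ipfs.io/ipfs/"

# Constructed sample, reduced from the genesis token metadata shown above.
SAMPLE_METADATA = {
    "name": "GΞNΞSIS BGANPUNK #00",
    "lockable": True,
    "locked": "https://gateway.pinata.cloud/ipfs/QmU2MkeihjtnfC2WwtVLtNqUXfDXgq6hrrEX8j1sTwQ9JR/seed3875457.png",
}

def token_uri_to_http(uri: str) -> str:
    """Turn the URI forms tokenURI() commonly returns into a fetchable URL.
    ipfs://<cid>/<path> becomes a gateway URL; http(s) URLs pass through."""
    if uri.startswith("ipfs://"):
        return IPFS_GATEWAY + uri[len("ipfs://"):].lstrip("/")
    return uri

def decode_inline_metadata(uri: str) -> Optional[dict]:
    """Some contracts embed metadata as data:application/json;base64,<...>.
    Return the parsed object for that form, None for anything else."""
    prefix = "data:application/json;base64,"
    if not uri.startswith(prefix):
        return None
    return json.loads(base64.b64decode(uri[len(prefix):]).decode("utf-8"))

def exposed_unlockable(metadata: dict) -> Optional[str]:
    """Return the unlockable text if it sits in the public metadata.
    A non-empty "locked" value is the tell; "lockable": true alone is harmless."""
    value = metadata.get("locked")
    if isinstance(value, str) and value.strip():
        return value
    return None

def find_exposed(records: Dict[int, dict]) -> List[Tuple[int, str]]:
    """Filter {token_id: metadata} down to the tokens whose secret is public,
    i.e. the same filter the author's script applied across a whole contract."""
    hits = []
    for token_id, metadata in records.items():
        secret = exposed_unlockable(metadata)
        if secret is not None:
            hits.append((token_id, secret))
    return hits
```

Fetching each token’s metadata (tokenURI via etherscan or a web3 library, then the gateway URL) is left to the caller; the functions above only inspect what comes back.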

Unfortunately, what happened has happened; we can’t change the metadata of the tokens we minted, and we cannot burn them after we transfer them to someone. We had the illusion that we had secured the unlockable content of our tokens, and that wasn’t the case at all. Rarible has no excuse to defend themselves on this. This is an unforgivable mistake that made me lose the majority of my trust in the platform. And I am also very curious how this stupid design choice was allowed in the first place.

Please share this text with the creators and collectors of Rarible to spread the word and let them know about this. If you happen to find any other tokens created after June 2020 with their unlockable content exposed in the metadata, please send them to me via https://twitter.com/berkozdemir or hello@berkozdemir.com . It would help a lot with my research on this topic.

Cheers all,

Berk
