anza-xyz / solana-pay

A new standard for decentralized payments.
https://solanapay.com
Apache License 2.0

How to stop bots from automatically signing transactions? #156

Closed 0xMukesh closed 2 years ago

0xMukesh commented 2 years ago

Hey! I'm a core backend engineer at CandyPay; we're trying to bring a seamless mobile-native UX to Solana's NFT ecosystem. We recently created a gasless NFT drop for Dilli Hackerhouse, but unfortunately all the NFTs got minted and drained our payer wallet's funds.

The attacker sent mass POST requests to our API's /mint route and fetched the raw base58 transaction object from the route's response. The attacker then simulated and signed the transaction programmatically via newly created wallets. The minted NFTs were then listed on MagicEden.

Is there any way to stop such attacks in the future?

Additional context

  1. https://twitter.com/umang_veerma/status/1568123608031166465
  2. https://magiceden.io/marketplace/dilli_hackerhouse
0xMukesh commented 2 years ago

It seems that MagicEden has taken down the NFT collection 🎉

github-actions[bot] commented 2 years ago

Hi @0xMukesh, thanks for your question! We want to make sure to keep signal strong in the GitHub issue tracker, to make sure that it remains the best place to track issues that affect the development of Solana itself. Questions like yours deserve a purpose-built Q&A forum. Unless there exists evidence that this is a bug with Solana itself, please post your question to the Solana Stack Exchange using this link: https://solana.stackexchange.com/questions/ask

This automated message is a result of having added the 'question' tag.

jordaaash commented 2 years ago

Spam or fraud prevention from your API is out of scope for the protocol. Using a QR code that doesn't change with an API that doesn't authenticate requests is likely to lead to issues. Check out https://github.com/solana-labs/octane for some of the spam prevention methods you might consider.

As for minting NFTs, it sounds like roughly what you want is a program that your API needs to sign, or else minting will fail. Then your API would perform checks on the wallets that make Solana Pay requests, and provide partially signed transactions for requests you determine to be legitimate.

0xMukesh commented 2 years ago

Making the /mint route protected isn't possible, as the wallets send plain HTTP GET and POST requests to the /mint route.

If we try to make the route protected, the API request sent by the wallets would fail immediately and it would become impossible for the users to mint the NFT via QR code.

jordaaash commented 2 years ago

I didn't suggest making the route protected. There are lots of ways to perform authentication of requests: single-use URLs that you generate on the server and publish to the client, checking the account / assets / lifetime of the wallet, rate limiting. Please think about the problem harder, but this GitHub issue isn't the place to do it.