HardlyDifficult
commented
2 years ago This is exactly how we intend the system to be used.
Yes it's possible to reveal the content sooner, that's an option we have left in there for the creators that want it. It's also useful for collections which do not sell out... creator's wouldn't want to leave the few buyers they did get hanging forever.
The normal flow is to post a prereveal image for the collection, list the collection for sale, wait for the collection to sell out, and then reveal the content. This seems to match what the warden recommends here.
HickupHH3
Lines of code
https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/NFTCollection.sol#L238
Vulnerability details
Impact
Detailed description of the impact of this finding.
Historical lession:
Meebits was a highly anticipated NFT mint of 20,000 unique 3D characters from Larva Labs, the creators of CryptoPunks.
Larva Labs knew savvy users could use a collection’s metadata to calculate rarity and snipe rare NFTs. To combat this, they designed their website in a way that allowed buyers to see the complete metadata of each Meebit, but only after it had been minted.
While the website explicitly hid unminted Meebits, someone inspected the source code to see that LarvaLabs pulled the metadata from IPFS. Using this information, they scraped IPFS to extract the metadata of unminted Meebits anyway, identifying the most desirable ones.
In this system design, we have updatePreRevealContent, and reveal function. need to not set real nft baseURI before the review.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
https://www.paradigm.xyz/2021/10/a-guide-to-designing-effective-nft-launches#phase-4-metadata-reveal
Tools Used
Recommended Mitigation Steps
Make sure use updatePreRevealContent before reveal nft. Only use reveal after the mint.