Unburnable frozen NFT scams

[zpalmtree]

Hello,

I'm the dev for https://www.sol-incinerator.com, which allows you to burn tokens, and is often used to burn scam NFTs users are sent.

Recently, I've had a few users report they have been sent a token which they cannot burn, and on investigation, it appears that they have been sent these scam NFTs and had the token account frozen in the same transaction.

Since the account is frozen, they cannot burn, close, or transfer the scam NFTs elsewhere.

Surely this is not desired behavior? In this token-2022 pull request, it's mentioned that untransferable scam NFTs should be burnable: https://github.com/solana-labs/solana-program-library/pull/2912

Transaction link where NFT was transferred and frozen: https://explorer.solana.com/tx/TXVSZgYaAcVFo3dsuMUtcnBU6z9gsXE1Dsr1xGfo9r8kAkEKbXDvPkxgtcmmRyBTY7EzDReDKvDR8BJWSaZw44S

Is there any way for me to let my users unfreeze or burn these tokens?

[mvines]

Unfortunately it's not really possible. Looks like it's finally time for wallets to support the ability to hide scam tokens. A good starting point would be for wallets to simply hide all frozen tokens

[21e8]

we should open a door for option to burning tbh, most uses i can imagine with this combo are totally harmful

[21e8]

gonna cite someone else here but:

"With SOL , need to treat wallets like email boxes, need spam filters."

low fee coming in as a disadvantage here

[21e8]

plus, we love to think this just affects wallets, really affects every dapp that loads meta. had antivirus go off at a legit (staking) site for trying to load phishing NFTs, hosted on centralized servers.

[absynthe714]

Cmon, these scam nft's NEED to be transferable to a burn wallet. Re-enable send on these? Or have a seperate send button that you can pick nfts that cant be clicked on, like in the coin section of the wallet. I want these OUT of my wallet. Every scam story I have read has resulted in Phantom/Solana saying that there is nothing that can be done. I betcha if someone transferred millions of solana out of the developers main wallet to another Solana wallet that they would do something. I understand being decentralized, but scam nfts just sitting in your wallet are unacceptable. I would like to be able to get rid of them. I'm not asking to get any stolen funds back, although reported thieves and rugs should be pursued. Just to be able to send a scam nft away. So correct me if I am wrong, but the developers indifference to these scammers and their victims means that this is not a crime, its a job.

[millionsols]

any updates on this issue?

[biccsdev]

we need this feature, frozen scam tokens are very harmful for the ecosystem

[mvines]

Updating the existing SPL Token program for a non-loss-of-funds issue is going to be very difficult to build support for.

Instead if the major wallets can just each take the simple and low-risk step I suggested last June and that'd likely cover the majority of the problem here: https://github.com/solana-labs/solana-program-library/issues/3295#issuecomment-1169485892

[mvines]

@joncinque - just to double check, token-22 has a way to deal with this?

[joncinque]

@mvines no, not this specific issue. If someone sends you a token then freezes it, you still can't do anything with it. You can't burn frozen tokens, and you can't close a frozen account.

[joncinque]

For token-2022, an idea that's been floated is to require more lamports in the account when freezing. For example, the account must have 1 SOL + rent-exemption in order to allow the freeze to go through. This means that the scammer must put up a much more SOL to carry out their scam, without burdening legitimate use-cases of freezing tokens. This will encourage people to use the token-2022 extensions that still leave control to account owners.

[jordaaash]

@joncinque Hmm, would that make legitimate uses of freezing tokens very expensive?

I do want to point out that there's nothing SPL Token-specific about this issue though. It's easy to create an ERC20 token that can't be burnt or transfered at all, including to address(0).

To me, this underlines that this is a problem for wallets and indexers to solve. Not displaying links from unrecognized tokens would go a long way toward avoiding scams.

[joncinque]

@joncinque Hmm, would that make legitimate uses of freezing tokens very expensive?

It definitely could, which is why we would need to tune that number carefully. 1 SOL is probably way too much, but it's an example amount.

To me, this underlines that this is a problem for wallets and indexers to solve. Not displaying links from unrecognized tokens would go a long way toward avoiding scams.

Yeah, that would be amazing!

[Theonlyghost1]

So if iread through the lines, what al the developers basically want is we all only use a burner wallet so if scam get send there (since that is only wallet we use then with connecting to for example lmnft ) if it get filled with frozen crap we just delete the wallet and make a new . So we have to keep making wallets and keep sending good nft's around ??

Just give the option to BURN a FROZEN NFT if there Frozen cause of being staked etc Fine.. But we all want to be able to BURN Crap .... But of course that is my own personal opinion!

[samuelvanderwaal]

So if iread through the lines, what al the developers basically want is we all only use a burner wallet so if scam get send there (since that is only wallet we use then with connecting to for example lmnft ) if it get filled with frozen crap we just delete the wallet and make a new . So we have to keep making wallets and keep sending good nft's around ??

Just give the option to BURN a FROZEN NFT if there Frozen cause of being staked etc Fine.. But we all want to be able to BURN Crap .... But of course that is my own personal opinion!

How do you know, programmatically, on-chain, if it's frozen because of staking or because it's a scam?

[Theonlyghost1]

no-one would burn a NFT that is staked at-least not if they good in there mind We all want to be able to BURN if it is crap So make Frozen still able to be Burned

I assume Since it is programmatically possible to see what payed royalty and it can see if it is staked , then it should be possible programmatically able as well to set it that it can be burned ... perhaps time to make special Burn address so it can be written in it .. making a exception on the frozen to be able to send it specific to that special address . eth got a burn address As we all know (burn is not really burn it just be send to a address that only has a in not a out)

[samuelvanderwaal]

no-one would burn a NFT that is staked at-least not if they good in there mind We all want to be able to BURN if it is crap So make Frozen still able to be Burned

I assume Since it is programmatically possible to see what payed royalty and it can see if it is staked , then it should be possible programmatically able as well to set it that it can be burned ... perhaps time to make special Burn address so it can be written in it .. making a exception on the frozen to be able to send it specific to that special address . eth got a burn address As we all know (burn is not really burn it just be send to a address that only has a in not a out)

Staking isn't the only use-case for freezing. Escrowless lending, for example, would not work at all if an angry user could burn their frozen token when they defaulted on a debt. The whole point of freezing is to prevent a user from being able to perform certain actions, burn being one of them. I get that it's frustrating, but trying to get consensus to change the non-updateable Token Program via a validator runtime update isn't the way to go, IMO.

I'll refrain from further comment here on the Github thread but invite you to ping me on Twitter if you want to discuss the issue and ideas to solve it as it's definitely a major annoyance in the ecosystem. @samvwaal

[faisalridhomp]

Any update how to burn this trash i have nft and token that i can't burn it on my lovely wallet ?

[bayrodi]

still no update?

[buffalojoec]

At this point I think it's clear that we aren't going to change SPL Token (legacy) or SPL Token-2022 to support burning frozen NFTs/tokens. The drawbacks of such a change far outweigh the benefits, considering most wallets now support custom "hide" lists.

I'm going to close this issue unless any other maintainers feel differently.