Tips on reading NFT smart contracts (FOMO: NO)
Since the current NFT meta is free mints with no roadmap, here are some quick primers on staying safe with mints and some tips on reading NFT smart contracts.
0x02 Tip 1: always use a burner wallet.
FYI: A burner wallet is a second (temporary) wallet, separate from your primary wallet (vault). It is created the same way as any other wallet but is used for one particular purpose, such as minting NFTs or connecting to an unaudited dApp.
This has been said many times, but use a wallet with minimal ETH and no valuable assets in it. One wrong signature and your 50k ape disappears. On a related note, don't keep your valuable NFTs in a hot wallet; please move them to a hardware wallet.
0x03 Tip 2: mint from a contract whenever possible.
There have been many scams where a project advertises a free mint on its site but swaps the mint button for a signature request that approves transfers of your valuable NFTs. This is how NFTs get stolen quickly.
When you mint from a contract, you’re able to call the exact (mint) function that you want to call. This reduces the chance of you signing something you didn’t intend to. However, this means you’ll need to know how to read contracts at a basic level.
0x04 Tip 3: gain a basic understanding of smart contract code.
The first example we’ll look at is the below contract, which was a free mint a couple of weeks ago:
For context, almost all NFT smart contracts have dependencies. Most of these dependencies are just popular libraries that the contract relies on. Common examples include ERC721A, Ownable, and anything OpenZeppelin.
Because of this, you'll often find a lot of code that is irrelevant to the actual project mint. You'll want to search directly for the mint function. Projects can upload these dependencies to Etherscan as a single file or as multiple files, the former being a bit harder to navigate.
The Goblin contracts were all uploaded as a single file which means you’ll have to ctrl+f a bit.
Here is a multi-file upload that is easier to search through:
For the goblin contract, the mint function is called makingobblin. You can find it by searching for _mint( or _safeMint(. You're also looking for a function without the "onlyOwner" modifier, because that modifier reserves a function for the contract owner.
Once you've found the mint function, you'll want to do your best to determine that there's no malicious code. My general take is that mint functions for free mints should only include require statements, a _mint/_safeMint call, and sometimes a write to a mapping.
The goblin contract meets those requirements; line 1634 is just logging to make sure a user doesn't mint more than allowed.
This contract is even easier to read: the mint function is literally called "mint" (line 43 in WAGDIE.sol). Again, the only things this contract does are run some requires, write to a mapping to log the number of mints (line 48), and call _safeMint.
That was just an intro to reading NFT smart contracts, and it is not a foolproof way of avoiding malicious code, but it gives you some form of protection when deciding to degen a free mint.
We still highly recommend waiting for an expert to confirm the safety of a contract whenever possible, especially if you see code outside of the criteria above. Obviously, with all the free mints going on, this won't always be possible, so use the tools above to guide yourself.
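The search described above (find the function that calls _mint/_safeMint, skip anything with onlyOwner, then check that the body is only requires, a mapping write and the mint call) can be turned into a small script you run over a verified source file before minting. The following is an added example written for this post, not code from the goblin or WAGDIE projects; the two Solidity sources embedded in it are constructed samples, and the statement classification is a regex heuristic that works for flat mint bodies like the ones discussed, not a full Solidity parser.

```python
import re

# Constructed sample source for this example (not the goblin or WAGDIE code).
# CLEAN_SOURCE has a public mint that matches the criteria in the text:
# require statements, one mapping write, one _safeMint call.
CLEAN_SOURCE = """
contract SampleMint is ERC721A, Ownable {
    uint256 public constant MAX_SUPPLY = 10000;
    mapping(address => uint256) public minted;

    function mint(uint256 amount) external {
        require(amount <= 3, "too many");
        require(totalSupply() + amount <= MAX_SUPPLY, "sold out");
        minted[msg.sender] += amount;
        _safeMint(msg.sender, amount);
    }

    // owner-only, so not something the public mints through
    function ownerMint(uint256 amount) external onlyOwner {
        _mint(msg.sender, amount);
    }
}
"""

# Same contract, but the mint also emits an event: harmless, yet outside the
# criteria, so the scanner should surface it for a human to look at.
FLAGGED_SOURCE = CLEAN_SOURCE.replace(
    "_safeMint(msg.sender, amount);",
    "_safeMint(msg.sender, amount);\n        emit Minted(msg.sender, amount);",
)

# function <name>(<params>) <visibility/modifiers> {   (declarations ending in ';' are skipped)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")


def extract_functions(source):
    """Return (name, header_tail, body) for each function. header_tail holds the
    visibility and modifiers; body is the text between the matching braces."""
    funcs = []
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        funcs.append((m.group(1), m.group(3), source[m.end():i - 1]))
    return funcs


ALLOWED = [
    re.compile(r"^require\("),                    # require statements
    re.compile(r"^_safeMint\(|^_mint\("),          # the mint call itself
    re.compile(r"^\w+\[[^\]]+\]\s*(\+=|-=|=)"),    # mapping write, e.g. minted[msg.sender] += n
]


def find_public_mints(source):
    """Functions that call _mint/_safeMint and are not restricted by onlyOwner."""
    return [f for f in extract_functions(source)
            if re.search(r"_safeMint\(|_mint\(", f[2]) and "onlyOwner" not in f[1]]


def unexpected_statements(body):
    """Statements in a mint body that are not a require, the mint call, or a mapping
    write. Splitting on ';' is a heuristic: fine for flat bodies like the ones in
    the text, but a loop or a string containing ';' would need a real parser."""
    statements = [s.strip() for s in body.split(";") if s.strip()]
    return [s for s in statements if not any(p.search(s) for p in ALLOWED)]


def review(source):
    """Map each public mint function to the statements a reviewer should inspect."""
    return {name: unexpected_statements(body)
            for name, _header, body in find_public_mints(source)}


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SOURCE), ("flagged", FLAGGED_SOURCE)):
        print(label, review(src))
```

An empty list for a function means its body stayed inside the criteria; anything listed is not necessarily malicious (an event emission is the usual benign case) but is exactly the "code outside of the criteria" that warrants waiting for someone more experienced.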
0x05 Tip 4: if the contract is unverified on Etherscan, run far away.
Here's an example unverified contract: you'll find that there's no readable code on the Etherscan page.
For a free NFT mint, this almost guarantees something malicious is going on. Unless you know how to read through decompiled bytecode, we highly highly highly recommend not minting. You also won’t be able to mint directly from the contract.
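The verification check, and the single-file versus multi-file distinction from Tip 3, can also be done programmatically from the Etherscan contract source endpoint instead of by eye. Below is an added example written for this post, not code from Etherscan or any project discussed here. The three responses are constructed samples in the shape the `getsourcecode` action returns: an unverified contract has an empty `SourceCode` field, a single-file upload returns the Solidity text directly, and a multi-file (standard JSON input) upload comes back wrapped in an extra pair of braces. The `fetch_source` helper builds the real endpoint URL but is only there for live use; nothing in the example needs network access.

```python
import json
import urllib.request

# Constructed sample responses in the shape of Etherscan's
# module=contract&action=getsourcecode reply (no real addresses or code).
UNVERIFIED_RESPONSE = {
    "status": "1", "message": "OK",
    "result": [{"SourceCode": "", "ABI": "Contract source code not verified", "ContractName": ""}],
}

SINGLE_FILE_RESPONSE = {
    "status": "1", "message": "OK",
    "result": [{"SourceCode": "pragma solidity ^0.8.0;\ncontract A { function mint() external {} }",
                "ABI": "[]", "ContractName": "A"}],
}

# Multi-file uploads are returned as standard JSON input wrapped in '{{ ... }}'.
MULTI_FILE_RESPONSE = {
    "status": "1", "message": "OK",
    "result": [{"SourceCode": '{{"language":"Solidity","sources":{"contracts/B.sol":{"content":"contract B {}"},"@openzeppelin/contracts/access/Ownable.sol":{"content":"contract Ownable {}"}}}}',
                "ABI": "[]", "ContractName": "B"}],
}


def fetch_source(address, api_key):
    """Live lookup (not exercised offline): returns the parsed JSON reply for a contract address."""
    url = ("https://api.etherscan.io/api?module=contract&action=getsourcecode"
           f"&address={address}&apikey={api_key}")
    with urllib.request.urlopen(url) as resp:  # API key is a placeholder you supply
        return json.load(resp)


def is_verified(response):
    """Unverified contracts come back with an empty SourceCode field."""
    return bool(response["result"][0].get("SourceCode"))


def source_files(response):
    """Return {filename: solidity_text}; empty for an unverified contract."""
    entry = response["result"][0]
    raw = entry.get("SourceCode", "")
    if not raw:
        return {}
    if raw.startswith("{{"):
        # Standard JSON input with one extra brace on each side; strip them, then parse.
        standard_json = json.loads(raw[1:-1])
        return {name: f["content"] for name, f in standard_json["sources"].items()}
    if raw.startswith("{"):
        # Older multi-file form: a plain JSON map of filename -> {"content": ...}
        return {name: f["content"] for name, f in json.loads(raw).items()}
    # Single-file upload: the whole source is one string; name it after the contract.
    return {(entry.get("ContractName") or "contract") + ".sol": raw}


if __name__ == "__main__":
    for label, resp in (("unverified", UNVERIFIED_RESPONSE),
                        ("single", SINGLE_FILE_RESPONSE),
                        ("multi", MULTI_FILE_RESPONSE)):
        print(label, is_verified(resp), list(source_files(resp)))
```

When `is_verified` is false there is nothing to read, which is the "run far away" case; when it is true, the dictionary from `source_files` is what you search for `_mint(` / `_safeMint(`, and the multi-file case lets you skip the OpenZeppelin and ERC721A dependency files by name rather than scrolling past them.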
Always use a burner wallet for degen mints. Worst case, you lose a small amount of ETH. When going for mints, try to mint from the contract directly and do your best to understand the code ahead of time. Good luck and don't FOMO.