EIP-5006 and Solana-based wallet hack | Weekly Insights
Fundamental Insights
#1 EIP-5006 is coming but very different!
EIP-5006 is an extension of ERC-1155. It proposes an additional role (user) that can be granted to an address. The user role represents the permission to "use" the NFT, but not to transfer it or to set an operator.
Many NFTs are already managed by adding controller/operator roles. As NFT applications expand further, the management of usage rights is likely to become a more common requirement, so a uniform standard is needed to facilitate collaboration among applications.
Going back to the earlier interpretation of EIP-4907, the role-rental implementation under the 721 standard: its core principle is to attach an additional associated attribute to the core data of the 721 token, i.e. a user for the specified token ID together with an expiration time.
It must be emphasized that EIP-4907 does not cover the calculation of lease revenue or any value measurement for NFT pricing, even if the user can be understood as a lessee or the NFT as lending collateral. Its only mandatory rule is a bug-prevention one: when the owner sells the NFT, the previous user authorization becomes invalid.
Under the 1155 standard a single ID can have more than one owner, so EIP-5006 mirrors the 1155 data structure and adds three additional pieces of data to represent the nested owner/user leasing relationship, recording how many tokens of each NFT ID an address owns or leases.
These four interfaces are provided to manage 1155 lease relationships:
balanceOfUser: query how many tokens of a given NFT ID are leased to a given user
frozenAmountOfOwner: query how many of an owner's tokens of a given NFT ID have been rented out (these are frozen to prevent the same tokens being rented twice)
balanceOfUserFromOwner: query how many tokens of a given NFT ID a given owner has leased to a given user
setUser: for a given owner and NFT ID, set the number of tokens leased to a given user
Although EIP-5006 leads to higher application costs for the owner compared to EIP-4907, it keeps the mandatory rules to a minimum: over-rental is prevented solely through the management of the owner's frozen amount.
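To make the frozen-amount rule concrete, here is an added illustrative contract (not code from the EIP or from this newsletter) that implements the four functions named above on top of OpenZeppelin's ERC1155. The signatures, storage layout and the UpdateUser event are this sketch's own assumptions rather than the EIP's final text, lease expiry is left out to keep the invariant visible, and it assumes OpenZeppelin Contracts 4.x, whose ERC1155 exposes the _beforeTokenTransfer hook.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (ERC1155 with _beforeTokenTransfer).
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

/// Illustrative ERC-1155 rental extension using the four function names the
/// article lists. Signatures and storage layout are this sketch's own choices,
/// not the EIP's final interface; lease expiry is omitted for brevity.
contract RentableERC1155 is ERC1155 {
    // owner => tokenId => user => amount of that owner's tokens leased to user
    mapping(address => mapping(uint256 => mapping(address => uint256))) private _userFromOwner;
    // owner => tokenId => total amount currently rented out and therefore frozen
    mapping(address => mapping(uint256 => uint256)) private _frozen;
    // user => tokenId => total amount leased to user across all owners
    mapping(address => mapping(uint256 => uint256)) private _userBalance;

    event UpdateUser(address indexed owner, address indexed user, uint256 indexed tokenId, uint256 amount);

    constructor() ERC1155("") {}

    // Unrestricted mint for demonstration only; a real contract gates this.
    function mint(address to, uint256 id, uint256 amount) external {
        _mint(to, id, amount, "");
    }

    function balanceOfUser(address user, uint256 tokenId) public view returns (uint256) {
        return _userBalance[user][tokenId];
    }

    function frozenAmountOfOwner(address owner, uint256 tokenId) public view returns (uint256) {
        return _frozen[owner][tokenId];
    }

    function balanceOfUserFromOwner(address user, uint256 tokenId, address owner) public view returns (uint256) {
        return _userFromOwner[owner][tokenId][user];
    }

    /// Lease `amount` of `owner`'s tokens of `tokenId` to `user`, replacing any
    /// earlier lease to the same user. Only the owner or an approved operator may call.
    function setUser(address owner, address user, uint256 tokenId, uint256 amount) external {
        require(owner == msg.sender || isApprovedForAll(owner, msg.sender), "caller is not owner nor approved");
        uint256 previous = _userFromOwner[owner][tokenId][user];
        uint256 newFrozen = _frozen[owner][tokenId] - previous + amount;
        // Over-rental guard: the owner's total rented-out amount may never exceed its balance.
        require(newFrozen <= balanceOf(owner, tokenId), "rental exceeds owner balance");
        _userFromOwner[owner][tokenId][user] = amount;
        _frozen[owner][tokenId] = newFrozen;
        _userBalance[user][tokenId] = _userBalance[user][tokenId] - previous + amount;
        emit UpdateUser(owner, user, tokenId, amount);
    }

    /// Frozen tokens stay with the owner: a transfer or burn may only spend the
    /// unfrozen part of the balance, so an active lease cannot be broken by selling.
    function _beforeTokenTransfer(
        address operator, address from, address to,
        uint256[] memory ids, uint256[] memory amounts, bytes memory data
    ) internal virtual override {
        super._beforeTokenTransfer(operator, from, to, ids, amounts, data);
        if (from == address(0)) return; // minting never reduces a balance
        for (uint256 i = 0; i < ids.length; i++) {
            // _frozen never exceeds balanceOf because every balance decrease passes this hook.
            uint256 unfrozen = balanceOf(from, ids[i]) - _frozen[from][ids[i]];
            require(amounts[i] <= unfrozen, "tokens under lease cannot be transferred");
        }
    }
}
```

The two require statements carry the whole security argument: setUser cannot push frozenAmountOfOwner above balanceOf, and the transfer hook cannot move tokens that are counted in the frozen amount, so the invariant "frozen ≤ balance" holds after every state change. This is the 1155 counterpart of the EIP-4907 rule described above; where 4907 invalidates the user on sale, the frozen amount here keeps leased tokens with the owner until the lease is reduced.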
EIP-5006 further strengthens the separation of ownership and usage rights around the "user-created application" scenario, and clarifies the direction for expanding the application value of NFTs, which should lead to richer gameplay, application scenarios and derivatives.
#2 Solana-based wallet hack saw millions drained: What we know so far
Reviewing the event
The Solana blockchain confirmed the attack in a tweet on Wednesday, saying approximately 8,000 (up from 7,767 earlier) wallets had been affected, with Solana's SOL token and USDC being stolen.
Most were Solana "hot" wallets (those connected to the internet), notably Phantom, Slope, and Trust Wallet. "There is no evidence hardware wallets are impacted," wrote Solana. The value of the assets stolen is not clear, but analysts estimate the losses at as much as $8 million (€7.8 million) in digital coins.
How did this happen?
Crypto security firms share SBF's hunch that the exploit was not the result of a vulnerability in the Solana blockchain itself. Instead, they suspect it was due to a mass compromise of users' private keys, or passwords, by a third party.
Anatoly Yakovenko, cofounder of Solana, thinks the exploit is the result of a "supply chain attack", a type of cyberattack in which an attacker gains access to a victim's account by targeting a third-party vendor.
What does Solana need to reflect on?
Solana touts itself as a faster alternative to the Ethereum blockchain, offering smart contracts—collections of code that execute a set of instructions on-chain—that power non-fungible tokens (NFTs) and various decentralized applications (dApps). In the last year, Solana's cryptocurrency SOL rose to be among the top 10 by market value. However, it hasn't all been peachy for Solana, as we've seen this week and in the recent past. Most notably, the network has experienced multiple outages and periods of downtime, raising concern about its reliability, security and stability.
Solana defenders are quick to point out that fault for the hacks lies with external applications and not the blockchain’s core protocol. This is correct, but also raises the question of why the Solana ecosystem is so vulnerable to these sorts of large scale attacks in the first place. Can’t the community do more to ensure Solana’s infrastructure isn’t riddled with vulnerabilities? Can’t they improve how the protocol interacts with third parties, or do more to promote bug bounties and other security measures? The venture capital influence may also explain some of the shortcomings of Solana, particularly its neglect of security and push for growth at all costs.
Solana also seems different from Blockchain and Ethereum when it comes to maintaining its core protocol. The communities around the latter blockchains are hyper-attentive to every upgrade and potential weakness in their chain’s code. If Solana doesn’t start paying attention to fundamentals, in particular security, it could land in serious trouble.
What should crypto owners do to protect themselves?
While the hacks involved discrete entities, blockchain bridges and hot wallets also underline what many crypto enthusiasts say is so appealing about the form: ease of use. And cold storage, while safer, would seem to undercut what lies at the heart of crypto’s appeal, which is to allow for transfers without the delays and waits of traditional bank transactions. Finding solutions might mean making sacrifices within the goals envisioned by crypto idealists.
“One of the advantages to opening up the banking system this way is the speed and lower barrier to transactions,” said William Callahan III, a former Drug Enforcement Administration special agent who now serves as director of government and strategic affairs for a company called the Blockchain Intelligence Group. “But what these hacks show is we need to take a step back and question that idea of accessibility, since speed is also part of the problem. We need to balance speed with security.”
When will we know more?
Updates will be posted to https://twitter.com/SolanaStatus as they become available.
Weekly Recap
FC Barcelona To Accelerate Web3 Strategy As Socios.com Invests $100m In Barca Studios.
Recent proposal on Aave suggesting that the community votes to pause all Fantom-based markets.
Binance to launch soulbound token for identity verification.