OpenSea’s ecosystem investments

We’re at the beginning of a brand new internet: NFTs are the consumer entry point to crypto and represent the basic building blocks for the peer-to-peer economies of the future. Our long-term vision is to empower creators and communities of all kinds to achieve economic independence in a new digital economy. While empowerment comes in many forms, we believe that deeper connections and collaboration among the NFT community is crucial.

So today, we’re excited to announce two new community investment programs – Ecosystem Grants and OpenSea Ventures – aimed at supporting the creators, teams, and emerging technologies advancing the global growth of web3 and NFTs.

Introducing OpenSea Ventures

Launched today, OpenSea Ventures is our brand new investment arm supporting the next generation of founders building protocols, companies, teams, and ideas that will power the future of open web3 economies. Led by OpenSea co-founder Alex Atallah, OpenSea Ventures will help the most promising developers and creators realize their visions to grow Web3 through NFTs, decentralized systems, and other novel blockchain uses. OpenSea Ventures will invest across the web3 ecosystem but focus investments across four main themes:

  • The continued shift to a multichain world, both for fungible and non-fungible items
  • Creating and supporting NFT-related protocols
  • Social and gaming projects serving as distribution mechanisms for crypto and NFT elements
  • The emergence of NFT aggregators and analytics supporting activity on OpenSea and other NFT marketplace platforms

As the world’s leading peer-to-peer marketplace for NFTs, we’re excited to back builders who share our vision for the role of NFTs in web3 adoption, and who align with our core operating principles of trust, inclusivity, and choice.

Benefits for portfolio companies

In an effort to advance the future of NFTs, OpenSea Ventures will offer strategic capital, backed by resources and connections across our global partners. Specifically, teams will have:

  • Direct access to OpenSea leadership
  • Access to OpenSea’s most helpful strategic and venture partners, including a16z, Paradigm, Standard Crypto, Animoca Brands, Electric Capital, Alchemy Ventures, A* Capital (Kevin Hartz), 1confirmation, Katie Haun, 3LAU, and more
  • Assistance with NFT security and improving NFT standards, and integration with docs.opensea.io, where appropriate
  • Guest blog posts on opensea.io/blog, where appropriate
  • Connections with leading NFT creators and OpenSea Ecosystem Grant recipients 

We hope that OpenSea Ventures will provide Web3 developers and NFT creators around the world with the resources they need to build new decentralized economies that give creators, developers, and consumers greater freedom and ownership.

…and our ecosystem grants program!

Also introduced today, we’re thrilled to share our new Ecosystem Grants program: aimed at elevating creators, developers, and passionate community members working to enrich and expand the NFT ecosystem. 

We see Ecosystem Grants as a way to kickstart community ideas and provide ongoing financial support to initiatives that we believe have the potential to expand web3 and the NFT universe. In the spirit of our company mission, we look forward to allocating grants across three main categories, which we plan to broaden as we receive community feedback: 

  • Usability and tooling: Improving the user experience of buying, selling and transferring NFTs, as well as tooling that empowers and unlocks creativity for NFT creators.
  • Community Education: Resources and support to onboard and educate new users to make NFTs and web3 more approachable.
  • Accessibility and inclusivity: Creating a space where all individuals have access to the opportunity and promise of NFTs.

Given the range and diversity of eligible projects, funding amounts will vary. We will review and distribute Grants through a rolling selection process, considering project scope and relevance, potential impact, team composition, long-term sustainability, and speed (we’re looking for projects that can be initially executed within at least 2 quarters of receiving the grant). Our ambition is to make the review process as transparent and interactive as possible: we’ll start the program by selecting our review committee, refining our funding criteria, then we’ll introduce opportunities to engage with the committee, meet OpenSea grantees, and shape future categories and challenges.

We’re building toward a future in which creators and communities are empowered to achieve economic independence in a new digital economy. We’re excited to introduce OpenSea Ventures and Ecosystem Grants programs to help us forge deeper, more collaborative relationships with the community of Web3 and NFT builders.

This space moves quickly, and so will we. More to come here soon! In the meantime, if you’re a builder, founder, or creator focused on advancing the NFT and Web3 space, we’d love to meet you. For more information about OpenSea Ventures, click here. To get involved with Ecosystem Grants, apply here.

We look forward to helping advance the NFT ecosystem and building alongside talented community members who share similar dreams.



Wyvern 2.3: Developer Upgrade Guide

Wyvern 2.3 will soon be the new marketplace contract for OpenSea, and is located here.

We will be making some platform changes to go along with the new contract. These changes have implications for developers building on top of the OpenSea.js SDK and our API. The primary takeaways:

  • orders made on OpenSea now require v2 of the SDK to fulfill,
  • new orders will require v2 on February 18th and old orders will stop functioning on February 25th,
  • we’re introducing cursor-based pagination for events on the API, and
  • a few API parameters will be changing.

Read below to learn more about the upgrade and how you might be affected.

About the Upgrade

On February 1, we deployed and proposed the upgrade of OpenSea’s marketplace contract, called Wyvern. OpenSea has leveraged Wyvern to conduct sales of NFTs since March of 2018; since then, it has grown to become the most-used smart contract on Ethereum.

Wyvern was the first smart contract we found with an off-chain order architecture for NFTs. It offered a flexible view for the future of NFT liquidity, including gas-free listings and schema-agnostic transfers, so we used it as our contract. But in the past few years, it started to show some limitations, including the inability to cancel offers in bulk.

Wyvern 2.3 fixes some of these limitations, introducing:

  • EIP-1271: Smart contract wallets can now sign orders and submit them to OpenSea without paying gas. This also enables a host of new apps to work with OpenSea, including Argent, Skyweaver’s Sequence wallet, and many others.
  • Bulk cancellations: You can listen to the new NonceIncremented event yourself to see when a user bulk-cancels orders

Timeline

On February 4, we initiated a mandatory two-week on-chain switchover period to transition to the new contract.

On February 18th, the old contract for Wyvern 2.2 will begin a seven-day shutdown process. Older versions of our SDK will no longer be able to post orders to OpenSea (more on that below).

On February 25th, orders made on the old contract will no longer be fulfillable on-chain, and we will no longer make them available to consumers of our API.

SDK Changes

Today we launched a new version (2.0) of our SDK to take advantage of Wyvern 2.3. While function signatures have not changed, there are a few breaking changes that require an update:

  1. Prior versions of the SDK will continue to function, but orders created using the new SDK (and on opensea.io starting yesterday, Feb 9) will not be fulfillable using the old SDK. An upgrade will be required to match them.
  2. On February 18th, versions of the SDK older than 2.0 will no longer be able to create new orders. OpenSea will not accept them. This new version of the SDK will start automatically signing and submitting orders for Wyvern 2.3.
  3. The Ethereum provider passed into the SDK must support either eth_signTypedData or eth_signTypedData_v4. The SDK will try v4 first and then fall back to the former.

Read more about our SDK here: https://github.com/ProjectOpenSea/opensea-js

API Changes

We’re making three changes to our API: introducing cursor pagination, removing last-sale sorting parameters, and creating a scrollable endpoint to get orders on a single item.

1. Cursors

We will be rolling out an update to one of our API endpoints, the events API, to introduce cursor-based pagination.

We are taking a slow and steady approach of enabling backwards compatibility for a few weeks to transition over and give developers the opportunity to slowly switch.

This means that existing requests won’t suddenly fail; they’ll just stop behaving the way they normally do. We will fully deprecate these fields and you should expect them to no longer work by March 1, 2022.

What changes were made? The /events endpoint will now by default return next and previous cursors, which will be ready-to-use links to the next page in the resulting dataset.

This will lead to significantly faster API response times for you and less intensive APIs for us (and therefore less platform instability!). If you choose to, you will be able to continue using limit, offset, and occurred_after for a period of time in order to not break any existing API calls you might be making now. The occurred_before field will remain to allow you to start your search at a particular point in time.

Eventually, we will deprecate these fields completely. These four fields, which are being used by API users to get the next page of results, will now only be retained for backwards compatibility. The API response for this endpoint will now have two new fields:

{
	"asset_events": [...],  <- existing field with data
	"next_page": "https://api.opensea.io/api/v1/events?cursor=cj0xJnA9MjAyMi0wMi0wMiswMiUzQTQ1JTNBMTIuNjQ3MDM2",  <- new field
	"previous_page": "https://api.opensea.io/api/v1/events?cursor=cD0yMDIyLTAyLTAyKzAxJTNBNDglM0EzNC4xMzE4Nzk%3D"  <- new field
}

When users want to get to the next page, they will need to use the next_page URL as the request endpoint.

Why? This update not only simplifies things for users wanting to get to the next page but also leads to much faster response times. Additionally, you will also not be restricted to a smaller result dataset of 10,000 with this change. This is a design limitation of how offset-based queries work, which is not the case with cursor-based pagination.
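A client-side sketch of the cursor flow described above, written for this guide as an added example and not taken from OpenSea's SDK. It follows next_page links until none is returned and refuses any link that leaves the events endpoint, which matters for a client that attaches its API key to every request. The field names and URLs follow the sample response above; fetchJson, the page cap and the sample pages are assumptions made for illustration.

```javascript
// Added example (not OpenSea's code): walk the events API by following next_page links.
// fetchJson is a hypothetical injected function so the sample runs offline.
const API_ORIGIN = "https://api.opensea.io";
const EVENTS_PATH = "/api/v1/events";

// Validate the link before following it. A link that points anywhere other than
// the events endpoint is rejected rather than fetched with the caller's credentials.
function nextPageUrl(body) {
  const link = body ? body.next_page : undefined;
  if (link === null || link === undefined || link === "") return null; // last page
  if (typeof link !== "string") throw new Error("next_page is not a string");
  const url = new URL(link); // throws on a malformed link
  if (url.origin !== API_ORIGIN || url.pathname !== EVENTS_PATH) {
    throw new Error("refusing to follow next_page to " + url.origin + url.pathname);
  }
  if (!url.searchParams.get("cursor")) throw new Error("next_page carries no cursor");
  return url.toString();
}

// Collect every event, with a page cap and loop detection so a misbehaving
// response cannot keep the client paging forever.
async function collectEvents(fetchJson, startUrl, maxPages = 50) {
  const events = [];
  const visited = new Set();
  let url = startUrl;
  let pages = 0;
  while (url !== null) {
    if (pages++ >= maxPages) throw new Error("page limit reached");
    if (visited.has(url)) throw new Error("cursor loop detected at " + url);
    visited.add(url);
    const body = await fetchJson(url);
    if (!body || !Array.isArray(body.asset_events)) {
      throw new Error("response has no asset_events array");
    }
    events.push(...body.asset_events);
    url = nextPageUrl(body);
  }
  return events;
}

// Constructed sample data: two pages; the cursor values are placeholders.
const START_URL = API_ORIGIN + EVENTS_PATH;
const SAMPLE_PAGES = {
  [START_URL]: {
    asset_events: [{ id: 1 }, { id: 2 }],
    next_page: START_URL + "?cursor=PAGE2",
    previous_page: null,
  },
  [START_URL + "?cursor=PAGE2"]: {
    asset_events: [{ id: 3 }],
    next_page: null,
    previous_page: START_URL + "?cursor=PAGE1",
  },
};

// Stand-in for a real HTTP call: serves the constructed pages above.
async function sampleFetchJson(url) {
  if (!(url in SAMPLE_PAGES)) throw new Error("unexpected URL " + url);
  return SAMPLE_PAGES[url];
}
```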

We are focused on improving operational excellence; this will improve the experience for our users, leading to improved performance and reliability.

We plan on eventually rolling out cursor pagination to all our list endpoints. You can read more about the advantages of cursor pagination here.

2. Removing Last-Sale Sorting

What: We are deprecating and eventually removing sale_date, sale_count, and sale_price as sort options from /assets

👉🏽 https://docs.opensea.io/reference/getting-assets

Why: A very small percent of requests for the /assets/ endpoint use these as sorting options. However, they lead to some of the slowest and least efficient queries on our platform. This leads to a poorly optimized OpenSea.

In the near future, we will be rolling out cursor pagination to the /assets endpoint, which means these ordering options will not work.

In the long run, this will lead to an enhanced developer experience with improved API requests, and a more reliable platform. We will evaluate re-introducing the ability to fetch assets ordered by these options in the future.

Developer Action: If you are currently relying on sale_date, sale_count, and sale_price as sort options from /assets for your API requests you will need to update your logic to stop relying on them. For now, you may continue using these ordering options, but eventually requests with these ordering inputs will fail.

3. New Orders Endpoint for Items

What: We are rolling out a new endpoint for fetching the open orders on an asset /asset/:contract_address/:token_id/orders, and eventually deprecating and removing orders returned in the /asset/:contract_address/:token_id and the /assets endpoint

Edit: Instead of a single endpoint for orders, we’ve rolled out two separate endpoints to fetch listings (/asset/:contract_address/:token_id/listings) and offers (/asset/:contract_address/:token_id/offers).

Why: Returning detailed asset information including a full list of orders has led to underperforming APIs on our platform.

This resulted in reduced platform performance as a whole, and we are working to improve OpenSea’s reliability. You will still be able to access the same data from an optimized dedicated endpoint.

The orders returned for each asset were also limited to 50 orders per asset. There is currently no way to fetch additional pages of these orders, leading to a less than ideal experience for developers. The new orders endpoint will have cursor pagination enabled, meaning that you will be able to see greater than 50 open orders for an asset.

Developer Action: In the coming weeks, we will slowly be rolling out the new /asset/:contract_address/:token_id/orders endpoint. If you rely on the /asset/:contract_address/:token_id endpoint for finding all the orders for an asset, we recommend you prepare to move your logic to call the new endpoint.

We will continue returning orders on the original /asset/:contract_address/:token_id endpoint until March 1st.  After this date, we will only return orders on that endpoint if you also pass in include_orders=true as a query parameter to the original endpoint. After March 21st, we will stop returning orders altogether on the /asset/:contract_address/:token_id endpoint. At that point, the only way to fetch those orders will be with the new /asset/:contract_address/:token_id/orders endpoint.

Reminder About API Keys

To request an API Key, please visit https://docs.opensea.io/reference/request-an-api-key 

We’ve listened to our community and understand that speed matters, and we are committed to a five-day processing of all API Key requests. For API updates, follow us on Twitter @APIOpenSea and join our Developer Discord Channel

Coming Soon

In addition to the new features from Wyvern 2.3, the new SDK lays the tracks for allowing users and developers to create orders with advanced criteria. Stay tuned for some exciting updates on the types of orders you can create!

Note: a consequence of this change is that orders created on Wyvern 2.2 and 2.3 have their target set to a special new validator contract and will proxy matches through it.

Check out our docs for some interesting tips and tutorials that leverage the SDK and our free API for NFTs: https://docs.opensea.io/. We added a new tutorial for creating your own NFT smart contract, usable on any marketplace.

We’ll be around in the #developers channel in our Discord to help with the migration.


Important updates for listing and delisting your NFTs

One of the most challenging things about building in the crypto space is that we’re constantly learning about novel and unexpected edge cases for which there are not clear, established product solutions. One such issue has garnered a lot of attention from the community over the past several weeks: when a user transfers an NFT out of a wallet (“Wallet 0xABC123”) while a listing is active, that listing is not automatically canceled–and if the user transfers the NFT back into Wallet 0xABC123, that listing will still be active. In some cases, that listing may now be for an amount below the current floor price for NFTs in that collection.

This issue has been discussed as an “exploit” or a “bug,” but the reality is that it’s a fundamental feature of blockchain marketplaces: only the person who lists an item for sale can cancel that listing (i.e. OpenSea cannot cancel a listing on behalf of any user). This is, in many instances, a very good thing and an important aspect of what makes web3 special: your NFTs are completely in your control. 

There is a shared responsibility in the NFT community to educate newcomers to the benefits — and unique pitfalls — that come with interacting with blockchains. But as early members of the NFT space, we have a disproportionate share of that responsibility, and hold our product to a higher standard than most. We wish we had been clearer and more proactive in educating users on the risks of leaving orders uncancelled before transferring an NFT.

As soon as we became aware of this issue earlier this month, our product team identified and began building a number of improvements to help users avoid it. Over the past two weeks we have:

1. Changed the default listing duration on our site from 6 months to 1 month to limit the number of listings that remain active long after they’re relevant.


2. Built a dashboard into the user profile where a user can see all of their listings and cancel any that are no longer relevant.


3. Created an alert to flag when a user transfers an NFT out of their wallet that has an active listing associated with it, so they are made aware and can cancel the listing upon transferring the item.
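The check behind the third item can be sketched as follows. This is an added example, not OpenSea's implementation: given a wallet's listings and the transfer history of the listed tokens, it reports listings that are still open although the token has left the maker's wallet since the listing was created, and separates those that became fillable again because the token came back. The record shapes, field names, addresses and day-number timestamps are constructed for illustration.

```javascript
// Added example (not OpenSea's code): find listings that outlived a transfer.
const tokenKey = (x) => x.contract.toLowerCase() + ":" + String(x.tokenId);

function findStaleListings(listings, transfers, now) {
  // Group the transfers seen so far per token, oldest first.
  const history = new Map();
  const past = transfers.filter((t) => t.at <= now).sort((a, b) => a.at - b.at);
  for (const t of past) {
    const k = tokenKey(t);
    if (!history.has(k)) history.set(k, []);
    history.get(k).push(t);
  }

  const findings = [];
  for (const l of listings) {
    // Cancelled or expired listings can no longer be filled.
    if (l.cancelledAt !== null || l.expiresAt <= now) continue;
    const maker = l.maker.toLowerCase();
    const moves = history.get(tokenKey(l)) || [];
    // Did the token leave the maker's wallet after the listing was signed?
    const left = moves.some((t) => t.at > l.createdAt && t.from.toLowerCase() === maker);
    if (!left) continue;
    const owner = moves[moves.length - 1].to.toLowerCase();
    findings.push({
      id: l.id,
      // "rearmed": the token is back with the maker, so the old price is live again.
      // "dormant": the token is elsewhere, the listing reactivates if it returns.
      state: owner === maker ? "rearmed" : "dormant",
      daysLeft: l.expiresAt - now,
    });
  }
  return findings;
}

// Constructed sample data. Times are day numbers; addresses are placeholders.
const MAKER = "0xABC123"; // the example wallet named in the text above
const OTHER = "0xDEF456"; // constructed
const NFT = "0xC0FFEE";   // constructed contract placeholder
const SAMPLE_LISTINGS = [
  { id: "A", maker: MAKER, contract: NFT, tokenId: 1, createdAt: 10, expiresAt: 190, cancelledAt: null },
  { id: "B", maker: MAKER, contract: NFT, tokenId: 2, createdAt: 10, expiresAt: 190, cancelledAt: null },
  { id: "C", maker: MAKER, contract: NFT, tokenId: 3, createdAt: 10, expiresAt: 190, cancelledAt: 15 },
  { id: "D", maker: MAKER, contract: NFT, tokenId: 4, createdAt: 10, expiresAt: 190, cancelledAt: null },
  // One-month listing: it expires before the token returns.
  { id: "E", maker: MAKER, contract: NFT, tokenId: 5, createdAt: 10, expiresAt: 40, cancelledAt: null },
];
const SAMPLE_TRANSFERS = [
  { contract: NFT, tokenId: 1, from: MAKER, to: OTHER, at: 20 },
  { contract: NFT, tokenId: 1, from: OTHER, to: MAKER, at: 60 },
  { contract: NFT, tokenId: 2, from: MAKER, to: OTHER, at: 20 },
  { contract: NFT, tokenId: 3, from: MAKER, to: OTHER, at: 20 },
  { contract: NFT, tokenId: 3, from: OTHER, to: MAKER, at: 60 },
  { contract: NFT, tokenId: 5, from: MAKER, to: OTHER, at: 20 },
  { contract: NFT, tokenId: 5, from: OTHER, to: MAKER, at: 60 },
];
```

With the sample data evaluated at day 70, listing A is reported as rearmed and B as dormant, while C (cancelled), D (never transferred) and E (expired under the shorter duration) are not reported.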

Our support team has also been working tirelessly to reach out to affected users and reimburse them until our product experience can make this risk clearer. We understand the community’s frustration that we haven’t been more public in our communication on this topic. Simply put, we were concerned that the more attention we drew to this mechanism, the more it could be abused by bad actors. As a result we focused our efforts on reaching out 1:1 with affected users rather than announcing this news more broadly.

It is a huge responsibility to help create standards for a new space, and it’s one we take very seriously. We’ll continue to work to live up to the high bar our community sets for us, and to find ways to make it right when we fall short.



Introducing the NFT Security Group

Last year, the world woke up to NFTs: the first digital product standard that is platform agnostic. They represent the basic building blocks for brand new peer-to-peer economies, giving more freedom, portability and ownership over digital goods, and allowing developers to build powerful, interoperable applications that provide real economic value and utility to users across all blockchain-enabled platforms. They introduce a brand new, exciting surface area through which consumers, creators, developers, brands and communities can interact – and with that comes a responsibility for the platforms enabling it to keep consumers safe.

Today, consumers are expected to have significant knowledge and blockchain background in order to onboard and participate safely. Many platforms building on top of web3 are dis-intermediating themselves from the property, controls, and responsibilities expected of their users, and no one (including OpenSea) yet has all the right tools in place to help consumers navigate the complexities of NFT security independently. 

We believe the security implications of web3 extend across platforms, and that the inevitable trend toward dis-intermediation comes with security implications and responsibilities for everyone involved. Simply put: more collaboration in this space is required to tackle security and safety challenges at the highest level, which is why we’re announcing the creation of a private NFT Security Group.

Originally announced at NFT.NYC, the NFT Security Group began modestly by gauging interest and inviting other companies in the space. We plan to extend invitations to others collaboratively. Current participation includes:

  1. Adobe
  2. Alchemy
  3. Arweave
  4. Bitski
  5. Blockade Games
  6. Coinbase
  7. Foundation
  8. Horizon Blockchain Games
  9. Immunefi
  10. Protocol Labs (IPFS)
  11. KnownOrigin
  12. Ledger
  13. MakersPlace
  14. Manifold
  15. MetaMask
  16. Nifty Gateway
  17. OpenSea
  18. Polygon
  19. Rarible
  20. Showtime
  21. SuperRare
  22. WalletConnect
  23. Zora
  24. 0x

Let’s discuss the purpose of the group, the kinds of issues that members will discuss, and how you can get involved.

Goals of the NFT Security Group

To start out, this group will be proactive, community-driven, close-hold – and most importantly, focused on cross-platform safety:

  • Proactive: Members should expect to share and learn about vulnerability reports that have not yet been publicly announced, or that have yet to impact their respective user base. That way, they can focus on fixing impending problems before they happen, as opposed to just reflecting backwards. 
  • Community-driven: Members of this group should submit vulnerabilities and fix specs early, when they are reported and understood, and even before a fix is launched. We will help identify the clearest opportunities to be proactive and drive impact.
  • Close-hold: This will be a private working group that maintains strict confidentiality principles. Members should expect confidentiality from others in the group, and membership is restricted to dedicated Security teams from each member project. This goal requires the group to be invite-only.
  • Focused on cross-platform safety: Most importantly, this security council aims to safeguard users universally by spreading awareness and fixes to other companies and ecosystems in good faith.

Membership in this group requires an invitation from the committee, and a commitment to the shared goal of collective improvement to drive mainstream adoption. We seek to have impact through collaboration and accountability, and we understand that consumers will always have many options when choosing their NFT and web3 platforms. Vulnerabilities across specific platforms will persist and impact the industry, unless we can tackle them together.

Security Group Topics

From what we’ve seen to date, NFT security can be broken down into five main buckets:

  • Blockchain consensus security: Is the chain secure at a foundational level? Are transactions forgeable? Are forks dangerous for consumers? How likely is a denial-of-service attack?
  • Smart contract security: Are the programs that manage token ownership and metadata secure? Do they do what they claim and only what they claim? How much do they rely on a central wallet authority for administration?
  • Wallet security: Are the extensions or libraries for interacting with wallets resistant to exploits? Are the user interfaces prone to phishing attacks or other forms of deception? Are the programs behind smart contract wallets secure?
  • Metadata security: Are the images, animations, traits, and other metadata for an NFT safe to display to all users? Are they deceptive? Are they resistant to the potential compromise of any third party systems?
  • Interoperability: This is a more future-oriented sector, since we haven’t seen much interoperability in the space but expect more to come. When one project incorporates another’s NFTs, are users aware of the implications? Are they able to grant consent to cross-project NFT actions, where appropriate?

For many of these sectors, proper user education and UX guidance will be critical. We still operate in a paradigm of company-owned digital goods, and most people do not understand that companies like OpenSea cannot move their items for them, or that another company can interact with their listings and items just like OpenSea can. We will need others’ help to push the new paradigm forward.

How you can get involved

To help members feel comfortable disclosing as many vulnerabilities as possible up front, membership in this group will be invite-only for now. Members will have the opportunity to vote on and collectively extend invitations to new members.

However, there are several ways that individual security contributors can assist:

In the new year, we will also ramp up the security content we publish here on our blog. We are at the forefront of a new and more powerful web. We welcome the best minds in security to join us.


OpenSea’s bug bounty program

At OpenSea, we’re on a mission to build the world’s most trusted and inclusive NFT marketplace – and a key aspect of “trust” implies knowing and understanding our technical vulnerabilities, so we can anticipate and prevent attacks from ever happening in the first place.  Luckily for us, OpenSea has a vibrant community of passionate and highly skilled users who we’ve partnered with to develop OpenSea’s Bug Bounty Program! 

This program has existed informally for some time, and we brought on HackerOne in October 2021 to help us formalize it. Today, with our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on OpenSea. As we scale the program, we’re focused on empowering our community members to identify and flag any security vulnerabilities so the OpenSea team can act quickly to review and patch improvements to our site.

Since its launch, OpenSea’s Bug Bounty program has allowed us to quickly address vulnerabilities, improve our defenses, and help keep our platform secure alongside our own teams’ efforts. Engagement has been tremendous – and since May of 2020, we’ve resolved and paid bounty for more than 25 proven vulnerability reports.

How it Works

In exchange for vulnerability reports, we will be providing rewards in a tiered model based on the severity of the issue reported. The bounties range between $500 and $50,000, depending on the severity of the vulnerability and impact. All bounties are subject to be paid out at higher rates at the discretion of the OpenSea team depending on severity of the reported vulnerability.

When we receive a report, we commit to responding to and triaging new bug bounty submissions in less than 4 days, issuing bounties for confirmed vulnerabilities in less than 25 days, and resolving any proven vulnerabilities as quickly as possible.

OpenSea is committed to a true partnership with the community to find and resolve any vulnerabilities that might exist on our platform. Every report will be reviewed by a security expert and responded to in a timely fashion – we deeply appreciate the effort and vigilance of those who contribute! You can find more about the bug bounty policy and how to report issues at OpenSea’s HackerOne page: https://hackerone.com/opensea


OpenSea collaborates with Check Point Research to improve NFT security

We recently pledged to increase transparency and community education around security matters that could impact OpenSea and its users. If you haven’t read our first blog post in the series, we encourage you to check it out. 

A vulnerability was brought to our attention that reinforces how important it is to stay informed and follow security best practices while navigating the NFT space–or anywhere online. Thanks to Check Point Research (CPR) and our own independent efforts, the vulnerability was patched and there are no known victims. 

However, this presents an opportunity for our team and our community to learn, so let’s talk about what happened.  

What was the vulnerability and how did OpenSea find out about it?  

CPR chose to look into OpenSea after users reported falling victim to attacks triggered by malicious NFTs. While these reported attacks ultimately did not leverage a vulnerability within OpenSea, the investigation led to the discovery of a security flaw in our platform that, if exploited, could have led to users approving malicious transactions. It’s important to note that, had an attacker attempted to take advantage of this flaw, the end-user would have needed to approve the malicious transaction through a wallet signature.

Here’s what a theoretical attack using the vulnerability would have looked like:

  • A hacker creates and transfers a malicious gift NFT, which includes an SVG file, to a target victim. For context, an SVG (Scalable Vector Graphics) is a type of image on the web that can be interactive and run scripts.  
  • The victim right-clicks the image from the malicious NFT and opens it in a new tab or window, which triggers a pop-up from a third-party wallet provider from the OpenSea storage domain (i.e. storage.opensea.io) requesting a connection to the victim’s third-party wallet. This is an abnormal event because third-party images on OpenSea do not result in a request for a wallet connection.
  • The victim then can choose to click to connect their third-party wallet.  
  • If the victim connects their wallet, the victim will then be presented with a final pop-up (depicted further below in this blog) asking the victim to sign a transaction that will transfer items or funds to the attacker. An informed user may recognize the threat and mitigate it by rejecting the transaction, instead of signing it.
  • However, if the victim had not recognized the threat and performed the above actions, the end result is the potential theft of items in the user’s wallet.  

CPR disclosed its findings to OpenSea on Sunday, September 26, 2021, and we’re thankful for their swift and collaborative action. OpenSea fixed the vulnerability within an hour of receiving CPR’s findings. We additionally collaborated with Jay Niffley, an independent security researcher, who reported a related vulnerability to the storage.opensea.io domain.

In total, we analyzed over 73 million objects, 4.4 million SVG files, finding only 77 that were potentially related to the vulnerability and confirming they were not malicious. We shared these 77 SVG files that had characteristics of the vulnerability from our storage domain with CPR and all vulnerability vectors were confirmed closed by CPR.  
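A triage pass of the kind described above can be sketched as a scanner that flags SVG files containing script-capable constructs for manual review. This is an added example, not the tooling OpenSea or CPR used; the rule set, rule ids and sample files are constructed, and the patterns are heuristics whose hits should be confirmed with a real XML parser.

```javascript
// Added example (not OpenSea's or CPR's tooling): heuristic triage of stored SVG
// files for content that a browser could execute when the file is opened directly.
const SVG_RULES = [
  // <script> elements, with or without a namespace prefix
  { id: "script-element", re: /<\s*(?:[\w-]+:)?script[\s>\/]/i },
  // inline event handler attributes such as onload= or onclick=
  { id: "event-handler", re: /[\s"'\/]on[a-z]+\s*=/i },
  // href or xlink:href values using the javascript: scheme
  { id: "javascript-uri", re: /href\s*=\s*["']?\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/i },
  // foreignObject can embed arbitrary HTML inside the image
  { id: "foreign-object", re: /<\s*(?:[\w-]+:)?foreignObject[\s>\/]/i },
];

// Resolve numeric character references first, so an encoded attribute value is
// matched in the form the browser will actually interpret.
function decodeCharRefs(text) {
  return text.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, ref) => {
    const isHex = ref[0] === "x" || ref[0] === "X";
    const codePoint = isHex ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return codePoint > 0 && codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : "";
  });
}

// Return the ids of every rule the file trips; an empty array means no hit.
function scanSvg(text) {
  const decoded = decodeCharRefs(text);
  return SVG_RULES.filter((rule) => rule.re.test(decoded)).map((rule) => rule.id);
}

// Reduce a batch of files to the ones that need a closer look.
function triageSvgFiles(files) {
  return files
    .map((file) => ({ name: file.name, findings: scanSvg(file.text) }))
    .filter((result) => result.findings.length > 0);
}

// Constructed sample files; the active parts are inert placeholders.
const SAMPLE_SVGS = [
  { name: "plain.svg",
    text: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>' },
  { name: "script.svg",
    text: '<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert placeholder */</script></svg>' },
  { name: "handler.svg",
    text: '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect width="1" height="1"/></svg>' },
  { name: "encoded-link.svg",
    text: '<svg xmlns="http://www.w3.org/2000/svg"><a href="java&#115;cript:void(0)"><text y="9">x</text></a></svg>' },
];
```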

Did OpenSea fix it?  

In less than an hour of disclosure, we fixed the issue and verified the fix was effective. CPR worked closely and collaboratively with us to ensure the fix worked correctly. 

We also worked diligently to analyze relevant reports from OpenSea users who indicated they might have been exploited by a malicious NFT. However, we have yet to identify a single instance where a malicious file was leveraged. 

What can users do to protect against these types of threats? 

While signing wallet actions is required to take certain actions on OpenSea, you should always be careful when receiving requests to sign a transaction with your wallet online. Before you approve a request for your signature, you should carefully review what is being requested and consider whether or not the request is abnormal or suspicious. If you have any doubts, you should reject the request. 

For example, in the signature screen below, you can examine who the transaction is between (“USER” and “ATTACKER” would instead have wallet addresses of the relevant parties), what action will be taken, and what the cost (if applicable) of the action will be. If you do not recognize the transaction, then it is important to reject the requested transaction.  

Screenshot of a malicious NFT created by CPR prompting a user to complete a transaction

Additionally, you should check if the signature request correlates with an expected action. In this theoretical attack, the user is asked to connect their wallet and then sign the transaction after opening an image from a third party in a new tab. This is unexpected behavior on OpenSea since it is not correlated to services provided by OpenSea, such as buying an item, making an offer, or favoriting an item.

Users should note that OpenSea does not request wallet signatures for viewing or clicking third-party photos or links. Such activity is highly suspicious and users should not sign transactions that are unrelated to the specific actions on OpenSea listed above. 

What happens now? 

To help promote platform safety as we scale, OpenSea has been doubling down on community education around security best practices. This disclosure and post-mortem is the latest post in a series highlighting safety tips and developments in the NFT space. 

Whether you are new to the blockchain world and absorbing this information for the first time, or an old salt using this as a refresher course, our goal with this content is to empower the community to detect, mitigate and report attacks in the blockchain ecosystem.



Decentralizing NFT metadata on OpenSea

An NFT is a unique token with decentralized ownership. The answer to the question “who owns this token?” is stored and tracked on many different computers simultaneously, preventing unauthorized changes to its possession.

But the media attachments and properties associated with NFTs (collectively called “NFT metadata”) have not been consistently decentralized due to the gas costs associated with storing and modifying data directly on smart contracts. Without decentralization, collectors can’t count on the integrity and immutability of a token’s metadata.

OpenSea has supported NFTs with decentralized metadata since we launched in 2017. Today, we’re announcing the ability for creators to decentralize their metadata using the Interplanetary File System (IPFS) and Filecoin when creating on the platform. We’re also providing a way for collectors to see when the metadata for an NFT is immutable or not, further augmenting the toolkit that OpenSea collectors have at their disposal when valuing NFTs.

Keep reading for info on how it all works and why decentralizing metadata matters, and check out our help center tutorial if you want to learn how to decentralize your OpenSea-made NFTs.


Decentralized vs frozen metadata


If you aren’t familiar with NFT metadata, the overview in our ever-popular NFT Bible is worth a read; otherwise, here’s a look at the technical details.

For Ethereum-based tokens, the smart contract that governs an NFT usually specifies the location of the metadata using a function:

  • For the ERC721 standard: `function tokenURI(uint256 _tokenId) external view returns (string memory)`

  • For the ERC1155 standard: `function uri(uint256 _id) external view returns (string memory)`

The value returned by this function is often a URL in Google Cloud, Amazon Web Services, or some other form of centralized storage that can go offline or be mutated by the developer.

This is in contrast with decentralized storage solutions like IPFS, Filecoin and Arweave, which replicate metadata across storage nodes in a decentralized network.

Centralized storage is subject to two weaknesses:

  1. Impermanence: The server can go down or offline, making it hard to find the image (unless it was mirrored by an NFT index like OpenSea).

  2. Mutability: The developer can modify the image to something a collector does not expect.

There are four types of metadata storage for NFTs. Here’s a handy grid:

The concept of “frozenness” is distinct from centralization. Even when they are stored in a decentralized manner, it’s often still possible for the creator to make a transaction and change the metadata associated with an NFT. We call NFTs that have unchangeable metadata “frozen”.

Without better visibility on which NFTs are frozen and which are not, collectors can’t know if what they’re buying will be the same in 1, 10, or 100 years.

Not all NFTs fit cleanly into just one quadrant. Let’s go through them with some examples:

  1. Centralized: Most NFTs have a function on their smart contract to return the metadata associated with a particular token identifier. The result is often a URL on a web server run by the developer (e.g. example.com/nft/2). When the properties and media of an NFT are all controlled by a server like this, the NFT is centralized, and will be subject to impermanence and mutability problems.

  2. Centralized and verifiable: One of the earliest NFTs, CryptoPunks by Larva Labs, stores its images in a centralized server. However, the smart contract stores the hash of this image. This means that while CryptoPunks may be subject to impermanence, any modification to its images can be checked against this hash, so we can “verify” if a CryptoPunk image is original or modified.

    Other projects, like CryptoKitties (API docs), have variations of this system, such as storing NFT traits on-chain but renderings of the traits in a centralized server. In this variation, the images can be modified, but the kitty “genes” and rarity information cannot.

  3. Decentralized: Instead of storing metadata in a central server, developers have the option to store it directly in the smart contract or in a file-friendly decentralized network. Two of the best options are IPFS with Filecoin and Arweave.

    Arweave requires miners to refer to data that was previously stored, similar to a blockchain (called their “blockweave”). IPFS allows peers to store, request, and transfer verifiable data with each other, and can be used with Filecoin to incentivize miners to continue storing data persistently with verifiable proofs.

    An example of this kind of project is Bored Ape Yacht Club. The metadata is stored in IPFS, though the root URI used for IPFS is changeable by the contract owner.

  4. Decentralized and frozen: It’s tricky to know when an NFT’s metadata is frozen or not, as there are usually multiple ways of changing it. This is a manual process, but OpenSea now shows when NFTs made on OpenSea have been frozen and when many NFTs outside of OpenSea are immutable as well:


    Clicking “Frozen” above takes you to the decentralized URI for the item if it’s on a file storage network, supporting IPFS and Arweave (including `ipfs://` and `ar://` URLs).

    Some examples of decentralized and frozen projects include:

      • SuperRare (IPFS)
      • Sandbox (IPFS)
      • Uniswap (on-chain)
      • 1111 by Kevin Abosch (Arweave)

Note: some projects store their metadata directly in the smart contract. For example, a different project by Larva Labs, Autoglyphs, returns character art directly from the contract, and was the first NFT to do so. It does not depend on any other system aside from Ethereum to render the image, so we call it decentralized, on-chain, and (in this case) frozen.
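The storage types described above, as an added Python example that is not OpenSea's code: it classifies the string a contract returns from `tokenURI`/`uri` and performs the hash comparison behind "centralized and verifiable". The SHA-256 choice, the `/ipfs/<cid>` gateway path rule, the function names and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Schemes the page names as decentralized file-storage URIs.
DECENTRALIZED_SCHEMES = {"ipfs", "ar"}


def classify_token_uri(uri: str) -> str:
    """Say where the metadata behind a tokenURI()/uri() return value lives."""
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme
    if scheme == "data":
        return "on-chain"            # payload is carried in the contract's return value
    if scheme in DECENTRALIZED_SCHEMES:
        return "decentralized"
    if scheme in ("http", "https"):
        # https://<host>/ipfs/<cid>/... names content by hash, but this one
        # host can still go offline (assumed gateway path convention).
        segments = [s for s in parsed.path.split("/") if s]
        if len(segments) >= 2 and segments[0] == "ipfs":
            return "decentralized-via-gateway"
        return "centralized"
    return "unknown"


def quadrant(uri: str, frozen: bool = False, hash_on_chain: bool = False) -> str:
    """Map a token to one of the page's four storage types."""
    storage = classify_token_uri(uri)
    if storage in ("on-chain", "decentralized", "decentralized-via-gateway"):
        return "decentralized and frozen" if frozen else "decentralized"
    # Centralized or unrecognized hosting: the server can still swap the file,
    # so only an on-chain hash makes later edits detectable.
    return "centralized and verifiable" if hash_on_chain else "centralized"


def matches_onchain_hash(media: bytes, onchain_hash_hex: str) -> bool:
    """Check downloaded media against a hash read from the contract (SHA-256 assumed)."""
    expected = onchain_hash_hex.lower()
    if expected.startswith("0x"):
        expected = expected[2:]
    actual = hashlib.sha256(media).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data, not taken from any real collection.
SAMPLE_MEDIA = b"constructed image bytes"
SAMPLE_HASH = "0x" + hashlib.sha256(SAMPLE_MEDIA).hexdigest()
SAMPLE_URIS = [
    "https://example.com/nft/2",
    "ipfs://bafyconstructedcid/2.json",
    "ar://constructed-tx-id",
    "https://gateway.example/ipfs/bafyconstructedcid/2.json",
    "data:application/json;base64,e30=",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{classify_token_uri(u):26} {u}")
    print(matches_onchain_hash(SAMPLE_MEDIA, SAMPLE_HASH))         # untouched media
    print(matches_onchain_hash(SAMPLE_MEDIA + b"!", SAMPLE_HASH))  # modified media
```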

There are benefits and drawbacks to all four approaches. But it’s helpful for collectors to know more about NFT implementation when making value-based decisions. That’s why we’re introducing a new event type to augment the ERC1155 and ERC721 standards so that developers can tell platforms like OpenSea when they intend to mark a specific NFT as “frozen”.


Permanent URIs


To solve the tension between frozen and unfrozen metadata, this new event will tell OpenSea to register a URI change as a “permanent” one, called PermanentURI. Here’s the event signature:

event PermanentURI(string _value, uint256 indexed _id);

After a PermanentURI event is emitted by an NFT smart contract, no one should be allowed to change the URI for the specific token ID again. More information is available in our docs. Like most standards in crypto, this is an ongoing development and subject to change based on community feedback.
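One way an indexer could hold contracts to that rule, as an added Python example (not OpenSea's implementation): it replays decoded `URI` logs (the standard ERC-1155 event) and `PermanentURI` logs in chain order and reports anything that contradicts or weakens a freeze. The `UriLog` shape, the finding strings and the sample logs are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UriLog:
    block: int
    log_index: int
    event: str      # "URI" (ERC-1155 standard event) or "PermanentURI" (from the page)
    token_id: int
    value: str


def audit_permanent_uri(logs):
    """Replay decoded logs in chain order.

    Returns (frozen, findings): frozen maps token_id -> permanent URI, findings
    lists (token_id, block, reason) for every log that contradicts or weakens a freeze.
    """
    frozen = {}
    findings = []
    for log in sorted(logs, key=lambda entry: (entry.block, entry.log_index)):
        pinned = frozen.get(log.token_id)
        if log.event == "PermanentURI":
            if pinned is None:
                frozen[log.token_id] = log.value
                # A freeze only helps if the frozen URI itself cannot change.
                if not log.value.startswith(("ipfs://", "ar://", "data:")):
                    findings.append((log.token_id, log.block,
                                     "frozen to a URI outside ipfs://, ar:// or data:"))
            elif log.value != pinned:
                findings.append((log.token_id, log.block,
                                 "second PermanentURI with a different value"))
        elif log.event == "URI" and pinned is not None and log.value != pinned:
            findings.append((log.token_id, log.block,
                             "URI changed after PermanentURI"))
    return frozen, findings


# Constructed logs for one hypothetical contract, deliberately out of order.
SAMPLE_LOGS = [
    UriLog(120, 0, "URI", 7, "https://example.com/nft/7"),
    UriLog(100, 3, "URI", 1, "https://example.com/nft/1"),
    UriLog(110, 1, "PermanentURI", 1, "ipfs://bafyconstructed/1.json"),
    UriLog(110, 0, "URI", 1, "ipfs://bafyconstructed/1.json"),
    UriLog(130, 2, "URI", 1, "https://example.com/nft/1-v2"),
    UriLog(140, 0, "PermanentURI", 7, "https://example.com/nft/7"),
]

if __name__ == "__main__":
    frozen_tokens, problems = audit_permanent_uri(SAMPLE_LOGS)
    print(frozen_tokens)
    for problem in problems:
        print(problem)
```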


Freezing NFTs on OpenSea


In December 2020, we launched a gas-free NFT creator to drastically reduce the barriers to entry for artists looking to sell their work on the blockchain. At the time, we added pre-emptive support for metadata freezing to the smart contract, meaning creators can now freeze the metadata for any unsold tokens in collections they’ve made over the last six months.

To get started, head to your collection’s “Edit” page and press the pencil icon in the top right corner of one of your NFTs (you can find them under the search bar below the “Add New Item” button). Click the Freeze Metadata toggle, and you’ll see a window pop up, as shown below. Tick the box if you’re happy to proceed, then click Submit Transaction. While OpenSea doesn’t charge anything, you’ll need to pay a gas fee to save the new metadata URL to the smart contract:

Once you freeze an NFT, you cannot unfreeze it or change its metadata. It will be available for as long as Ethereum and Filecoin exist.

After you’ve frozen an NFT, you can view its IPFS URL directly from its OpenSea page. You can also view more information about how many Filecoin deals have been made for it using the NFT.Storage API in combination with your NFT’s IPFS content hash. For example: https://api.nft.storage/check/bafkreiem4twkqzsq2aj4shbycd4yvoj2cx72vezicletlhi7dijjciqpui


The Future of Decentralized Metadata


One of OpenSea’s missions is to provide a source of truth for any NFT, regardless of the blockchain, metadata format, or decentralized storage solution used to implement it. The future is going to be chaotic, and there will be many ways to create NFTs. We’re excited to bring more transparency to it.

Gas-Free Freezing


For the last six months, we’ve been excitedly launching support for the Polygon sidechain to provide users with a gas-free experience on OpenSea. For those with access to the private beta NFT minter, you can now freeze your Polygon NFTs to IPFS and Filecoin as well.

Just like with Polygon trading, there is no associated gas cost to save the IPFS URI to the NFT’s smart contract – OpenSea will pay it for you. Stay tuned for the larger release soon, and let us know what you think on Discord!



P.S. If you’re passionate about the nuances in NFT metadata, we’re hiring. Be sure to check out our open positions: https://opensea.io/careers


The featured image used for this article is part of the Art Blocks collection and is called Subscapes #638. It was created by Matt DesLauriers.


Create NFTs for Free on OpenSea

The first way to make & sell Non-Fungible Tokens for free, without paying gas

For the last month, we’ve been testing a new technique for creating non-fungible tokens (NFTs) on OpenSea that eliminates the need for creators to pay gas. It’s the first truly-free NFT maker, and today it works directly on Ethereum.

While we already had some existing tools for developers and a no-code NFT minter as well, they required users to pay the gas to deploy a smart contract and then pay gas to mint each NFT. Gas is the fluctuating price that miners charge to write new data on a blockchain. The gas price of minting an NFT on any platform ranged from $2 on a calm day to $32 on a crazy day like today. If you’re an artist creating just ten NFTs per month, this would have cost you about $100 per month.

Today, we’re announcing the Collection Manager on OpenSea, allowing you to create your own NFTs completely for free, without paying any gas. Selling these NFTs is also gas-free — you just have to initialize your OpenSea account once.

Click Create in the upper right to get started. TIP: You can even view and manage collections you’ve made on other platforms!

How does it work, and how do I use it?

The new collection manager allows creators to make NFTs without any upfront gas cost, as the NFT isn’t transferred on-chain until the first purchase or transfer is made.

We call this lazy minting. It unbundles the on-chain issuance of your NFTs from the metadata.

Even collections are now free and instant to make. To begin, create a new ERC-1155 collection at https://opensea.io/collections.

Managing a collection’s items.
TIP: You can edit an item’s image after creating it. Locking metadata is coming soon.

After you create a collection and select it, you’ll see an Edit button and an Add New Item button (pictured above).

Use the Edit button to:

  • Configure your logos, social media links, and display settings
  • Configure your commission that you take on primary or secondary sales
  • Choose which currencies (including social tokens) you want to allow on your store

Creating a new NFT. Many image, video, audio, and 3D model file types are supported, with a maximum size of 40MB.

Use Add New Item to create a new NFT.

When you create an NFT, you encode your address and its total supply in the token’s ID. That way, no one except you can mint more of them, and buyers can count on a hard cap on supply that’s enforced by code.

If you want to deploy your own contracts, manage the way they look on OpenSea, or set currencies and sale commissions for contracts you made on other platforms like Mintbase or Rarible, you can do that all through the same interface!

NFTs made with the Collection Manager follow the ERC-1155 standard, partly to help with gas-free minting and partly to help us add exciting features in the near future…

Note: Even before they exist on-chain, these NFTs can be sold on any platform. The smart contract returns the correct results for your balance of each NFT you make, publicly, and conforms to the ERC-1155 standard so they can be sold and transferred off-platform! Some reasons for selling them on OpenSea can be found here.
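Lazy minting with the creator and supply cap carried in the token ID, as an added Python example that is not the Collection Manager's contract code. The page does not give the ID layout, so the bit widths below (160-bit address, 56-bit index, 40-bit supply) and the `LazyLedger` class are assumptions for illustration; the addresses are constructed.

```python
ADDRESS_BITS, INDEX_BITS, SUPPLY_BITS = 160, 56, 40   # assumed layout, not stated on the page


def encode_token_id(creator: str, index: int, max_supply: int) -> int:
    """Pack creator address, item index and supply cap into one uint256-sized ID."""
    creator_int = int(creator, 16)
    if creator_int >> ADDRESS_BITS or index >> INDEX_BITS or max_supply >> SUPPLY_BITS:
        raise ValueError("field does not fit its bit width")
    return (creator_int << (INDEX_BITS + SUPPLY_BITS)) | (index << SUPPLY_BITS) | max_supply


def decode_token_id(token_id: int):
    """Return (creator, index, max_supply) recovered from the ID alone."""
    max_supply = token_id & ((1 << SUPPLY_BITS) - 1)
    index = (token_id >> SUPPLY_BITS) & ((1 << INDEX_BITS) - 1)
    creator = "0x" + format(token_id >> (INDEX_BITS + SUPPLY_BITS), "040x")
    return creator, index, max_supply


class LazyLedger:
    """Toy ERC-1155-style ledger: copies are minted on first transfer out of the creator."""

    def __init__(self):
        self.balances = {}   # (owner, token_id) -> balance already recorded on-chain
        self.minted = {}     # token_id -> copies minted so far

    def balance_of(self, owner: str, token_id: int) -> int:
        creator, _, max_supply = decode_token_id(token_id)
        balance = self.balances.get((owner.lower(), token_id), 0)
        if owner.lower() == creator:
            # Copies not yet minted are reported as the creator's balance.
            balance += max_supply - self.minted.get(token_id, 0)
        return balance

    def transfer(self, sender: str, to: str, token_id: int, amount: int) -> None:
        sender, to = sender.lower(), to.lower()
        if amount <= 0 or self.balance_of(sender, token_id) < amount:
            raise PermissionError("insufficient balance: only the creator mints, up to the cap")
        held = self.balances.get((sender, token_id), 0)
        from_held = min(held, amount)
        to_mint = amount - from_held   # non-zero only for the creator, bounded by the cap
        self.balances[(sender, token_id)] = held - from_held
        self.minted[token_id] = self.minted.get(token_id, 0) + to_mint
        self.balances[(to, token_id)] = self.balances.get((to, token_id), 0) + amount


# Constructed addresses and token for illustration.
CREATOR = "0x" + "ab" * 20
BUYER = "0x" + "cd" * 20
TOKEN = encode_token_id(CREATOR, index=1, max_supply=10)

if __name__ == "__main__":
    ledger = LazyLedger()
    print(decode_token_id(TOKEN))
    ledger.transfer(CREATOR, BUYER, TOKEN, 4)      # first sale mints 4 copies
    print(ledger.balance_of(CREATOR, TOKEN), ledger.balance_of(BUYER, TOKEN))
```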

Other features of the Collection Manager

Aside from making NFT creation free and instantaneous, the Collection Manager has a couple other new features:

  • Collections are now multiplayer! Every authorized editor can create new items, in addition to changing settings on the collection.
  • The Payouts page has been rebuilt and redesigned. Now you can more easily see all the secondary payments you’re due and how much commission you’ve earned from each NFT sale or bundle sale.

Results of the November Beta: $400/creator

To iron out the kinks and refine the new gas-free collection manager, we released it to a limited audience over the course of a month.

The idea of just an ERC1155 minter received substantial public interest. Thirty days later, 80 distinct creators made over 1000 NFTs for free, generating 58 ETH in revenue over 506 sales, with testers earning $400 on average that month.

One creator made 12 ETH for charity, and two prominent crypto artists moved collections over to the new collection manager.

Why are we doing this?

While a lot of crypto today is merely about currency speculation, the NFT art market is independent and real.

In just the second half of 2020, the volume of artistic NFTs and user-created content sold has grown from $1 million per month to over $20 million per month. That’s a 20x increase in just six months.

The number of art sellers has grown over 500%, from 1,395 in June to over 8,770 today.

A few other recent statistics:

  • Art NFT sellers have averaged 9.7 ETH per user over the past six months. At the exchange rate of $650/ETH, lower than today’s rate, that’s over $1000 / wallet / month.
  • For just their own NFTs, creators have sold 5.4 ETH (over $3,500) on average over the past six months. In just the Art category, 9.7 ETH ($6,300) was sold per artist on average. (Primary art sellers averaged 7.4 ETH, and secondaries were 9.1 ETH.)
  • In just the past 6 months, 45 different artists have each exceeded 100 ETH in primary sales of their artwork. These super-artists averaged 44 ETH of sales per month, or over $28,000 per month per artist in primary sales of their own work. For this elite group, it’s like having a salary of $340k per year.
  • There are now 12 NFT millionaires, or wallets that have sold over $1 million USD in NFTs, with Sorare taking the crown at $6 million. One NFT trader claims to have grossed $650,000 from just a $600 deposit.

An entirely new industry has just been born, and on top of being fun, safe, and pandemic-friendly, it’s remarkably equitable. You can now create a viable creative business no matter where you are, which language you speak, or which banking infrastructure you have access to.

All you need is creativity and the internet.


Now open: ERC1155 Marketplace!

Today, OpenSea is announcing a new type of tradable digital assets on the marketplace: ERC-1155 items. In short, these are like ERC-721 items, but they have different behavior and more flexibility, which we’ll explain below. It’s a new Ethereum token standard and a new type of dapp on OpenSea!

ERC-1155 items have been tradable on OpenSea for a while now (there are over 200,000 that you can find already), but today they get the full attention that they deserve. Let’s start with what’s new in 1155. Then we’ll explain how you can get started trading, which games are already supported (17 so far!), and how developers can make 1155-compliant dapps!

What is ERC-1155 and What’s New

The ERC-1155 token standard provides a way to make one smart contract govern an almost unlimited number of tokens — technically, 2²⁵⁶ token types with up to 2²⁵⁶ copies of each. Additionally, each token is semi-fungible. Unlike ERC-721 non-fungible tokens (NFTs), which can only be owned by one address each, semi-fungible means:

  1. Each token type can be owned by multiple addresses
  2. One address can own multiple copies of each token

This expands the design space for building game economies and provides efficiency benefits as well. ERC-1155 is a result of the combined efforts of multiple companies working together to achieve these two goals, including Enjin, Horizon Games, and The Sandbox.

What’s needed now is a marketplace for the (at the time of writing) 208,319 new semi-fungible assets on Ethereum! And that’s what’s here today:


How to Trade ERC-1155 Tokens on OpenSea

Check out your OpenSea account page to see which items you already own, or visit the supported collections on OpenSea (listed below) to buy one.

To sell an ERC-1155 item, it’s as simple as clicking Sell, and then specifying the total price and quantity you want to sell. If you specify an end date, the price will decline to the amount you want until the end date is reached, and then your listing will be automatically cancelled (expired) for free.

You only have to pay gas the first time you sell an item (which may include approving the token for trading). If you want to sell for Enjin ENJ, Sandbox SAND, or another payment token, click the dropdown below and set your price:

Selling an ERC-1155 item on OpenSea. Available payment tokens depend on the developer’s preferences.

Placing Offers

As with other tokens on OpenSea, you can place offers on 1155 items by clicking “Make an Offer” on the item’s page. Offers are non-binding, but because an item can have multiple owners now and any owner can accept it for you, many people will consider your offer at once!

ERC-1155 Games on OpenSea

Even before this official launch announcement, there are already 17 games on OpenSea using mainnet ERC-1155 contracts, and many are already ranked in the top fifteen dapps by volume. Special thanks to all of them for working with us to make a great marketplace experience.

You can also see these games with the “new” label on the OpenSea rankings page, ranked by weekly volume. Here are three examples:

Age of Rust Marketplace on OpenSea: Buy, sell, and explore digital assets

Year 4424: The search begins for new life on the other side of the galaxy. Explore abandoned space stations, mysterious caverns, and ruins on far away worlds in order to unlock puzzles and secrets! Beware the rogue machines!

Spirit Clash Marketplace on OpenSea: Buy, sell, and explore digital assets

Spirit Clash is a battle for supremacy. You must clash your way through the three spiritual cores of Mind, Body, and Soul to claim victory. The first player to control two of the cores wins the game, but your opponent won’t let you take them easily. Summon Followers that will clash for your Overlord.

The Six Dragons Marketplace on OpenSea: Buy, sell, and explore digital assets

Welcome to The Six Dragons, the first Open World RPG powered by Blockchain Technology. Discover 64km2 of Open-World full of surprises, escape 1 billion dungeons, craft items that you truly own and participate in a player-owned, decentralized economy with real-world value.

How to Create ERC-1155 NFTs on OpenSea

Updated Jan 13, 2021

If you’d like to quickly make ERC1155 items without coding or paying gas, read this blog post introducing our new Collection Manager.

Information for Developers

Interested in deploying an ERC-1155 contract on OpenSea? If you already have an 1155 contract on mainnet or the Rinkeby testnet, there’s a chance that OpenSea automatically discovered your items! You can also use the Get Listed flow to have OpenSea re-crawl the items and add them to the marketplace:

Mainnet: https://opensea.io/get-listed

Rinkeby: https://rinkeby.opensea.io/get-listed

Don’t have a contract yet?

We can help you get started. Here’s a work-in-progress tutorial and codebase for creating your own ERC-1155 contract.

Contact us in the #developers channel on Discord or on Telegram! We’re very responsive 🙂

What’s Coming Next

Crowdsales, gas-free pre-sales, and whitelisted airdrops using ERC-1155! Stay tuned using any of the following channels, ranked by signal-to-noise ratio 😉

Sam from Spirit Clash in their Telegram

Introducing eBay-style Auctions for Crypto Collectibles

What’s the best way to sell crypto collectibles? Their value is based on market demand, which is hard to measure, and there’s no “Kelley Blue Book” for pricing them. So you have to put them on auction, and until now, only the seller was setting the price curve.

Now, on OpenSea, you can let buyers compete to find the best price for your item or bundle of items!

Two main types of auctions

There are two main types of auctions: “English” and “Dutch.” The paradigmatic type of auction that you see for existing crypto collectibles like CryptoKitties, Etheremon, and MyCryptoHeroes has been the Dutch Auction. In this form, a seller lists an item for immediate sale, but sets the price to change over time. Buyers make purchases hoping they see these listings at the right time.

But the type of auction that most people think about is the English Auction, where you list your item for a minimum price and accept the highest bid after a set time period. This is the type of auction made popular by eBay* that you see for physical items there, and now it’s available on OpenSea. Here’s what the two price graphs look like, side-by-side:

Why English Auctions can be better

The primary benefit of an English Auction is that the seller doesn’t have to know the market value of their item when they price it; instead, they can low-ball a guess, and the market will drive the price up to the seller’s benefit.

What about buyers? Buyers love English Auctions, which feel like games with winners and players. Most importantly, as long as the starting price is low, buyers don’t have to know the market value. Dutch Auctions essentially require buyers to know the true value because buyers purchase hoping that they saw the item at the right time, and therefore the right price. In reality, determining price involves a conversation between more than just one buyer and one seller, and English Auctions enable that.

For example, let’s say a CryptoKitty with a market value of 0.5 ETH is currently on sale for 1 ETH and declining to 0 ETH over 2 months. Along comes a buyer who doesn’t know how much it’s worth. The buyer might purchase the item out of fear that someone else will snag it later, even though it’s currently too high of a price. In an English Auction, the seller will list the CryptoKitty for a low-ball guess (e.g. 0.4 ETH), and if demand for the kitty truly is high, then its price will naturally rise to 0.5 ETH as buyers outbid one another. It’s a multi-party conversation about value where every party has skin in the game, which until now hasn’t had a first-class experience on OpenSea.

Gas-free for both buyers and sellers

Why not just ask buyers to make offers on your items, like OpenSea has allowed for months? Because an English Auction guarantees that the highest bidder will win the item when the auction expires, regardless of whether the seller is awake or not. And we’ve added a nice feature that makes this guarantee possible: OpenSea will auto-match the highest bid with the auction, so neither sellers nor buyers have to pay gas!

How does this work? It’s a three-step process. First, sellers create auctions by creating and signing an off-chain sell order, which OpenSea stores off-chain with the OpenSea API. This involves no gas as long as the seller has already approved those assets for trading.

Second, buyers create buy orders in the same way, which also only requires signatures. To bid on an item for sale in an ERC-20 token like DAI (a stablecoin pegged to $1 USD), they just need to approve the token and have enough of it. If the item is on sale for ETH, buyers need to wrap ETH into W-ETH, which can be done when bidding or any time using the W-ETH Station on OpenSea. This allows the trade to happen when the buyer is asleep, without the need to escrow ETH into some non-standard contract, and the seller will receive W-ETH instantly that they can unwrap into ETH at their discretion.

Finally, when the sell order expires, OpenSea’s servers look for the highest buy order that’s at least the minimum amount specified by the seller, and pays the gas to match the two together. For the first time ever, no user (not even the order taker) needs to pay gas to fulfill the final transaction!
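The settlement step of the three-step process above, as an added Python example that is not OpenSea's matching code: because bids are signed off-chain and never escrowed, the matcher has to re-check each bidder's token balance and approval at expiry and fall through to the next bid when the top one can no longer pay. Signature verification is omitted; the order shapes, the tie-break rule, the exclusion of self-bids and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SellOrder:
    maker: str
    payment_token: str
    min_price: int        # smallest bid the seller accepts, in token base units
    expires_at: int       # unix time at which the auction closes


@dataclass(frozen=True)
class BuyOrder:
    maker: str
    payment_token: str
    amount: int
    created_at: int


def settle_english_auction(sell, bids, balances, allowances, now):
    """Return the winning bid, or None if the auction is open or nothing is fillable.

    balances / allowances: {(owner, token): amount} as read from chain at settlement time.
    """
    if now < sell.expires_at:
        return None       # auction still running
    eligible = [
        b for b in bids
        if b.payment_token == sell.payment_token
        and b.created_at < sell.expires_at
        and b.amount >= sell.min_price
        and b.maker != sell.maker          # assumed rule: sellers cannot win their own item
    ]
    # Highest amount first; the earlier bid wins a tie (assumed tie-break).
    for bid in sorted(eligible, key=lambda b: (-b.amount, b.created_at)):
        key = (bid.maker, bid.payment_token)
        # Bids are not escrowed, so funds and approval are re-checked now.
        if balances.get(key, 0) >= bid.amount and allowances.get(key, 0) >= bid.amount:
            return bid
    return None


# Constructed orders and chain state for illustration.
SALE = SellOrder("seller", "WETH", 400, 1_000)
BIDS = [
    BuyOrder("alice", "WETH", 500, 900),   # top bid, but alice has since spent her WETH
    BuyOrder("bob", "WETH", 450, 950),
    BuyOrder("carol", "WETH", 300, 960),   # below the seller's minimum
    BuyOrder("dave", "DAI", 600, 970),     # wrong payment token for this sale
]
BALANCES = {("alice", "WETH"): 100, ("bob", "WETH"): 450, ("dave", "DAI"): 600}
ALLOWANCES = {("alice", "WETH"): 500, ("bob", "WETH"): 450, ("dave", "DAI"): 600}

if __name__ == "__main__":
    print(settle_english_auction(SALE, BIDS, BALANCES, ALLOWANCES, now=1_000))
```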

Bundle Offers

With this new auction ability comes another highly requested feature on OpenSea: making offers on bundles. Now buyers will be able to suggest prices they’re willing to pay for your bundles on Dutch Auctions and fixed-price listings.

As an added bonus, if your bundle expires or you cancel it without finding a buyer, it’ll still be available for buyers to find and make offers! And a new “Re-list this Bundle” button makes it easy for you to quickly bring it back to auction and renegotiate a price. We hope this will make it easier for everyone to trade complex bundles and talk $ to sellers without spamming them.

Give it a try!

We’re very excited about English Auctions, so give them a try and put an asset on sale by visiting your account: https://opensea.io/account. OpenSea doesn’t escrow your items, so you never lose hold of them!

If you’re a developer, we’ve also added support to the OpenSea SDK for programmatically creating English Auctions, querying for them, and bidding on them. You can even add an address as a referral address and claim referral bounties, both through the SDK and by creating referral links.

For more information, or if you have any feedback, contact us on Discord or email us at [email protected]!

* Despite the widespread belief that all eBay listings are English auctions, most eBay listings are fixed-price now.