Paradigm and Hasu’s latest research: NFT efficient startup mechanism design guide

Blockchain has completely subverted the fundraising method of open source software, but not all new models will work well from the beginning. In fact, most of the initial coin offerings (ICOs) in 2016-2018 have become very bad cases, and the project founders can cash in the wealth they have raised before delivering any products. The crypto community has learned many lessons since then. Current projects will first come up with a runnable product before token issuance, currency issuance incentives and decentralized governance.

It turns out that non-fungible tokens (NFTs) are another product that clearly fits the crypto product market, but they are experiencing their own growth pains. The life cycle of each NFT begins with the initiation of the NFT (sometimes called casting/mint or airdrop/drop). Specific to the start of NFT, the first is to create a new series of NFT, sell it and distribute it to buyers, and then the buyer decides to hold it or trade on the secondary market.

Like any first-selling product, the launch of NFT faces a pricing challenge: how to price a product that has never been priced before. But unlike most other merchandise sales, NFT is more difficult to occur in a highly adversarial environment. The large number of characteristics of these environments (public chains) has turned out inexperienced users. Therefore, developers must design effective and sound mechanisms for development work.

This article starts with an analysis of real-world startup examples (which have hurt their users) to determine what indicators a good NFT startup should meet. Next, we will disassemble the startup concept into separate steps and explore the design space of each step. Finally, we provide a startup mechanism that we think is well-designed for the community to use and improve day by day.

Examples of harming users

Over time, we began to notice that certain design patterns in the NFT launch will always give users bad results.


When the new series of NFTs is launched, users can interact with their smart contracts to create NFTs with random attribute sets. These attributes often have different scarcity, making some combinations rarer and more valuable than others. For example, only 9 out of 10,000 CryptoPunks have ultra-rare “alien” attributes, and the cheapest one is currently listed on the market at 35,000 ETH.

Different people participate in the casting of the new NFT for various reasons. Many people enjoy the excitement of buying blind boxes and drawing hidden rare items. In this sense, NFT casting is just a continuation of the popular gashapon (blind box) mechanism in the analog world (for example, a booster pack for trading card games) and the digital world (for example, equipment boxes in video games).

People who participate in gashapon games often make an important assumption: they draw from randomly distributed items and have a real (albeit small) chance of obtaining very rare varieties. Unfortunately, past NFT minting projects often failed to satisfy this assumption and create true randomness. In practice, highly technical and motivated groups can use cheating mechanisms to snipe the rarest categories in the collection and take them away from honest participants.

We will share two cases where NFT minting projects were exploited through this model. Both exploits relied on the same two-step process:

  • The exploiter extracts the metadata of the collection so that the relative frequency of all features is displayed in a single rarity score table. Using this score sheet, they can quickly find the NFT with the highest value in the set.
  • Then, the exploiters break the randomness of the casting contract and only cast the rare NFT with the highest value they want.

Loot derivatives and original data exploitation on the chain

Recently, a project called Loot swept the NFT world with a hurricane. The project seems simple, but it contains 8,000 loot bags, consisting of breastplate, foot armor, hand armor, helmet, neck, ring, waist, and weapons of different rarities.

All attributes of each item slot are directly stored in the contract, and the mint receives a pseudo-random Bag, and the Bag ID is used as the hash value. Although these equipment will exist forever as long as Ethereum exists, the metadata stored on the chain also exposes the pseudo-randomness of Loot to the cheaters. By simulating the randomization function locally, they quickly grabbed the metadata of all 8,000 Bags and obtained the entire series of pictures (and the rarity of derivatives). With this information, they only need to take advantage of the last remaining weakness of the contract: able to accurately cast the ID they want, and only snipe the rarest equipment Bag.

However, although this vulnerability attack is very simple, there is reason to believe that no one can really exploit the NFT cast by the original Loot:

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideSource:

We have been observing the rarity of the equipment bag until the very last moment when the coin is minted. We found that the rare items are well distributed throughout the time of the coin, which shows that there has not been a serious case of exploitation.

Loot is not exploited, there are two possible explanations:

  • This is a brand new contract, so people are not ready or have time to discover loopholes.
  • The extractable value (EV) of the casting Loot is unclear, as the value of the collection exploded in the secondary market a few days later. This nNFT series took 2.5 hours to be sold out, further supporting this hypothesis.

However, as the price of Loot continues to rise, a series of derivative projects such as More Loot and Extension Loot have begun to appear, most of which are just small forks of the original Loot contract. The new NFT series inherited Loot’s weak links, but has a higher market value and attracted a higher degree of attention. The fairness (or lack of fairness) of these NFTs has a great impact.

More Loot

Comparing the distribution of the rare items in More Loot and the original Loot based on the casting time, it can be found that the signs of cheating in More Loot have become very obvious. After just a few blocks, all the rare NFTs have been minted, and the miners after that can only eat the leftovers. Basically they don’t know that experienced users have already started the NFT.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideSource:

Below: The red line indicates the point in time when Anish announced his rarity score on Twitter , and the competition for the available rarity package kicks off.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideSource:

In addition, due to the continuous expansion of the supply of More Loot, it can be expected that cheaters will pre-mark the equipment dais that will appear in the future and race to cast high-scoring equipment bags.

Extension Loot

Similar to More Loot, Extension Loot has a single address to mint five of the ten rarest equipment bags (all minted NFTs are highlighted in red). The unique thing is that these coins are hidden from close sight, because the cheaters will distribute them and the available equipment bags over time, and then continuously target the rare equipment bags.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideSource:

Meebit NFT and off-chain original data cheating

Meebits was once a highly anticipated NFT minting project consistingof 20,000 unique 3D characters providedby Larva Labs , creator of CryptoPunks.

Larva Labs knows that savvy users can use metadata sets to calculate rarity and snipe rare NFTs. To solve this problem, they designed their own website so that buyers can see the complete metadata of each Meebit NFT, but these data can only be found after it is minted.

Although the site clearly hides the uncast Meebit, someone checked the source code and discovered that Larva Labs extracted metadata from IPFS. They use this information to crawl IPFS to extract the metadata of the unminted Meebit NFT, and find the most desired individual NFT from it.

However, Larvalabs still does not make it easy for developers: unlike Loot, users cannot create a specific Meebit ID. On the contrary, the use of randomness on the chain to generate hashes (which in theory can still be cheated by mining) makes it more difficult for this particular user to mint the rare Meebit.

However, the cheaters are “devil’s height.” They wrote a contract of purchase Meebit NFT , view their ID, and “initial brush.” Specifically, the Meebit contract is an ERC721 standard contract with the mint() function, which returns a random Meebit ID. The developer’s contract will call mint, check the returned Meebit ID according to their rarity list, and if it does not exceed a certain rarity score, the transaction will be restored ( sample code ). Using this technique, they only need to pay about 0.03 ETH to check each ID instead of spending 2.5 ETH to buy each Meebit directly.  

Although the attackers consumed many failed transactions in this process and incurred gas fees as a result, they made a profit of about 400 ETH. Today, the same cheaters can bundle their transactions through Flashbots and only pay miners when they get one of the IDs they want-making transaction restoration completely free.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideThe attackers minted and sold Meebit #16647, which has the super rare “visitor” characteristics

Gas Auction

In September, the basic cost per gas of Ethereum exceeded 1,250 gwei in seven epochs. Shockingly, all these seven incidents were due to the much-anticipated NFT release that caused the Ethereum network to be paralyzed.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideFrom left to right: G’EVOLS, The Sevens, Sipher, Galaxy Eggs, Omnimorphs + ArtBlocks Democracity, Galactic Apes, King Frogs

Most of these NFT startups use a fixed price, first come, first served (FCFS) mechanism. Due to low prices and excessive demand, the competition for obtaining such NFTs has changed from contract sales to gas auction competition in the memory pool.

One example is the The Sevens NFT airdrop event, which is a highly anticipated NFT collection of 7,000 dystopian characters’ avatars. The initial price of each NFT is 0.07 ETH, and eager participants are eager to access the contract. In just 6 minutes, the Gas price reached a peak of 12,246 gwei, the median participant paid about 1.49 ETH for each NFT, and the highest 5% of individuals only used to mint the NFT from the contract to pay for each NFT The Gas fee of more than 2.44 ETH.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideDuring the Sevens NFT minting period, the basic cost of the block soared rapidly

The problem with gas auctions is not only to make the use of Ethereum more challenging, but by “misusing” the public memory pool in this way, they create negative externalities for all Ethereum users. It also forced users to pay different amounts for the same NFT, causing thousands of transactions to fail due to insufficient bids, causing harm to users.

Advantages of highly skilled users

As we have fully seen before, Ethereum is a dark forest (remarks: translation version of the chain ), and highly skilled adversarial characters are always looking for profiteering opportunities everywhere. NFT minting projects, especially rare minting projects that buyers hope to obtain a premium in the secondary market after minting, provide a profitable opportunity for skilled parties to outperform ordinary participants.

These participants directly interact with the NFT minting contract through robots and automated strategies, usually bypassing the front end and sometimes even the memory pool.

The TIMEPieces NFT airdrop is a good practical example. The hacker manipulating the advanced robot checked the front-end source code before the NFT casting process. In this way, they can find deployed minting contracts on the mainnet and build robots hours in advance. Therefore, these robots have a significant advantage during the NFT casting period, and this batch of NFTs was completely sold out in less than three minutes. When ordinary participants connected to their wallets and submitted transactions, there was no receipt.

In addition, some participants use Flashbots to bypass the Ethereum public memory pool and submit transactions directly to the miners. Although the TIMEPieces contract limits participants to min 10 NFTs per address, the robot operator 0x35…ce5 planned in advance to allocate funds to five wallets and snipe 50 NFTs in a single Flashbots package. Even if a tip of 20 ETH was paid to miners (making their average minting cost reach each NFT/0.5 ETH), when this batch of NFTs began to enter the secondary market, the robot operator could still make a profit of nearly 120 ETH.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guideThis bundle includes minting transactions from five different addresses, bypassing the limitation that each address can only mint 10 NFTs

In addition, since this participant uses Flashbots (which can recover failed transactions at zero cost), they will not be affected by the failed transactions we demonstrated earlier. The other nearly 10,962 participants were quite different. They performed 12,743 attempts in 100 blocks. Because their attempts were unsuccessful, they lost a total of 252.62 ETH (nearly 800,000 USD) in transaction fees.

The pursuit of fairness leads to high gas costs and low efficiency

An efficient NFT casting mechanism means that it is easy to use for all participants-ideally, only a few steps and simple implementation. One of the common pitfalls of minting projects that implement alternatives to the first-come, first-point distribution model is that they introduce complexity and increase the number of on-chain transactions that users must conduct.

An example is the auction of Jay Pegs Auto Mart $DONA on Miso . Although this minting activity created a batch auction NFT distribution, effectively showing how fair metadata generation looks like in practice, it does so at the cost of high gas fees and sacrificing transaction efficiency.

To participate in the NFT casting process, users must conduct at least four on-chain transactions within eight days:

  • Initially, users submit ETH to Miso for batch auction without knowing how many DONA tokens they will receive (depending on the final liquidation price)
  • After the auction ends, users must claim their $DONA tokens
  • At this time, the tokens obtained by all users are either too few to mint NFT, or just enough, or too much. According to the results of the survey of 1,363 coin minters participating, we found that 273 people got too little, 0 people were just enough, and 1,090 people were too much (the excess of minting a token).
  • Users with too few tokens must trade to obtain the necessary surplus from Sushiswap.
  • Users with too many tokens can choose to approve $DONA tokens for trading, and then trade through Sushiswap to sell their surplus tokens.
  • When users have enough DONA to mint an NFT, they can approve the NFT contract to spend their DONA, and then burn their DONA tokens to mint NFT.
  • Finally, the metadata will be distributed to the NFT in batches, and it is impossible to unilaterally reveal the specific content of a person’s NFT.

Although this mechanism strives to be fair, it makes it very difficult for users to participate, and the gas cost is high and the efficiency is low.

Exclusive coinage

The Obenbenbenne project pursues fairness by assessing the value of the collection by NFT collectors and enthusiasts, which is based on the strength of its community. Usually this involves measuring the concentration of tokens among token holders. The ideal collection situation tends to be less concentrated, which is conducive to individual participants, rather than being controlled by a giant whale.

However, in recent minting projects, there has been a new trend of introducing batch minting, where participants can mint more than one token at the same time in a transaction. Through this mechanism, giant whale casters can cast many NFTs with less gas overhead.

An example in practice is the Stoner Cats airdrop, which is a collectible NFT minting project used to support Hollywood actress Mila Kunis and her friends to make animated short films, allowing up to 20 NFTs to be minted at a time. In view of the existence of this function, 89% of the NFTs are cast by the batch casting function, and nearly 31% of Stoner Cats are all produced in batches by wealthy people who cast 20 NFTs at a time.

Paradigm and Hasu's latest research: NFT efficient startup mechanism design guide

In addition, all NFTs sold at a fixed price implicitly keep out the threshold of people whose funding ability is lower than the liquidation price. Considering the high cost of casting, this reduces the fairness of distribution and benefits those with stronger financial resources.

Trusted operator

Whether implementing a centralized lottery mechanism to prevent gas wars or through Chainlink to improve fairness, a common trade-off is to introduce trust assumptions to third parties. The more off-chain infrastructure that NFT minting projects must rely on, the more users need to trust centralized off-chain entities.

Small goals for a perfect start

By observing these startup activities and analyzing the problems people encounter in practice, we can now draw what we believe to be the six ideal attributes of NFT startup. We do not expect this to be a perfect list, but it is a starting point.

The fairness of inability to cheat: NFT activation must be truly random to ensure that cheating users cannot attack the rarest items at the expense of less mature users.

There are no competitive conditions: Whenever an NFT (or actually any commodity) is sold at a price lower than its fair market price, it becomes what Ethereum co-founder Vitalik Buterin calls “an auction of other means.” In practice, buyers race to get their transactions to be mined into blocks as soon as possible, or attach large bribes to motivate miners. Anyone who auctions by other means has a deep understanding of the blockchain, and can use power tools such as robots, private relays such as Flashbots or Eden, or even submit it directly to miners.

Not restricted by time zone: Usually the “first come first served” model is released at a specific block height, and then sold out in a short time. No matter what block height is selected, it will always be detrimental to users in other time zones who are currently sleeping or busy at work. Therefore, the release time span should not be too short, so that people can participate in it without changing their daily lives.

Save Gas: The cost of transactions on the chain (especially on Ethereum) is very expensive, so a good NFT startup should minimize the number of transactions that users must conduct.

Inclusiveness and resistance to sybil attacks: Generally, it is in the best interest of ensuring NFT creators to ensure that the release is open to different groups of token holders, even if it initially leads to a slightly slower market clearing speed. This is because a vibrant community will ultimately promote the value of collectibles in the secondary market. 

No trust: Of course, in summary, the startup mechanism should be able to maintain the attributes of the underlying blockchain. This means that it must provide the aforementioned benefits without being subject to regulation or requiring excessive trust assumptions on operators.

“Not open is safe” should not be an excuse for poorly designed activation mechanism

In theory, most NFT startups have one or more of the above problems, but in practice, there is insufficient demand for these problems at the same time. This is an example of “secret is safe”.

For example, if the market perception value of a new NFT series is low, there may be no competitive conditions leading to bidding wars in the memory pool, there is no need to purchase priority block space, and predatory users have no incentive to cheat on it. Similarly, if there is too much demand for a new NFT series, the series may be sold out so quickly that there is no time to write custom software for it or cheat on its fairness.

Although too few security requirements are a problem, we believe that people should always design their NFT launches to remain robust under all market conditions, especially not to rely too much on fast-selling product lines as a way to protect them from cheating means.

NFT startup details dismantling

Although we now know that we need an excellent release, we still don’t know how to achieve it. This path can be slowly revealed by disassembling what is actually happening behind the scenes (or, as we will see, there will be many paths).

Each NFT startup consists of four steps:

  • Bidding: The sale is activated, and the user submits a bid to the operator (which can be a smart contract).
  • Liquidation: The operator matches the collected bidding bids with the remaining supply, determines the liquidation price, and selects the winning bidder.
  • Distribution: The winner of the bid can receive their newly minted NFT (or receive it from the operator).
  • Original data disclosure: The operator discloses NFT attribute data.

Take Loot as an example. Loot’s first-come, first-served sale is online at block 13,108,877. The creator of the collection, dom, set the sales price to zero in the smart contract, but the user still has to bid for the auction through gas. For each block, miners will settle new bids for the remaining supply and determine who wins and who loses. When the user bids successfully, he will receive the NFT in the same transaction.

Most users only understand the specific properties of NFT after receiving it. However, in practice, a highly skilled user can read the attributes of the NFT from the smart contract before casting, allowing them to snipe the rarest items in the collection. This means that regardless of whether the other steps occur sequentially or continuously, the metadata can only be displayed after the item is purchased and finally liquidated.

Next, we will explore the options that NFT developers have in each of the four steps. We discuss the impact of each option on the ideal properties, so as to filter out the bad choices and optimize the good design choices.

Step 1: bidding

At this stage, operators collect bids (for example, purchase requests) from their users. 

Continuous vs. Sequential Liquidation

First, operators must decide whether they want to continuously bid and liquidate in the same or two non-overlapping phases.

Any first-come, first-served, fixed-price sale (most NFT startups so far are in these forms) is an example of continuous liquidation. For each block, the miners will check the bids and liquidate them based on the remaining supply.

There are several problems with this mechanism: If the operator overestimates the NFT liquidation price, the NFT price is too expensive and may not be sold out. If operators underestimate the clearing price of NFTs, these NFT prices are too cheap, and users will compete through speed (who has the most direct access to the block space) or gas price (who can pay the most fees to miners for their transactions). As discussed in the previous article, this can lead to a large amount of economic losses due to transaction failures and greatly benefit highly skilled participants. If necessary, the first option can be alleviated by routing all user transactions to Flashbots RPC, and letting the auction proceed in an environment where failed transactions are cost-free.

When the second option is adopted, bidding and liquidation occur in two non-overlapping stages. In practice, the operator first collects all bids, then matches them to available supplies and liquidates them at a fair price. This method includes mechanisms such as batch auctions or lotteries. An example of this approach is Jay Pegs Auto Mart, which gives users a week to submit their bids before the market clears.

The sequential approach has several advantages, which are consistent with our stated goals:

  • No race conditions: users have enough time to submit their bids, and the result depends on how much the user is willing to pay, not on their speed or skill.
  • Free of time zone constraints: This method respects people who work or live in other time zones.

In addition, since there is no Gas auction, there are no negative externalities to other network users.

However, this method has disadvantages, such as requiring more on-chain transactions (depending on the auction design) or reducing the fun of the participants, because they now have to wait longer. We suggest not to let the bidding period be too long to alleviate the latter concern, perhaps it is best not to exceed 48 hours.

On-chain bidding vs. off-chain bidding

After deciding on continuous or sequential liquidation, the next choice is whether users submit their bids on-chain or off-chain.

As we will see, the current NFT startup usually collects bids on the chain because it is the simplest and can efficiently allow miners to liquidate the winning bidder and declare the remaining bids as failed. If we assume that the network itself is uncensored, it also means that there is a strong guarantee that no valid bid will be missed from the sale.

However, it is also possible to collect bids off-chain. In this process, users use their private key to sign a message that contains information such as their on-chain address, the number of tokens or tickets they want to buy, and their highest bid. They send this message to the operator without executing it on the chain, using their signature to prove its validity.

However, operators can use these bids to clear the off-chain market, or bundle winning bid transactions and submit them to a contract for execution on the chain. No matter which method is adopted, the buyer needs to have a certain degree of trust in the operator to ensure that the correct bid is executed.

The last method combines off-chain collection of bids and on-chain selection of successful bidders, combining a robust, gas-efficient and flexible approach. The only thing users need to believe is that when they submit a bid on the chain, the operator will not miss any bids-this is a relatively weak assumption.

Who is allowed to participate in the bidding?

The third decision to be made is who is allowed to bid and how many people are allowed to participate. As discussed in the goal of inclusiveness and resistance to sybil attacks, the project party may want to ensure that different user groups buy their items. In this regard, they limit the number of NFTs provided to users with specific characteristics, or reserve a portion of the NFT specifically for holders of the existing NFT community.

When bidding takes place off-chain, such KYC rules are easy to implement-only require users to prove certain information before submitting a signature to the server. KYC chain is more complex, but Gitcoin of privacy proof and other projects is in progress.

Even if a project does not want any form of KYC, they can still take measures to ensure that large users and small users can buy the same amount of tokens with the same funds. When the contract allows users to purchase or receive many NFTs in the same transaction, this principle is usually broken, because the giant whale can share the same gas cost by buying more tokens, so compared with small users, they Less fees are paid for each token. To alleviate this situation, it is usually a good idea to limit the number of tokens purchased per address or per transaction.

Bidding cost

In addition, the operator must decide when users must pay for NFT tokens-together with the bid, or after the market is cleared?

In the latter case, users only need to reserve the tokens during the bidding phase and wait for the market to clear, and then they can complete the purchase within a certain time window. One project that uses this method combined with off-chain bidding is Parallel . Although it works well in a quieter market, this model may become a competitive condition when demand is very high, and users want to keep as many tokens as possible because there is no cost to do so.

In order to alleviate the problem of competitive conditions, the bid itself should be linked to cost. The best solution here is to allow users to submit bids only after locking the funds in the smart contract from the same address. Then if the bid is unsuccessful, the operator can decide whether to refund the funds (similar to an exchange’s limit order) or keep the bid (similar to an unpaid lottery ticket).

Bidding granularity

Finally, they must decide how granular they want users to express with their bids. When there is a failed bid (because demand exceeds supply), further decisions must be made: how to be a winner and how to be a loser. Here are three viable options:

  • “Fool-style” batch auction”: People promise a certain amount of ETH without further instructions. In the liquidation phase, the number of NFTs is divided by the total amount of submitted ETH, and everyone will receive fragmented tokens in the form of ERC-20, which can then be exchanged for ERC-721 NFT. Jay Pegs Auto Mart uses this method, and its advantage is that there are no failed bids. However, its disadvantage is that it requires three additional on-chain transactions-two for selling or buying tokens to reach a useful amount (for example, a “full” ERC-20 token), and one transaction for Redeem NFT. Most importantly, this method does not allow buyers to express a bid for a certain number of tokens they want-and almost every market expects this feature.
  • “Smart” batch auctions: Many years ago, SpankChain used a similar method in its ICO, but it can even be said to be better. Unlike Jay Peg, SpankChain collects bids for each token price for a specified number of tokens. After the bidding phase is over, they calculate an off-chain execution price and submit it to the smart contract together with the winning bid price. Those who win the bid can withdraw SPANK, and if they fail to win the bid, they can withdraw ETH. The disadvantage of this method is that it has to match all bids, and its computational complexity is so huge that it can only be done off-chain, which requires a certain degree of trust in the operator.
  • “Loot lottery”: Finally, people can play lottery or lottery mode, and users can bid by buying tickets or booking. Then the winner is randomly selected from all the ticket pools. In this way, the user will either receive a complete token or get nothing, thereby saving gas fees for three additional transactions like Jay Peg’s $DONA. This means that users with weaker financial resources can also enter the market. However, it introduces randomness in sales, and some users may prefer it, while others may not.

Step 2: liquidation

At this stage, the operator (or someone operating in the name of the operator) matches the bid and the available supply, and decides who will buy the NFT and who cannot buy the NFT. 

On-chain liquidation vs. off-chain liquidation

The last major node is who can choose the winner from all bid pools. In the first-come, first-served model, this is done by miners, as we have explained, it is prone to corruption in several ways.

In Jay Peg’s clearing mechanism, the computational complexity is very low, low enough to be performed on the chain in a completely trustless manner.

In the SpankChain model, the winner is selected entirely off-chain. Although bidders cannot trade at a price higher than they want (smart contracts ensure this), they still have to trust that operators will not push them to their highest transaction price, similar to a decentralized exchange How the sandwich attack works.

The “lottery” method is the easiest to clear because you only need a random number (for example, from Chainlink VRF). However, the requirement for randomness also introduces another trust hypothesis: people who produce this randomness may prefer their own bids over others. Conversely, when the winning bid is only the highest bid, this is impossible.

Step 3: distribute

After the market is cleared, operators must mint tokens and hand them over to users. If they adopt this model, they need to return all funds for failed bids. This step usually involves Gas efficiency and preventing race conditions.

Simultaneous vs. interval settlement

If operators want to prevent their users from claiming NFTs at the same time, causing gas costs to soar, they can reuse the same randomness as in the liquidation process, allowing people to claim them in batches. This solves the problem of soaring Gas fees caused by collective actions, because users are better not to claim all NFTs at the same time. Nevertheless, curiosity is everywhere, hoping to understand their metadata, and who will be the first person to resell NFTs in the secondary market, anyway, it may always create competitive conditions. This means that interval settlement will also increase the waiting time for users.

Claim vs. Receive NFT Tokens

The only other thing to mention in the distribution is: Do users have to claim the tokens themselves, or the operator can simply send them to them over time. The latter is a variant of interval settlement, but has the added advantage that the user does not need to do anything. The Parallel startup mentioned earlier uses this method, and the effect is very good, but the user is required to add “shipping” when initially paying for the NFT.

Step 4: Disclosure of original data

Finally, once the NFT tokens are distributed, their metadata can be displayed. In the four stages of NFT startup, this step must be placed at the end. It also cannot share the last step with other steps (for example, by bundling payment, distribution, and original data display in the same transaction, just like Meebit does), because bad actors can “scratch the initial” by replying to the transaction and undermine fairness. Sexually cheating. There must be at least one block gap between payment and metadata display to make transaction rollback impossible, although you can also choose to increase this gap to prevent reorganization attacks.

When to disclose metadata

We have now determined that casting an NFT and disclosing its metadata cannot occur in the same transaction, which raises the question of when to disclose. This is not only important for ensuring fairness, but also for user experience and gas efficiency. Generally speaking, there are three options:

Complete set disclosure: In the complete set disclosure, the operator will wait until all the NFTs of the set have been cast, and then disclose the metadata. This method has a very high gas efficiency, only a random number is needed, and then the random number can be used to disrupt the metadata of the ticket ID without the user taking further action.

However, it has obvious disadvantages. In other words, users must wait until all NFTs have been minted to view the metadata of their tokens. If an upper limit is set for when to disclose metadata (for example, 24 hours), some users may still not be able to cast in time, resulting in NFT collections that cannot be sold out.

NFT disclosure one by one: In order to improve the UX disclosed in the complete works, operators can also allow users to show randomness for NFT one by one. This is more attractive because users can “open” their NFT shortly after purchase. It also allows “unopened” NFTs to be traded in the secondary market (this is popular in trading card games such as MTG). 

However, this method brings the burden of requiring users to perform additional on-chain transactions, such as calling Chainlink VRF and applying random numbers to their own NFTs. Even for users who are not particularly eager to disclose metadata or are not interested in trading unopened NFTs, this is an inevitable fee.

Bulk disclosure: We put forward the concept of bulk disclosure as a potential middle ground. In this method, users can mint indefinitely, but if they wish, they can also disclose their NFT metadata in the next block. Each new random number received will automatically disclose the metadata of all minted and pending NFTs, and disclose them at almost the same constant cost.

Therefore, users with high time preferences can choose to pay for additional on-chain transactions to disclose metadata, which benefits all their previous users. If no user chooses to disclose, the operator can also follow a certain schedule, such as every hour.

Sources of Randomness

After deciding when to disclose metadata, the remaining question is where to obtain randomness. The two recommended options are to use Chainlink VRF or commit-reveal scheme .

Using the former, you can access verifiable sources of randomness on the chain on demand. Using any disclosure mechanism, you can call Chainlink to request randomness, and once it is met, use randomly generated numbers as input values ​​for metadata calculations. This will ensure that it is random for each NFT.

For the latter mechanism, the operator can create a random number (for full disclosure) or multiple random numbers (for each NFT or batch disclosure) before selling and submit its hash value in advance. Once the NFT is minted, the operator can reveal these numbers so that anyone can verify its authenticity through the hash. Nevertheless, this method requires a certain degree of trust in operators, trusting that they will not use advance insight of random numbers to create the best NFT. In order to minimize the need for trust, we recommend still performing some independent randomization in the casting order.

In addition, for off-chain metadata, operators can choose to submit a hash of the complete metadata (all the id-related attributes of the NFT) instead of submitting a random number. This ensures that the metadata is predetermined and cannot be tampered with during or after the casting process. Nevertheless, independent randomization in the casting sequence is also necessary to prevent operators from using the right to know to cheat.

Our practical reference manual

We provide a hands-reference manual , in this manual, we consider a good balance between all the properties, and easy to understand and adjust.

Bidding: In our practical reference manual, users can bid by buying lottery tickets. The draw time is determined by the operator (we recommend 24-48 hours). The price of each ticket includes the gas fee and the price of each NFT specified by the operator. The latter acts as a “margin” and refunds all the tickets of the losers after the market is cleared. Anti-Sybil attacks are generated in three ways: gas per transaction, capital cost of locked funds, and the maximum number of votes per address.

Liquidation: After the auction period ends, winners equal to the number of available NFTs must be drawn from all ticket pools. First of all, anyone can call collectEntropy()to obtain a random number from Chainlink VRF. This randomness is used in “shuffleEntries()”, which uses the Fisher-Yates lottery mechanism . Anyone can call this function to ensure liveness and make the gas cost social (for example, borne by the giant whale).

Distribution: After all the winners are drawn, users can claim NFT from their winning lottery tickets indefinitely, and they will receive a refund for the lottery they lost. Both happened in the same transaction. Operators can now start withdrawing the proceeds of winning lottery tickets.

Metadata disclosure: Users can disclose their NFT metadata in the block after claiming the NFT. Anyone can request a new random number, and it will automatically disclose the metadata of all minted and pending NFTs. Users with high time preference can pay immediately to disclose metadata for the benefit of all users.


In this article, we give real-world examples to show how poorly designed NFT launches can lead to sub-optimal results for users. However, when a project clearly defines their goals, and takes time to deconstruct the actual steps of the release, many designs become possible—and almost all designs are more fixed-price, first-come-first-served, network-based designs than we are accustomed to. Crowded NFT sales are much better.

If you want to gain anything from this article, please follow the following three rules:

  • Non-cheating fairness is the most critical attribute of NFT startup with random metadata. Use strong randomness and never reveal the metadata of the NFT before it is purchased and settled.
  • Competition conditions will hurt users, including users who participated in coin minting and users who did not participate. Use sequential bidding and clearing (for example, lottery draws or batch auctions) to solve this problem.
  • Consider cost-effectiveness from the first minute. Keep asking yourself whether any steps currently occurring on the chain may also occur off-chain in order to save money for your users. Assuming that users can establish a certain degree of trust in operators, off-chain steps can include bidding and market clearing. Consider batch disclosure in the metadata disclosure stage.

We would love to see NFT developers start experimenting with some of these ideas to launch more types of products in reality. Finally, we would like to express our gratitude to those big Vs who have been sharing their suggestions with the NFT community to help improve the quality of NFT startup:

  • Vitalik —Thanks for his explanation of the FCFS fixed price sales problem
  • FairDrop — share their proof -of-concept design for a fair lottery
  • dotta -suggestions for building a great front end
  • Jay Pegs Auto Mart and SpankChain -testing novel auction methods
  • Parallel -fully demonstrates the best practice of off-chain lottery
  • 0xmons -suggestions and tools for designing a fair start

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-10-17 11:40
Next 2021-10-17 11:45

Related articles