Paradigm: Design Guidelines for Efficient NFT Issuance

Blockchain has brought revolutionary changes to the financing of open source software, but not everything will work in the first place. In fact, ICOs in the 2016-2018 period are often severely problematic mechanisms that allow founders to cash out any products before they are delivered. Since then, we have learned many lessons, and today’s project has a working product before issuing and distributing tokens to incentivize usage and decentralized governance.

NFTs proved to be another product market match that clearly applies to cryptocurrencies, but they are experiencing their own growing pains. The life of every NFT begins with an NFT issuance (sometimes called minting or airdrop). An NFT issuance means that a new collection is created, sold and distributed to buyers for the first time, who will then decide whether to hold or trade in the secondary market.

Like any first-sale product, the issuance of NFTs faces the challenge of pricing things that have never had a price. But unlike most other things, they have an additional difficulty, that is, they are carried out in a highly adversarial environment full of unique characteristics that have made it difficult for inexperienced users to approach. This environment is public. Blockchain. Therefore, developers must design efficient and robust mechanisms to prevent damage.

This article starts with cases of NFT issuance that have harmed the interests of users in the real world to find out which goals a good issuance should meet. Next, we break down the issuance into individual steps and explore the design space of each step. Finally, we provide a reference implementation that we believe is a well-designed issuance mechanism for the community to use and build on its foundation.

Examples of harming the interests of users

Over time, we have noticed that certain design patterns issued by NFTs have consistently brought undesirable results to users.

Destructible fairness

When a new collectible is launched, users can interact with its smart contract to cast an NFT with random attributes. These attributes often have different rarities, making some combinations scarcer and more valuable than others. For example, only 9 out of 10,000 CryptoPunks have ultra-rare “alien” features, of which the cheapest one on the market now has a price tag of 35,000 ETH .

Although different people participate in casting for various reasons, many of them enjoy the excitement of not knowing which one they will get and how rare they are. In this sense, forging NFTs is nothing more than a gashapon mechanism that has long been popular in the analog economy (such as the enhancement pack in trading card games) and the digital economy (such as the loot boxes/boxes in video games). Continuation.

People who participate in gashapon games often make an important assumption: they draw from a random distribution of items, and they really have a chance (albeit small) to draw a very rare one. Unfortunately, the past NFT casting often failed to satisfy this assumption and could not create true randomness. In practice, this allows all parties familiar with the technology and motivated to use casting for their own profit, snatching the rarest ones in the collection, making it impossible for honest participants to obtain it.

We share two cases of this model, in which NFT casting was destroyed in this way. Both cases rely on the same two-step process:

1. The looter extracts the metadata of the collection so that they display the relative frequency of all attributes in a single rarity score. Using this score, they can then determine the highest value NFT in a collection.

2. Then, the looters break the randomness of the casting contract to only cast the rare, highest-value NFT they want.

Loot derivatives and use on-chain metadata to snatch Loot

Recently, a project called Loot has taken the NFT world by storm. Seemingly simple, this item contains 8,000 loot packs, consisting of chests, feet, hands, heads, necks, rings, waists, and weapons items of different rarities.

All the attributes of each item slot are directly stored in the contract, and the mint gets a pseudo-random loot package with the package ID as the hash value. Although they will exist forever as long as Ethereum exists, storing metadata on the chain also exposes the pseudo-randomness of Loot to looters. By simulating the randomization function locally, they quickly grabbed the metadata of all 8,000 packages and obtained the entire series of pictures (and also obtained the rarity). With this information, they only need to take advantage of the last remaining weakness of the contract: to be able to accurately cast the ID they want, and only target the rarest packages.

However, although the destruction is simple, there is reason to believe that no one will destroy the original Loot.

Paradigm: Design Guidelines for Efficient NFT Issuance


If we observe the rarity of the last loot bag until the casting, the distribution of rare items throughout the casting process is good. This shows that there are no obvious cases of snatching.

There are two possible explanations for why Loot was not destroyed:

1. This is a brand new contract, so people are not ready yet or lack time to find loopholes

2. The expected value of casting Loot is not clear, because the value of collectibles will only explode in the secondary market in the next few days. The collection takes about 2.5 hours to sell out, which further supports this hypothesis.

However, as the price of Loot continues to rise, a series of derivatives like More Loot and Extension Loot begin to appear, most of which are just small forks of the original Loot contract. The new collection inherits Loot’s weaknesses, but has a higher market value and gets more attention. This has a great impact on the fairness of these collections.

More Loot

Comparing the distribution of rare items with the casting time between More Loot and the original Loot, the evidence of snatching becomes very obvious. After just a few blocks, all the rare NFTs have been minted, and only some worthless ones are left for future minters, who basically don’t know that experienced users have already robbed the issuance.

Paradigm: Design Guidelines for Efficient NFT Issuance


Below: The red line refers to when Anish announced his rarity score on Twitter, he began to compete for the block height of the rare package.

Paradigm: Design Guidelines for Efficient NFT Issuance


In addition, as the supply of More Loot continues to expand, it can be expected that looters will pre-rate the packages available in the future and race to cast them.

Extension Loot

Similar to More Loot, Extension Loot has a single address that can mint 5 of the 10 rarest bags (all minted NFTs are marked in red). The unique thing is that these NFTs are hidden in obvious places, because the looters will slowly distribute them and the available packages before continuously targeting the rare packages.

Paradigm: Design Guidelines for Efficient NFT Issuance


Meetbits and using off-chain metadata to snatch Meebit

Meebits is a highly anticipated NFT launched by Larva Labs, creator of CryptoPunks , with 20,000 unique 3D characters.

Larva Labs knows that savvy users can use the metadata of the collection to calculate the rarity and then snatch the rare NFT. To solve this problem, they designed their website in such a way that they allow buyers to see the complete metadata of each Meebit, but only after the NFT is minted.

Although the site clearly hides the uncast Meebits, someone looked at the source code and found that Larva Labs was extracting metadata from IPFS. Using this information, they searched IPFS, extracted the metadata of uncast Meebits, and found the ones they wanted the most.

However, Larvalabs still hasn’t made it easy for looters: unlike Loot, users cannot cast NFTs with specific Meebit IDs. On the contrary, the randomness on the chain is used as a hash value (in theory, miners can still use it), making it more difficult for this particular user to mint a rare Meebit.

However, predators know how to achieve the best results in bad situations. They wrote a contract to buy Meebits, checked their IDs, and then “disrupted” them. Specifically, the Meebit contract is an ERC721 with a mint() function, which returns a random Meebit ID. The snatcher’s contract can call mint, compare the returned Meebit ID with their rarity list, and roll back the transaction if it does not exceed a certain rarity score (sample code). With this trick, they only need to pay about 0.03 ETH to view each ID, instead of spending about 2.5 ETH to buy Meebit directly.

Although the attackers burned a lot of failed transactions in this process, they also burned a lot of gas fees, and they finally got about 400 ETH in revenue. Today, the same predators can send transactions through Flashbots’ transaction bundles, and if they get the ID they want, they pay the miners—making rollback transactions completely free.

Paradigm: Design Guidelines for Efficient NFT Issuance

The attacker minted and sold Meebit #16647, which has extremely rare “visitor” characteristics.

Gas auction

In September, there were 7 special periods when the basic cost per gas of Ethereum exceeded 1,250 gwei. What is shocking is that all of these 7 occurrences were caused by the high-profile NFT issuance that disrupted the network.

Paradigm: Design Guidelines for Efficient NFT Issuance

From left to right: G’EVOLS, The Sevens, Sipher, Galaxy Eggs, Omnimorphs + ArtBlocks Democracity, Galactic Apes and King Frogs

Most of these issuances use a fixed price, first come, first served (FCFS) mechanism. Due to low prices and excessive demand, the competition to obtain these NFTs has changed from contract sales to gas auctions in the trading pool.

One example is the airdrop of The Sevens NFT, a much-watched collection of collectibles with 7,000 collections of dystopian characters as personal avatars. Since the initial price of each NFT is 0.07 ETH, enthusiastic participants rushed to the contract to mint. In just 6 minutes, the gas price reached a peak of 12,246 gwei. Only above the gas fee for contract casting, the median payment of participants was about 1.49 ETH per NFT, and the highest 5% of people per NFT 2.44 ETH was paid.

Paradigm: Design Guidelines for Efficient NFT Issuance

In the Seven Minting, the fast-rising block basic fee

The problem with gas auctions is not only that they are more challenging to use, but that by “abusing” the public transaction pool in this way, they create negative externalities for all Ethereum users. They also forced users to pay different amounts for the same NFT, causing thousands of under-bid transactions to fail, harming users’ interests.

High-tech threshold

As we have seen before, Ethereum is a dark forest, with many high-level, hostile actors always seeking opportunities. NFT casting, especially the rare ones, buyers expect to get a premium in the secondary market after casting, which provides more profitable opportunities for skilled parties than ordinary participants.

These participants directly interact with the minting contract through robots and automated strategies, often bypassing the front-end and even occasionally the trading pool.

The TIMEPieces NFT airdrop is a typical example of this. Advanced robot operators check the front-end source code of before starting casting. In this way, they can find deployed casting contracts and built robots on the main network a few hours in advance. Therefore, these robots have a significant advantage in casting—all sold within three minutes. By the time ordinary participants connect their wallets and submit transactions, it is already too late.

In addition, some people use Flashbots to bypass the transaction pool and submit transactions directly to miners. Although the TIMEPieces contract limited participants to min 10 NFTs per address, the robot operator 0x35…ce5 planned in advance, divided the funds into 5 wallets, and robbed 50 NFTs in a Flashbots transaction bundle.

Paradigm: Design Guidelines for Efficient NFT Issuance

This transaction bundle contains 5 minting transactions from different addresses, avoiding the limit on the number of minting for each address.

In addition, because this participant used Flashbots (which made the cost of rolling back the transaction 0), they did not encounter the failed transaction situation we had in the example above. This is different from nearly 10,962 ordinary technical participants who lost a total of 252.62 ETH (nearly 800,000 USD) in transaction fees in 12,743 rollback transactions in 100 blocks, because their attempts failed.

Low gas efficiency

An effective NFT casting mechanism should be easy to use for all participants-preferably with few steps and simple implementation. For the implementation of NFT casting which is different from the first-come, first-point distribution model, a common problem is that it introduces complexity and increases the number of transactions that users must make on the chain.

An example is Jay Pegs Auto Mart’s $DONA auction on Miso. Although the casting pioneered a batch auction NFT distribution method and effectively demonstrated the fairness of metadata generation in practice, it was at the expense of gas and transaction efficiency.

In order to participate in the casting process, users must perform at least 4 on-chain transactions within 8 days:

1. First, users submit ETH to a Miso batch auction without knowing how many USD $DONA tokens they will receive in exchange (depending on the final settlement price)

2. Once the auction is over, users must claim their $DONA tokens

3. At this time, all users are in three situations: not enough tokens to mint one NFT, just enough and too many tokens. Based on the 1,363 minters participating, we found that 273 were not enough tokens, 0 was just enough, and 1090 tokens were too much (a fraction of more than one token).

  • Users with too few tokens will have to trade to obtain the necessary remaining tokens from Sushiswap.
  • Users who have too many tokens can choose to agree to trade with $DONA tokens and then trade through Sushiswap to sell their surplus.

4. When users have enough $DONA to mint an NFT, they can agree to the NFT contract to spend their $DONA, and then burn their $DONA to mint an NFT.

5. Finally, metadata will be distributed to NFTs in batches, and the metadata of a certain NFT cannot be disclosed.

Although this mechanism strives for fairness, it increases the difficulty of user participation and consumes a lot of gas.

Exclusive casting

One way for NFT collectors and enthusiasts to evaluate the value of their collections is through their community power. Typically, this involves measuring the concentration of token holders. Ideal collections tend to have low concentration and benefit individual participants rather than many giant whales.

However, in recent minting, there has been a new trend of introducing batch minting, that is, participants can mint more than one token in a single transaction. Through this mechanism, giant whale casters will be incentivized to cast many NFTs with less gas overhead.

An example in practice is Stoner Cat’s airdrop, which is a collection of NFT casting that supports the production of animated short films by Mila Kunis and friends, allowing up to 20 NFTs to be cast at a time. With this function in mind, 89% of NFTs are cast by the batch casting function, and nearly 31% of Stoner Cats are cast in batches of up to 20 NFTs.

Paradigm: Design Guidelines for Efficient NFT Issuance

In addition, all NFTs sold at a fixed price implicitly prevent individuals from participating in activities below the settlement price. This reduces the fairness of the distribution and makes the balance leaning towards those giant whales, especially considering how expensive it is to manufacture.

Trusted operator

Whether implementing a centralized lottery to avoid gas wars or using Chainlink to provide fairness, a common trade-off is to introduce the assumption of trust in third parties. If NFT casting must rely on more off-chain infrastructure, users must have more trust in centralized off-chain entities.

The goal of a good distribution

By observing these issuances and analyzing the problems that people encounter in practice, we can now come to the six ideal characteristics that we think NFT issuance should have. We have no ambition to say that this list is complete, but it is a beginning.

Unbreakable fairness: The distribution must be truly random to ensure that predatory users cannot rob the rarest items at the expense of less skilled users.

There are no competition conditions: Whenever an NFT (or any product, really) is sold at a price lower than its fair market price, it becomes what Vitalik Buterin said it would be auctioned in other ways. In fact, buyers race to get their transactions to be mined as quickly as possible, or attach a large remittance to miners. Any “bidding in other ways” is beneficial to those who have a deeper understanding of the blockchain and can use private relays like bots, such as Flashbots or Eden, or even direct contact with miners.

Regardless of time period: A common situation is that first-come, first-served issuance will be announced at a specific block height and then sold out in a short time. No matter what block height is selected, it will always be detrimental to users in other time zones who are currently sleeping or working. Therefore, the release time should not be too short so that people can participate without changing their daily lives.

Gas saving: On- chain transactions (especially on Ethereum) are very expensive, so a good issuance should minimize the number of transactions that users must make.

Inclusiveness and resistance to sybil attacks: Under normal circumstances, it is in the best interest of the creators of the NFT to ensure that the issuance of NFTs is open to diverse holders, even if this results in the initial settlement price of the market being a bit low. This is because a vibrant community is the ultimate driving force for the value of collectibles in the secondary market.

No need to trust: Of course, having said so much, the issuance mechanism should be dedicated to maintaining the attributes of the underlying blockchain. This means that it must provide the aforementioned benefits without becoming a need for hosting or an excessive trust assumption for the operator.

Achieving security through concealment is bad design

Most distributions have one or more of the above-mentioned problems in theory, but in practice, there is not enough demand to make these problems surface. This is to achieve security through obscurity (security by obscurity).

For example, if the perceived market value of a new collectible is very low, there may not be a competition situation leading to a bidding war in the trading pool, there is no need to purchase priority block space, and predatory users have no incentive to use it. Similarly, if the demand for a new collection is too great, then the collection may soon be sold out, so that there is no time to write custom software for it or to undermine its fairness.

Although the security issues caused by too little or too much demand are worthy of attention, we believe that people’s design of distribution should always be robust under various market conditions, especially not relying on the rapid sale of collectibles. Means to protect them from looting.

Break down NFT issuance

Even though we now know what we want in a good release, we still don’t know how to achieve it. We can slowly reveal this path by breaking down what is actually happening at the bottom (or, as we will see, there are many paths).

Every NFT issuance has four core steps:

1. Bidding: When the sale goes online, users submit their bids to the operator (it can be a smart contract).

2. Settlement: The operator matches the collected bid with the remaining supply, determines the settlement price, and selects the bid that won the bid.

3. Distribution: The successful bidder can claim their newly minted NFT (or get them from the operator).

4. Reveal metadata: The operator reveals the attributes of the NFT.

For example, take a look at Loot. Loot is sold at block 13,108,877 on a first-come, first-served basis. The creator of this collection, dom, set the selling price to 0 on the smart contract, but users still need to bid through gas. In each block, miners settle new bids based on the remaining supply and decide who wins and who loses. When the bid is awarded, the user receives the item in the same transaction.

Most users only know its characteristics after receiving the item. However, in practice, an experienced user can read the characteristics of their items from the smart contract before casting, so that they can grab the rarest collectibles. This means that regardless of whether other steps occur sequentially or continuously, metadata must be revealed after the item has been purchased and the final settlement has been completed.

Next, we will explore the choices of NFT developers in each of these four steps. We discuss the impact of each choice on the desired attributes, and select good design choices from bad ones.

Phase 1: Bidding

At this stage, the operator collects bids from its users (for example, purchase requests)

Continuous settlement vs. Sequential settlement

Before doing other things, operators must decide whether they want bidding and settlement to be in the same or two non-overlapping stages.

Any first-come, first-served fixed price sale (this is the way most NFT issuances have been so far) is an example of continuous settlement. For each block, the miner looks at the bids and settles them based on the remaining supply. There are several problems with this mechanism: If the operator overestimates the NFT settlement price, the item may not be sold if the price is too high. If the operator underestimates the NFT settlement price, the item may be too cheap, and users compete by speed (the person who can directly access the block space) or gas price (the person who can pay the most transaction fees to miners). As discussed, this resulted in a net loss from trading failures and largely benefited technically proficient participants. If you have to do this, the former can be resolved by routing all user transactions to Flashbots RPC, and allowing auctions to proceed in an environment where failed transactions do not consume costs.

When the second scheme is adopted, the bidding and settlement points are carried out in two non-overlapping stages. In practice, the operator first collects all the bids, then matches them with the available supply, and settles them in the market at a fair price. This method includes mechanisms such as batch auctions or lotteries. An example of this approach is Jay Pegs Auto Mart, which gives users a week before market settlement to submit their bids.

The sequential method has several advantages that meet our above goals:

1. No competition: users have enough time to submit their bids, and the results are determined by how much users are willing to pay, not by their speed or skill.

2. Regardless of time zone: This method respects people who work or live in other time zones

In addition, because there is no gas auction, there is no negative externality to other network users.

However, this method also has disadvantages, such as requiring more on-chain transactions (depending on the design of the auction) or reducing the fun of participants who now have to wait longer. We suggest not to extend the bidding period too long to alleviate the latter worry. It may not exceed 48 hours.

On-chain vs. off-chain bidding

After deciding whether to settle continuously or sequentially, the next choice is whether users submit their bids off-chain or on-chain.

As we will see, today’s issuance often collects bids on the chain, because this is the simplest, which can effectively allow miners to settle the winning bids and let the rest fail. If we assume that the network itself is not censored, then there is a strong guarantee that no valid bid will be missed in the sale.

However, it is also possible to collect bids off-chain. In this process, users use their private keys to sign a message containing things like their on-chain address, the number of tokens or the tickets they want to buy, their highest bid, etc. They send this message to the operator instead of executing it on the chain, using their signature to prove its validity.

Then, the operator can use these bids for settlement in the off-chain market, or bundle the winning bids and submit them to the execution contract on the chain. No matter which method is adopted, a certain degree of trust in the operator is required to execute the correct bid.

The last method combines off-chain bid collection and on-chain selection of winners, which is robust, gas-saving and flexible. The only thing users need to trust is that operators will not miss out when submitting bids on the chain-this is a relatively weak assumption.

Who can bid

The third decision to be made is who can bid and how much. As discussed in Target Inclusion and Resistance to Sybil Attacks, the project may want to ensure that different users can purchase their items. To this end, they may limit the number of items that users with specific characteristics can purchase, or reserve items specifically for holders of the existing NFT community.

When bidding happens off-chain, such KYC rules are easy to enforce-you only need to ask users to prove certain information before they submit their signatures to the server. On-chain KYC is more complicated, but Gitcoin’s privacy protection measures Proof of Personhood are making progress.

Even if a project does not want any form of KYC, they can still take steps to ensure that one dollar can buy the same number of tokens for large users and small users. This rule is often violated when the contract allows users to purchase or claim many NFTs in the same transaction, because the giant whale can amortize the gas fee among more tokens, so each token pays less than small users. In order to mitigate this impact, it is a good idea to set an upper limit on the number of tokens for each address or transaction.

Bid cost

In addition, the operator must decide when the user pays for the token-together with the bid, or after the market settles?

In the latter case, users only keep the tokens in the bidding stage, the market settles, and then they can complete the purchase within a certain time window. The Parallel project uses this method, plus off-chain bidding. Although it works well in a relatively quiet market, when the demand is high, this model will enter a competitive state, and users will want to keep as many tokens as possible because there is no cost to do so.

In order to alleviate the problem of the competition situation, the bid itself should involve a cost. The best solution here is to allow users to submit bids only after locking funds in the smart contract at the same address. The operator can then decide whether to refund the funds (similar to an exchange’s limit order) or keep the bid (similar to a raffle ticket that has not been paid) if the bid is unsuccessful.

Granularity of bids

Finally, operators must decide how granular they want users to express in their bids. When there are unsuccessful bids (because supply exceeds demand), people must further decide on the definition of winners and unsuccessful bidders. There are three possible options:

“Fool-style” batch bidding: People submit a certain amount of ETH without further instructions. In the settlement stage, the number of items is divided by the total ETH submitted, and then everyone gets fragmented tokens in the form of ERC-20, which can then be exchanged for ERC-721 NFT. Jay Pegs Auto Mart uses this method, and its advantage is that there are no failed bids. However, its drawback is that it requires three additional on-chain transactions-two for sale or purchase of tokens to reach a useful quantity (for example, a “full” ERC-20), and one for redemption NFT. Most importantly, this method does not allow buyers to express that they want the price of a certain number of tokens-this is a feature that people expect in almost every market.

“Smart” batch bidding: A few years ago, SpankChain used a similar but arguably better method for its ICO. Unlike Jay Peg, SpankChain collects bids that allow specifying the number of tokens and the unit price of tokens. After the bidding stage, they calculated an off-chain execution price and mentioned a smart contract together with the winning bid. If they win, people can propose SPANK, and if they fail, people can withdraw ETH. The disadvantage of this method is that the calculation of matching all bids is so complicated that it can only be done off-chain, which requires a certain degree of trust in the operator.

Lottery draw: Finally, operators can use a lottery draw, where users make bids by buying tickets or booking. Then the winner is randomly drawn from the pool of all votes. In this way, the user will either get a complete token or get nothing, saving the three additional transactions required for Jay Peg’s $DONA. Those small wallets that are difficult to pay for a full NFT can also participate. However, it introduces randomness in the sale, some users like it, and some don’t.

Phase 2: Settlement

At this stage, the operators (or their representatives) match the bids based on the available supply and decide who can buy the items and who cannot.

On-chain vs. off-chain settlement

The last major node is who will select the winning bidder from all bid pools. In the first-come-first-served model, this is done by the miners, and we have already explained the problems with this method.

In Jay Peg’s settlement mechanism, its computational complexity is low enough to be performed on the chain in a completely trustless manner.

In the model of SpankChain, the winning bidder is selected completely off-chain. Although bidders cannot trade at a price higher than they want (smart contracts ensure this), they must trust that the operator will not push them to the highest transaction price, similar to the sandwich attack in decentralized exchanges. working principle.

Lottery is the easiest way to settle, because you only need a simple random number (for example, Chainlink’s VRF). However, the need for randomness also introduces another trust hypothesis: whoever generates this randomness may be biased towards their own bids rather than others. On the contrary, it is impossible for the winning bid to be the highest bid.

Phase 3: Distribution

After settlement, operators must cast tokens, distribute them to users, and return all failed bids if they choose this model. This step is generally related to gas efficiency and preventing competition from happening.

Instant settlement vs. interval settlement

If operators want to prevent their users from receiving NFTs at the same time, causing gas fees to skyrocket, they can use the randomness of the settlement process again to allow people to receive them in batches. This solves the problem of collective action, because users are better not to collect them all at the same time. Nevertheless, the curiosity about metadata and the idea of ​​being the first to sell on the secondary market may end up in competition. In other words, the interval settlement method will also increase the waiting time for users.

Receive vs. Receive Token

The only thing to mention in terms of distribution is whether users have to collect the tokens themselves, or the operator can simply issue tokens to users within a period of time. The latter is a variant of interval settlement, but it has the additional benefit of users not having to do anything. The Parallel release mentioned in the previous article used this method, and it worked well. They only required users to add a “delivery fee” when they paid the NFT at the beginning.

Phase 4: Reveal the metadata

Finally, when a token is distributed, its metadata will be revealed. In the four stages of NFT issuance, this step must be the last. It also cannot be carried out with other steps at the end (for example, bundle payment, distribution, and disclosure in the same transaction like Meebit), because by rolling back transactions to re-disrupt items with bad attributes, fairness will be affected. destroy. There must be at least one block interval between payment and reveal, making re-scrambling impossible. Of course, you can choose to increase this interval to prevent reorganization.

When to reveal the original data

We have now determined that casting an NFT and revealing its metadata cannot occur in the same transaction, which raises the question of when to reveal it. This is not only important for fairness, but also related to user experience and gas efficiency. Generally speaking, there are three options:

Reveal the complete collection: In a complete collection reveal, the operator waits until all the NFTs in the collection set have been cast before revealing the metadata. This method is very gas-saving, only a random number is needed, and then it can be used to shuffle the metadata of the ticket ID without further operation by the user.

However, it has a significant disadvantage, that is, users have to wait until all NFTs have been minted to see the metadata of their tokens. If someone sets an upper limit on when to reveal the metadata (for example, 24 hours), some users may not have time to cast, and the entire collection of collections cannot be sold.

NFT reveal one by one: In order to improve the user experience of revealing the complete collection of collections, operators can also allow users to reveal randomness one NFT by one. This is more attractive because users can “open” their items immediately after purchase. It also allows “unopened” items to be traded on the secondary market (this is popular in trading card games such as MTG).

However, the burden of this method is that users need to perform additional on-chain transactions, such as calling Chainlink VRF and applying a random number to their NFT. This is inevitable even for users who don’t feel particularly eager to reveal or are not so interested in the unopened items in the transaction.

Batch disclosure: As a potential middle ground, we propose the concept of batch disclosure. In this way, users have an indefinite period of time to do casting, but they can also reveal it in the next block if they want. Each new random number requested will automatically reveal the metadata of all minted and awaiting distribution items, and the cost of revealing them is almost the same and constant.

Therefore, time-conscious users can choose to pay for additional on-chain transactions to reveal metadata, which is good for all their previous users. If no user chooses to reveal, the operator can also reveal according to a certain timetable, for example, once every hour.

Sources of randomness

After deciding when to reveal, the remaining question is where to obtain randomness. The two recommended options are to use Chainlink VRF or a commit-reveal scheme.

Using the former, you can access a verifiable source of randomness on the chain. Using any disclosure mechanism, you can call Chainlink to request randomness, and once it is satisfied, use the randomly generated number as an input for your metadata calculation. This will ensure that it is random for each NFT.

For the latter, operators can create a random number (for complete disclosure) or several random numbers (for individual NFT or batch disclosure) before the sale, and then submit their hash value in advance. When an NFT is minted, the operator can reveal these numbers, allowing anyone to verify their authenticity through the hash value. Nevertheless, this method also requires a certain degree of trust in operators, assuming that they will not use the privilege of knowing random numbers to cast the best NFTs. In order to minimize the need for trust, we suggest that a certain degree of independent randomization is required in the casting sequence.

In addition, for off-chain metadata, the operator does not submit a random number, but chooses to submit a hash value of the completed metadata (the id of all NFTs to the characteristics). This ensures that the metadata is predetermined and will not be modified during or after the casting process. Nevertheless, independent randomization in the casting sequence is necessary to prevent operators from exploiting their knowledge of the sequence and characteristics for profit.

The reference implementation we give

We have provided a reference implementation, which we believe is a good balance of all features and is easy to understand and adjust.

Bid: In our implementation, users can bid by buying raffle tickets. The duration of the lottery draw is determined by the operator (we recommend 24-48 hours). The price of each coupon includes gas and the price of each NFT, which is specified by the operator. The latter is used as a “margin” and all failed coupons will be refunded after market settlement. There are three ways to resist witch attacks: gas per transaction, capital cost of locked funds, and the upper limit of the number of coupons per address.

Settlement: Once the bidding period is over, a winner equal to the number of NFTs must be drawn from the pool where all the coupons are located. First, anyone can call collectEntropy() to obtain a random number from Chainlink VRF. This randomness is used in’shuffleEntries(),’ which performs Fisher-Yates Shuffle. Anyone can call this function to ensure that the liveness and gas cost can be socialized (such as the giant whales).

Distribution: After all the winning bidders are drawn, users have an indefinite period to receive NFT from their winning coupons and get a refund for the failed coupons. This situation all happened in the same transaction. Operators can now start withdrawing the proceeds of winning tickets.

Revealing metadata: Users can reveal the metadata of the NFT in a block after receiving it. Anyone can request a new random number, and it will automatically reveal the metadata of all items that have been minted and are waiting for distribution. This allows time-conscious users to pay for immediate disclosure, but benefits all users.


In this article, we give some real examples to illustrate how poorly designed NFT issuance can bring sub-optimal results to users. But when someone clearly defines their goals and takes time to deconstruct the actual steps of a release, many designs become possible-and almost all of them are more fixed-price, first-come-first-served, and network congestion than we are used to today. The sale came well.

If you have nothing to gain from this article, you can take a look at the following three rules:

  • Indestructible fairness is the most critical feature of NFT issuance with random metadata. Use strong randomness, and never reveal the metadata of an NFT before the NFT is purchased and settled.
  • The competition situation harms the interests of users, regardless of whether they participate in casting or not. Use sequential bidding and settlement (for example, lottery or batch auctions) to solve this problem.
  • Consider cost-effectiveness from the first minute. Ask whether any steps currently occurring on the chain can also occur off-chain to save your users money. The off-chain steps can include bidding and market settlement, provided that users can establish a certain degree of trust in the operator. It may be considered to be carried out in batches during the disclosure stage.

We hope to see NFT developers start experimenting with some of these ideas to develop more diverse distributions. Finally, we would like to thank those who have been sharing suggestions with the NFT community to help improve the quality of issuance:

  • Vitalik -Provides its interpretation of first-come, first-served fixed price sales
  • FairDrop-shared their proof of concept design for fair draw
  • dotta-provide suggestions for building a powerful front-end
  • Jay Pegs Auto Mart and SpankChain-Demonstrate novel bidding methods
  • Parallel-Demonstrates the best practice of off-chain lottery draw
  • 0xmons-provides advice and tools on designing fair distribution

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Leave a Reply