Nowadays everybody’s focus seems to be on general-purpose smart contract blockchains, particularly Ethereum.

That makes sense, the entrance barrier is not too high, solidity is fairly simple, the costs to deploy a Dapp is low, a lot of dev tools are available and people in the space are familiar with it.

But every general-purpose blockchains comes at a cost, let’s see how.

If deployment of arbitrary code on a blockchain is allowed and no security measures are in place some troublesome code might be deployed, an example being a piece of code that runs forever. Some of this security measures might be familiar to you under the name of “gas fees”.

The issue should be quite clear. If a deployed Dapp is less general than the hosting blockchain (which must be the case) then the Dapp is paying for security measures it itself doesn’t need.

The comeback of blockchains development

The ecosystem efforts and resources seems to be focused on making Ethereum scale with the goal of lowering gas fees. For the reasons stated above to me this is approaching the problem from a dead angle. In addition to this all the so-called Layer 2 are making the ecosystem extremely complex from an UX point of view.

So what can we do?

What about Dapps building and running on their own self-tailored blockchains? This is what was happening in the cryptocurrencies space in the pre-ethereum era.

However, as seen in the past, taking this road comes with some issues:

1. Blockchains development requires great expertise to get right and great expertise is expensive.

2. Upgrading our Dapp would mean having to upgrade the blockchains which requires some degree community off-chain coordination.

3. Gathering a community of miners or validators to keep the blockchain safe and decentralised is also expensive and resource intensive.

4. Blockchains cannot communicate, which means our Dapp would be completely isolated from the world.

In the following sections we are going to tackle this 4 problems.

Substrate: problem 1 & 2.

Parity is a company that developed a Bitcoin client, an Ethereum client and the Polkadot client. By doing this they noticed most the code in the 3 clients was the same.

So they took the overlapping code and made a framework out of it: Substrate.

Blockchain development is easier

Substrate makes blockchain development way easier, the entrance barrier is still high but way lower than implementing a blockchain from scratch. Which means it solves problem 1: Blockchains development requires great expertise to get right and great expertise is expensive.

Forkless upgrades

In addition to this blockchains built using substrate allow for upgrades that can be deployed as a normal transaction. No forks needed. This gets rid of problem 2: Upgrading our Dapp would mean having to upgrade the blockchains which requires some degree community off-chain coordination.

Polkadot: problem 3 & 4.

Polkadot is a blockchain developed using substrate. It’s a so-called layer 0. It allows for other blockchains to attach to it.

Shared security

Blockchains connected to polkadot, called parachains, inherit it’s security and decentralization. Remember that a system is as secure as its weakest point. Connecting to polkadot is still expensive, but way less expensive than building your own community of miners and validators. This gets rid of problem 3: Gathering a community of miners or validators to keep the blockchain safe and decentralised is also expensive and resource intensive.

Interoperability

Blockchains connected to polkadot are able to communicate and send arbitrary messages to each other. This creates a rich ecosystem of blockchains that can interoperate with each other and gets rid of problem 4: Blockchains cannot communicate, which means our Dapp would be completely isolated from the world.

Conclusions

I believe Substrate and Polkadot are approaching the problem from a good angle. However the ecosystem is still ripe: it’s lacking tools for developers and the UX for non-technical people is kind of bad. As of now it’s probably not worth it to port your project to this ecosystem, but it’s worth keeping an eye on.

First of all, I don’t consider this person to necessarily be a skilled hacker. It’s probably just a random dev which was playing with opensea API. But how did he pull this off?

⚠️ Opensea API is now protected against this kind of attack.

The exploit in theory

Opensea allows for gas-free NFT listing via a user generated off-chain signature of the NFT collection, the NFT ID and the NFT price. When this signature is sent to a smart contract it triggers the selling for the price specified in the signature. This signature is stored on Opensea centralised databases, an anybody who has access to this signature can buy the NFT for the specified price. This wouldn’t be a problem in most cases.

The problem arose when the user generated multiple signatures for different prices for the same NFT. The Opensea interface only showed the signature for the higher price but the Opensea API also showed the signature for the lowest price.

This means that it was possible to buy NFTs for a lower price than the listed one if a signature with a lower price existed using Opensea APIs.

The exploit in practice

First we install opensea-js.

With this library we can interact with opensea API using NodeJS.

This is the code that can be used to get informations about selling orders on a specific NFT:

const { orders, count } = await seaport.api.getOrders({
    side: "1",
    asset_contract_address: "0xBC4CA0EdA7647A8aB7C2061c2E118A18a936f13D",
    token_ids: ["9991"],
});

After we run it the orders variable will contain a bunch of informations including something called basePrice:

{
...
"basePrice": "770000000000000000",
"extra": "0",
"currentBounty":
"100000000000",
"currentPrice": "84200000000000000000",
"createdTime": "1643912802",
"listingTime": "1643912697",
"expirationTime": "1646331916",
...
}

Wait. The basePrice is 770000000000000000 wei which is 0.77ETH but the listing price on the opensea interface is currentPrice which is 84.2ETH . There is something fishy going on here.

What happens if we try to buy this NFT with the opensea APIs? Let’s write the code to do this:

const order = orders[0];
const accountAddress = "0x...";
const transactionHash = await seaport.fulfillOrder({
  order,
  accountAddress,
});

Boom. We just bought an NFT valued at 84.2ETH for 0.77ETH. Now we just need to list it again for a quick ~83ETH.

The technology that allows a community of people to collectively own and manage a treasury lies in blockchains.

It’s possible to use a technology such as Ethereum to deploy a bunch of code which:

1. It’s able to own some assets (a treasury)

2. Creates a bunch of shares (a token) which represents ownership of the treasury

Once this code gets deployed members will all have access to a token which will represent their share in the DAO. How to distribute tokens is usually up to the founders or a pre-existing community.

In DAOs any member can make and vote proposals, which can then be voted on if you own some tokens.

Let’s suppose we make a proposal about building a website to sell bananas. If the proposal gets approved we can then have access to part of the treasury and start collaborating with other members of the DAO (or anyone, really) on how to bring the project to life. Fast forward 6 month and the website is live. We will probably receive some tokens for the value we added. In addition to that our contribution increased the net value of the whole DAO. In which, of course, you own a part.

Contributing to a DAO means your goal is to add as much value as possible based on the skillset you have and the goal of the DAO. You can potentially define your own role and your own responsibilities. You can contribute to multiple DAOs, join and leave when you prefer. It’s the ownership economy.