We know that in MetaMask, when you generate a new account, you will get a set of mnemonics.

This article will explain the process of generating mnemonics.

Let’s see the code first.

function genMnemonic() {
    const randomWallet = ethers.Wallet.createRandom();
    const mnemonic = randomWallet.mnemonic.phrase;
    console.log(mnemonic);
    return mnemonic;
}

static createRandom(provider?: null | Provider): HDNodeWallet {
    const wallet = HDNodeWallet.createRandom();
    if (provider) { return wallet.connect(provider); }
    return wallet;
}

static createRandom(password?: string, path?: string, wordlist?: Wordlist): HDNodeWallet {
    if (password == null) { password = ""; }
    if (path == null) { path = defaultPath; }
    if (wordlist == null) { wordlist = LangEn.wordlist(); }
    const mnemonic = Mnemonic.fromEntropy(randomBytes(16), password, wordlist)
    return HDNodeWallet.#fromSeed(mnemonic.computeSeed(), mnemonic).derivePath(path);
 }
 
static fromEntropy(_entropy: BytesLike, password?: null | string, wordlist?: null | Wordlist): Mnemonic {
    const entropy = getBytes(_entropy, "entropy");
    const phrase = entropyToMnemonic(entropy, wordlist);
    return new Mnemonic(_guard, hexlify(entropy), phrase, password, wordlist);
}

function entropyToMnemonic(entropy: Uint8Array, wordlist?: null | Wordlist): string {

    assertArgument((entropy.length % 4) === 0 && entropy.length >= 16 && entropy.length <= 32,
        "invalid entropy size", "entropy", "[ REDACTED ]");

    if (wordlist == null) { wordlist = LangEn.wordlist(); }

    const indices: Array<number> = [ 0 ];

    let remainingBits = 11;
    for (let i = 0; i < entropy.length; i++) {

        // Consume the whole byte (with still more to go)
        if (remainingBits > 8) {
            indices[indices.length - 1] <<= 8;
            indices[indices.length - 1] |= entropy[i];

            remainingBits -= 8;

        // This byte will complete an 11-bit index
        } else {
            indices[indices.length - 1] <<= remainingBits;
            indices[indices.length - 1] |= entropy[i] >> (8 - remainingBits);

            // Start the next word
            indices.push(entropy[i] & getLowerMask(8 - remainingBits));

            remainingBits += 3;
        }
    }

    // Compute the checksum bits
    const checksumBits = entropy.length / 4;
    const checksum = parseInt(sha256(entropy).substring(2, 4), 16) & getUpperMask(checksumBits);

    // Shift the checksum into the word indices
    indices[indices.length - 1] <<= checksumBits;
    indices[indices.length - 1] |= (checksum >> (8 - checksumBits));

    return wordlist.join(indices.map((index) => (<Wordlist>wordlist).getWord(index)));
}

May be you will find the code is too long to understand. Let’s split it.

Before splitting. You should first know the basic steps of generating mnemonics

1. generate random 16 bytes array

2. split 16 bytes array to 11 bits array

3. map every 11 bits data to a word

What is mnemonics

Mnemonics is s a set of easy words to help user to remember their account.

There are 2048 words in all mnemonics datasource, and each account has 12/24 mnemonics.

So if we want to map a number to a mnemonics, this number should be a 11 bit data. Cause 11 bit data can get 2048 different numbers.

Generate random data

So, every mnemonic should be represented by 11 bits

The code use randomBytes(16) to generate a uint8array.

You will get 16 bytes, every bytes has 8 bit. So you will get totally 16 * 8 = 128 bits.

Well, now you can slip 128 bits to 11 * 11 bits. But we need 12 mnemonics, there are only 11 words.

We need 132 bits to split to 12 mnemonics(132 / 11 = 12). We need 4 more bits to fill it.

That’s the checksum, every 32 bits should have a bit of checksum.

Split bytes

This picture explain how to change the random bytes into the list of mnemonics.

Actually the function entropyToMnemonic is the implemented code.

function entropyToMnemonic(entropy: Uint8Array, wordlist?: null | Wordlist): string {
    assertArgument((entropy.length % 4) === 0 && entropy.length >= 16 && entropy.length <= 32,
        "invalid entropy size", "entropy", "[ REDACTED ]");

    if (wordlist == null) { wordlist = LangEn.wordlist(); }

    const indices: Array<number> = [ 0 ];
        // every mnemonic need 11 bits to map word
    let remainingBits = 11;
    for (let i = 0; i < entropy.length; i++) {
        // 
        if (remainingBits > 8) {
            indices[indices.length - 1] <<= 8;
            indices[indices.length - 1] |= entropy[i];

            remainingBits -= 8;

        // This byte will complete an 11-bit index
        } else {
            indices[indices.length - 1] <<= remainingBits;
            indices[indices.length - 1] |= entropy[i] >> (8 - remainingBits);

            // Start the next word
            indices.push(entropy[i] & getLowerMask(8 - remainingBits));

            remainingBits += 3;
        }
    }

    // Compute the checksum bits
    const checksumBits = entropy.length / 4;
    const checksum = parseInt(sha256(entropy).substring(2, 4), 16) & getUpperMask(checksumBits);

    // Shift the checksum into the word indices
    indices[indices.length - 1] <<= checksumBits;
    indices[indices.length - 1] |= (checksum >> (8 - checksumBits));

    return wordlist.join(indices.map((index) => (<Wordlist>wordlist).getWord(index)));
}

indices[indices.length - 1] <<= 8; let the data left shift 8 bits to allow the next byte(8bit) to have a position to insert.

indices[indices.length - 1] |= entropy[i] >> (8 - remainingBits); insert the remained bits of a byte.

remainingBits += 3; seems confusing, we can derive this formula.

nextRemainingBits = 11 - (8 - lastRemainingBits)

So,

nextRemainingBits = 11 - 8 + lastRemainingBits = 3 + lastRemainingBits

CheckSum

indices[indices.length - 1] <<= checksumBits; indices[indices.length - 1] |= (checksum >> (8 - checksumBits));

Finally, when the randomBytes has been split, there are still 4 bits(16/4) need to fill.

It is filled by the high 4 bits of checksum.

Checksum just need the first 8 bits of sha256(entropy).

sha256(entropy).substring(2, 4) may be confusing. Actually sha256 return a string like this “0x1a2b3c”, we need to exclude 0x, so we need the substring(2,4).

And then, we will get the high CheckSumbits of Checksum, then add it into the low CheckSumBits bit of finally mnemonic

Actually you can simply understand the ERC-721 is NFT.

This is the link of EIP-721.https://eips.ethereum.org/EIPS/eip-721

Official explanation of ERC-721 is “Non-Fungible Token”, which means every token is specially. That means you can use NFT to represent unique image, stock, or even real estate.

Practical Application

You can find plenty of tutorial of ERC-721. And this blog will show you the practical application.

Fist of all, let’s see the solidity code of a contract which implemented the ERC-721 protocol.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721URIStorage, ERC721} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";

contract Merkamigos is ERC721URIStorage {
    uint256 private _nextTokenId;

    constructor() ERC721("Merkamigos", "MKG") {}
}

It’s very easy to implement the ERC-721 by inheriting the ERC721URIStorage, but we want to find out what is happening in it.

Let’s see the constructor first.

constructor()

When the contract was deployed, the constructor() would be executed.

And you may confuse of the grammar.

In solidity, if a contract inherit from the parent contract, and it’s parent contract has a constructor function with parameters, it is necessary to call the parent contract constructor within the child contract constructor and provide parameters.

constructor() ERC721("Merkamigos", "MKG") {}

Now let’s see the constructor() of it’s father contract.

abstract contract ERC721 is Context, ERC165, IERC721, IERC721Metadata, IERC721Errors {
    using Strings for uint256;

    // Token name
    string private _name;

    // Token symbol
    string private _symbol;

    /**
     * @dev Initializes the contract by setting a `name` and a `symbol` to the token collection.
     */
    constructor(string memory name_, string memory symbol_) {
        _name = name_;
        _symbol = symbol_;
    }

    /// @inheritdoc IERC721Metadata
    function name() public view virtual returns (string memory) {
        return _name;
    }

    /// @inheritdoc IERC721Metadata
    function symbol() public view virtual returns (string memory) {
        return _symbol;
    }
    
     /**
     * ......
     */
}

We can find the private parameters: _name and _symbol.

_name is the name of NTF and _symbol is the symbol of NTF.

In OpenSea, you can find all NTF have the name and symbol, it is achieved by these two parameters’s getter function, name() and symbol().

And our example contract is named as ‘Merkamigos’ and symboled as ‘MKG’.

Public functions

We find that there is no other function of parameter in our example contract. It is caused by

father contract-ERC721URIStorage and ERC-721.

We can explicitly find the public function on REMIX.

!image.png

approve

abstract contract ERC721 is Context, ERC165, IERC721, IERC721Metadata, IERC721Errors {		
        /// @inheritdoc IERC721
    function approve(address to, uint256 tokenId) public virtual {
        _approve(to, tokenId, _msgSender());
    }
        /**
     * @dev Approve `to` to operate on `tokenId`
     *
     * The `auth` argument is optional. If the value passed is non 0, then this function will check that `auth` is
     * either the owner of the token, or approved to operate on all tokens held by this owner.
     *
     * Emits an {Approval} event.
     *
     * Overrides to this logic should be done to the variant with an additional `bool emitEvent` argument.
     */
    function _approve(address to, uint256 tokenId, address auth) internal {
        _approve(to, tokenId, auth, true);
    }

    /**
     * @dev Variant of `_approve` with an optional flag to enable or disable the {Approval} event. The event is not
     * emitted in the context of transfers.
     */
    function _approve(address to, uint256 tokenId, address auth, bool emitEvent) internal virtual {
        // Avoid reading the owner unless necessary
        if (emitEvent || auth != address(0)) {
            address owner = _requireOwned(tokenId);

            // We do not use _isAuthorized because single-token approvals should not be able to call approve
            if (auth != address(0) && owner != auth && !isApprovedForAll(owner, auth)) {
                revert ERC721InvalidApprover(auth);
            }

            if (emitEvent) {
                emit Approval(owner, to, tokenId);
            }
        }

        _tokenApprovals[tokenId] = to;
    }
}

The caller can use approve() to specify another address to own the auth of controlling the token. _tokenApprovals records the mapping of tokenId to approvals. Notice that there is only an address can be approved to a token.

SafeTransferFrom

abstract contract ERC721 is Context, ERC165, IERC721, IERC721Metadata, IERC721Errors {		
        /// @inheritdoc IERC721
    function safeTransferFrom(address from, address to, uint256 tokenId) public {
        safeTransferFrom(from, to, tokenId, "");
    }

    /// @inheritdoc IERC721
    function safeTransferFrom(address from, address to, uint256 tokenId, bytes memory data) public virtual {
        transferFrom(from, to, tokenId);
        ERC721Utils.checkOnERC721Received(_msgSender(), from, to, tokenId, data);
    }
}

The safeTransferFrom apply four parameters.

In the safeTransferFrom function, it calls transferFrom first.

/// @inheritdoc IERC721
    function transferFrom(address from, address to, uint256 tokenId) public virtual {
        if (to == address(0)) {
            revert ERC721InvalidReceiver(address(0));
        }
        // Setting an "auth" arguments enables the `_isAuthorized` check which verifies that the token exists
        // (from != 0). Therefore, it is not needed to verify that the return value is not 0 here.
        address previousOwner = _update(to, tokenId, _msgSender());
        if (previousOwner != from) {
            revert ERC721IncorrectOwner(from, tokenId, previousOwner);
        }
    }
    
    function _update(address to, uint256 tokenId, address auth) internal virtual returns (address) {
        address from = _ownerOf(tokenId);

        // Perform (optional) operator check
        if (auth != address(0)) {
            _checkAuthorized(from, auth, tokenId);
        }

        // Execute the update
        if (from != address(0)) {
            // Clear approval. No need to re-authorize or emit the Approval event
            _approve(address(0), tokenId, address(0), false);

            unchecked {
                _balances[from] -= 1;
            }
        }

        if (to != address(0)) {
            unchecked {
                _balances[to] += 1;
            }
        }

        _owners[tokenId] = to;

        emit Transfer(from, to, tokenId);

        return from;
    }
    
    function _checkAuthorized(address owner, address spender, uint256 tokenId) internal view virtual {
        if (!_isAuthorized(owner, spender, tokenId)) {
            if (owner == address(0)) {
                revert ERC721NonexistentToken(tokenId);
            } else {
                revert ERC721InsufficientApproval(spender, tokenId);
            }
        }
    }
    
    /**
     * @dev Returns whether `spender` is allowed to manage `owner`'s tokens, or `tokenId` in
     * particular (ignoring whether it is owned by `owner`).
     *
     * WARNING: This function assumes that `owner` is the actual owner of `tokenId` and does not verify this
     * assumption.
     */
    function _isAuthorized(address owner, address spender, uint256 tokenId) internal view virtual returns (bool) {
        return
            spender != address(0) &&
            (owner == spender || isApprovedForAll(owner, spender) || _getApproved(tokenId) == spender);
    }

In transferFrom, it first checks if the to address is 0.

Then it calls update() to check if the caller has auth to control the NTF.

In _checkAuthorized() , the function check if the caller is the owner of NTF, or if the caller has been approved by the owner of NFT.

Then it calls _approve(address(0), tokenId, address(0), false); to clear the approve of the NFT. Because when the NTF has been transferred, the old approvers should be cleared to avoid old approvers can still control the NFT without the permission from new owner.

Then, it add 1 on the new owner’s balance, and reduce 1 on the old owner’s balance. Then it declares the NTF’s owner has been changed.

Finally, it calls ERC721Utils.checkOnERC721Received to check if the to address can accept the NFT. Notion that only the contract address should be checked.

if (to.code.length > 0) {
            try IERC721Receiver(to).onERC721Received(operator, from, tokenId, data) returns (bytes4 retval) {
                if (retval != IERC721Receiver.onERC721Received.selector) {
                    // Token rejected
                    revert IERC721Errors.ERC721InvalidReceiver(to);
                }
            } catch (bytes memory reason) {
                if (reason.length == 0) {
                    // non-IERC721Receiver implementer
                    revert IERC721Errors.ERC721InvalidReceiver(to);
                } else {
                    assembly ("memory-safe") {
                        revert(add(reason, 0x20), mload(reason))
                    }
                }
            }
        }

Every contract which can receive NFT should achieve onERC721Received function and return the specific data- bytes4(keccak256("onERC721Received(address,address,uint256,bytes)"));

If the contract does not achieve the function, it will throw an error.

setApprovalForAll

/// @inheritdoc IERC721
    function setApprovalForAll(address operator, bool approved) public virtual {
        _setApprovalForAll(_msgSender(), operator, approved);
    }
    
    /**
     * @dev Approve `operator` to operate on all of `owner` tokens
     *
     * Requirements:
     * - operator can't be the address zero.
     *
     * Emits an {ApprovalForAll} event.
     */
    function _setApprovalForAll(address owner, address operator, bool approved) internal virtual {
        if (operator == address(0)) {
            revert ERC721InvalidOperator(operator);
        }
        _operatorApprovals[owner][operator] = approved;
        emit ApprovalForAll(owner, operator, approved);
    }

When some address x calls the setApprovalForAll, it can specify an address to control all NFTs of the owner address x.

This function do not need to check the ownership cause the owner is the caller, the caller do not have the motivation to attack itself.

Summary

In this article, we introduce all state-changing ****function in ERC-721.

We will introduce the view/pure function in ERC-721 in next article.

In this article, I will summary some gas optimization tips.

1 Storage Optimization

In Ethereum, storage data is written in contract account, which will cost the most gas fee.

1.1 Reduce writing storage data

We can use memory to storage middle data, instead of always writing storage data.

uint256 a = storageVar;  // read storage
a += 10;                  // memory operation
storageVar = a;           // write storage

1.2 Merge Variable

Solidity aligns storage slots on 32-byte boundaries, multiple uint8 or bool values can be packed into the same slot.

struct Packed {
    uint128 a;
    uint128 b;
}

1.3 Use memory instead of Storage

Use memory instead of Storage except the storage variable is necessary.

2 For-each Optimization

Use mapping instead of for-each searching array.

Mapping does not occupy continuous storage space, and read/write operations are relatively inexpensive.

3 Function call Optimization

3.1 Short circuit

If there are other judgment conditions before function call, we can prioritize judgment of prerequisite conditions.

if (a > 10 && expensiveCheck()) { ... }

3.2 Function modifier

External is cheaper than Public.

Pure and View not cost gas fee.

4 Data type Optimization

Use minimum sufficient data type. Like uint8, uint16 are more storage space-efficient than uint256.

5 Event Optimization

5.1 Index

Use as little as possible indexed parameter.

Index will cost more gas fee.

5.2 Emit

Avoid frequent emit large events

6 Contract Structure Optimization

6.1 Use contract library

6.2 Inheritance chain flattening

Multi-level inheritance will increase deployment Gas.

7 Bytes And Array

7.1 Bytes is more efficient than string

7.2 Swap And Pop

Use swap-and-pop instead of dynamic deletion.

But this way will disorder the sequence.

function remove(uint index) public {
    arr[index] = arr[arr.length - 1];
    arr.pop();
}

8 Unchecked

Using unchecked to skip overflow checking can save gas fee.

unchecked { i++; }

https://share.cryptozombies.io/zh/lesson/2/share/kevin?id=Y3p8NjIzMTk2

In this section, I will show my new contract and the knowledge behind the code.

pragma solidity ^0.4.19;

contract ZombieFactory {

    event NewZombie(uint zombieId, string name, uint dna);

    uint dnaDigits = 16;
    uint dnaModulus = 10 ** dnaDigits;

    struct Zombie {
        string name;
        uint dna;
    }

    Zombie[] public zombies;

    mapping (uint => address) public zombieToOwner;
    mapping (address => uint) ownerZombieCount;

    function _createZombie(string _name, uint _dna) internal {
        uint id = zombies.push(Zombie(_name, _dna)) - 1;
        zombieToOwner[id] = msg.sender;
        ownerZombieCount[msg.sender]++;
        NewZombie(id, _name, _dna);
    }

    function _generateRandomDna(string _str) private view returns (uint) {
        uint rand = uint(keccak256(_str));
        return rand % dnaModulus;
    }

    function createRandomZombie(string _name) public {
        require(ownerZombieCount[msg.sender] == 0);
        uint randDna = _generateRandomDna(_name);
        randDna = randDna - randDna % 100;
        _createZombie(_name, randDna);
    }

}

pragma solidity ^0.4.19;
import "./zombiefactory.sol";
contract KittyInterface {
  function getKitty(uint256 _id) external view returns (
    bool isGestating,
    bool isReady,
    uint256 cooldownIndex,
    uint256 nextActionAt,
    uint256 siringWithId,
    uint256 birthTime,
    uint256 matronId,
    uint256 sireId,
    uint256 generation,
    uint256 genes
  );
}
contract ZombieFeeding is ZombieFactory {

  address ckAddress = 0x06012c8cf97BEaD5deAe237070F9587f8E7A266d;
  KittyInterface kittyContract = KittyInterface(ckAddress);

  function feedAndMultiply(uint _zombieId, uint _targetDna, string _species) public {
    require(msg.sender == zombieToOwner[_zombieId]);
    Zombie storage myZombie = zombies[_zombieId];
    _targetDna = _targetDna % dnaModulus;
    uint newDna = (myZombie.dna + _targetDna) / 2;
    if (keccak256(_species) == keccak256("kitty")) {
      newDna = newDna - newDna % 100 + 99;
    }
    _createZombie("NoName", newDna);
  }

  function feedOnKitty(uint _zombieId, uint _kittyId) public {
    uint kittyDna;
    (,,,,,,,,,kittyDna) = kittyContract.getKitty(_kittyId);
    feedAndMultiply(_zombieId, kittyDna, "kitty");
  }

}

Inheritance

contract ZombieFeeding is ZombieFactory {}

When we create a contract with “is”, it is called inheritance.

And in son contract, we can call function or member variables in father contract.

Address

Hexadecimal literals that pass the address checksum test is address.

The msg.sender also return an address.

We can also get a contract on chain by address.

Interface

contract KittyInterface {
  function getKitty(uint256 _id) external view returns (
    bool isGestating,
    bool isReady,
    uint256 cooldownIndex,
    uint256 nextActionAt,
    uint256 siringWithId,
    uint256 birthTime,
    uint256 matronId,
    uint256 sireId,
    uint256 generation,
    uint256 genes
  );
}

Interface looks like a common contract, but the function in interface don’t have body. The function in interface only has the declaration.

And we can call the contract by interface like this.

KittyInterface kittyContract = KittyInterface(ckAddress);
 (,,,,,,,,,kittyDna) = kittyContract.getKitty(_kittyId);

keccak256

In solidity, we can only compare if the strings are equal by keccak256.

keccak256 is a hash algorithm.

And this is my crypto zombie. You can click this link to see it.

https://share.cryptozombies.io/zh/lesson/1/share/kevin?id=Y3p8NjIzMTk2

In this section, I will show my contract and the knowledge behind the code.

pragma solidity ^0.4.19;

contract ZombieFactory {

    event NewZombie(uint zombieId, string name, uint dna);

    uint dnaDigits = 16;
    uint dnaModulus = 10 ** dnaDigits;

    struct Zombie {
        string name;
        uint dna;
    }

    Zombie[] public zombies;

    function _createZombie(string _name, uint _dna) private {
        uint id = zombies.push(Zombie(_name, _dna)) - 1;
        NewZombie(id, _name, _dna);
    }

    function _generateRandomDna(string _str) private view returns (uint) {
        uint rand = uint(keccak256(_str));
        return rand % dnaModulus;
    }

    function createRandomZombie(string _name) public {
        uint randDna = _generateRandomDna(_name);
        _createZombie(_name, randDna);
    }

}

Version

At the top of the contract, there is a version of solidity.

pragma solidity ^0.4.19;

The version can help complier check if it’s version is match the code.

Type

uint dnaDigits = 16;

Here is the type in solidity.

booleans

The value of booleans are constants true and false.

integers

There are int and uint to distinguish signed or un signed.

And there are int8, int16, int24… to int256, the step is 8. So as uint.

int and uint is the aliases of int256 and uint256.

string

strings are written by quotes like “hello”

Operator

There are basic operators in solidity like + - * / %.

Especially, ** means exponentiation.

Struct

struct Zombie {
    string name;
    uint dna;
}

In solidity, we can define our own type by struct.

And we can also define member variables in the struct.

Array

Zombie[] public zombies;
uint id = zombies.push(Zombie(_name, _dna)) - 1;

If we need to define array, we can use [] behind the type like this.

The array variable contains the function push. Which can add an element in to the array and return the length of array now.

Function

function _generateRandomDna(string _str) private view returns (uint) {
    uint rand = uint(keccak256(_str));
    return rand % dnaModulus;
}

Function is a block of codes which can be executed.

The declaration of func is

function (<parameter types>) {internal|external} [pure|view|payable] [returns (<return types>)]

pure function can not achieve any variable in the contract.

and view function can only watch but can’t change the variable of contract.

Event

event NewZombie(uint zombieId, string name, uint dna);

function _createZombie(string _name, uint _dna) private {
    uint id = zombies.push(Zombie(_name, _dna)) - 1;
    NewZombie(id, _name, _dna);
}

If we want do something when the solidity was executed, we can use event.

The javascript can listening the event in contract.