Buying NFTs on Solana (SOL) in relative safety
Updated 2021–10–06 (new version of Phantom)
When purchasing an NFT, you are interacting with a contract (on Solana they are called programs). That program could do a lot of things: mint an NFT, transfer funds, or even drain your entire wallet and transfer all your NFTs to someone else. YOU DO NOT KNOW FOR SURE WHAT THAT CONTRACT/PROGRAM WILL DO.
Later, I will go into looking over a transaction before hitting the approve button.
Scary, right? We need to limit our exposure. In security terms, we are limiting the impact of a malicious program: whatever it does, it can only touch what is in the wallet that signs the transaction.
What we want is to put just enough SOL into an isolated wallet for the mint to succeed: the stated mint price plus a small buffer for transaction costs, and nothing more. Anything extra sitting in that wallet is exposed to whatever the program decides to do.
The generally accepted buffer amount is 0.1 SOL; in reality the minting overhead is about 0.012 SOL (as of October 1st 2021). So, if you want to participate in a mint with a stated cost of 1 SOL, put 1.1 SOL in the burner wallet, or risk rejected transactions due to insufficient funds.
The wallet should have no NFTs, no other coins, nothing. (I know I am repeating myself. This is important!)
This is known as a burner wallet.
You can make as many burner wallets as you want. Thinking about buying 10 NFTs in the latest sale and want to limit your exposure? Make 10 burner wallets and put the same minimum amount in each. Once you have verified that the first transaction went through and you received the NFT, continue with the next one.
A problem with the current structure of NFT mints
Many NFT debut mints operate on a countdown timer. When the timer reaches 0 there is a mad dash as everyone tries to mint at the same time. The good part is that it builds a lot of hype. The bad part is that it creates perfect conditions for a malicious actor to take all the proceeds and give nothing back (a rugpull). These conditions also encourage Phantom users to turn on the infamous ‘auto-approve’ switch, which signs transactions from that site without showing the approval prompt, so nobody reads what they are signing. Note: Phantom recently moved the “Auto-Approve” option under Settings (the gear icon) → Trusted Apps. Auto-Approve is no longer offered when first connecting a wallet to a site. This is good for security, but it makes winning the NFT minting race next to impossible.
There have been several rugpulls recently with @soldoggo being a particularly bad one. Make sure to Do Your Own Research (DYOR).
Things that can help filter out some of the scams (DYOR/due diligence). Good signs:
• Well-known and respected team.
• Team has been building their project steadily over time.
• Good communication.
• Uses Discord, Twitter, possibly Telegram, or even Slack.
• Roadmap that looks realistic and possible. (A brand new project promising immersive VR with the Unreal 5 engine exclusively using their NFT in a few months is not real.)
• An active, engaged community that posts more than ‘wen mint’, ‘hi’, and ‘gm’ in discord/twitter.
• A great big plus — if they host a GitHub site where they post their work.
• Another great big plus — the devs/artists host streams where they discuss the project or show off their work.
• Plans to use standardized mint mechanisms like Metaplex.
Red flags:
- Constant viral campaigns to recruit more people. This is a personal pet peeve. I can’t have ‘Allow DMs’ turned on in Discord any more because of this. Many, many projects are guilty of it.
- Hiring Twitter and other social media shillers that guarantee followers. Quick hint: if the Twitter name has ‘shill’ in it, there is an issue!
- Very young Twitter/Discord account with thousands or tens of thousands of followers. This CAN happen organically, but it is unusual and should be traced back to what caused it. Was there a key influencer that gave a shout-out? Ok, as long as you are aware of the influencer.
- No website, a highly generic site, or no unique domain name. If the site is hosted on Wix or WordPress, it is probably safer to avoid. If the project is just starting and the mint is more than a month away, this may be ok. Otherwise: nope!
Things to look for before hitting ‘Approve’ for the Mint transaction
First, make sure you are using the official link to the minting page! Leading up to the sale, malicious actors will start sending DMs, posting on Twitter, possibly even e-mailing you, anything to get you to visit their scam page and send them your SOL instead. Know the official Twitter account, project Discord and website. Do not fall for a bad actor sending you a Direct Message with a pre-launch link or other garbage. These scams can look VERY convincing. DON’T BE FOOLED. If you aren’t sure, post in the official Discord about the possible scam and provide as much information as possible. NO MATTER WHAT, NEVER GIVE OUT YOUR SEED PHRASE FOR ANY WALLET, EVEN BURNER WALLETS. No one needs that information for any reason. NO EXCEPTIONS. If your personal deity comes down out of the clouds and offers you eternal bliss for your seed phrase, I want you to tell them @MadmanTimmy said they should go pound sand and to bring it up with him personally.
Ok, enough of that rant.
You are on the project website and ready to mint your NFT. What should you look for?
Just before hitting the “Approve” button, look over the transaction. A legitimate mint should show several things (shout out to @hoaktrades for coming up with this idea).
Several instructions should be visible (5 for a Metaplex Candy Machine mint, which most projects use). If you see only one instruction there is a huge problem: DO NOT PROCEED! This is what happened with the @soldoggo rugpull. The transaction contained ONE instruction, and that instruction was a plain SOL “TRANSFER”. Any guesses what TRANSFER does?
Bad shit, that’s what TRANSFER does.
You should see the following instructions for a legitimate mint transaction using Metaplex Candy Machine:
• Create Account
• Initialize Mint
• Create token account
• Mint to
• A fifth instruction that Phantom shows as ‘unknown’. I’ve seen people say you will see ‘Mint Nft’, but that label does not appear. The thing to look for is the Program Id, which should start with “cndy”. See below circled in red. One caveat: a four-character prefix is cheap to generate as a vanity address, so when you can, compare the full Program Id against the Candy Machine program id that Metaplex publishes, not just the first four characters.
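As an added example (written for this post; it is not Phantom’s code and not from the original article), here is the checklist above as a small script. It treats the instruction list a wallet displays as plain objects with a programId and the label the wallet gives it. The System, SPL Token and Associated Token program ids are the real ones; the Candy Machine id is assumed to be the v1 id from late 2021 and must be checked against Metaplex’s published value. The third sample shows why the ‘starts with cndy’ rule alone is weak: a ground vanity prefix passes the prefix test and only fails when the full id is compared.

```javascript
// Added example (not Phantom's code, not from the original post): a pre-approval
// sanity check over the instruction list a wallet shows for a Metaplex Candy
// Machine (v1) mint. Each instruction is { programId, name } in display order.

const SYSTEM_PROGRAM = "11111111111111111111111111111111";          // Solana System Program
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";  // SPL Token program
const ATA_PROGRAM = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL";   // Associated Token Account program
// Assumed to be the Candy Machine v1 program id in Oct 2021; verify against Metaplex's docs.
const CANDY_MACHINE_V1 = "cndyAnrLdpjq1Ssp1z8xxDsB8dxe7u4HL5Nxi2K5WXZ";

const EXPECTED_NAMES = ["Create Account", "Initialize Mint", "Create token account", "Mint to"];

// Returns { ok, reasons }. Pass the published Candy Machine id to check the full
// program id rather than only the "cndy" prefix.
function checkMintTransaction(instructions, knownCandyMachineId = null) {
  const reasons = [];
  if (instructions.length === 1) reasons.push("only one instruction: a real mint has several");
  if (instructions.length !== 5) reasons.push(`expected 5 instructions, saw ${instructions.length}`);

  // A Candy Machine mint pays the creator from inside the cndy instruction, so a
  // top-level System Program Transfer out of your wallet has no business being here.
  for (const ix of instructions) {
    if (ix.programId === SYSTEM_PROGRAM && ix.name === "Transfer") {
      reasons.push("bare SOL Transfer instruction (the @soldoggo rugpull pattern)");
    }
  }

  const names = instructions.map((ix) => ix.name);
  for (const want of EXPECTED_NAMES) {
    if (!names.includes(want)) reasons.push(`missing "${want}"`);
  }

  const candy = instructions.filter((ix) => ix.programId.startsWith("cndy"));
  if (candy.length === 0) {
    reasons.push("no instruction from a program id starting with cndy");
  } else if (knownCandyMachineId !== null && !candy.every((ix) => ix.programId === knownCandyMachineId)) {
    // A 4-character prefix is a cheap vanity address; compare the whole id when you can.
    reasons.push("cndy-prefixed program id does not match the published Candy Machine id");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample inputs (not captured from a real wallet).
const LEGIT_MINT = [
  { programId: SYSTEM_PROGRAM, name: "Create Account" },
  { programId: TOKEN_PROGRAM, name: "Initialize Mint" },
  { programId: ATA_PROGRAM, name: "Create token account" },
  { programId: TOKEN_PROGRAM, name: "Mint to" },
  { programId: CANDY_MACHINE_V1, name: "unknown" },
];
const RUGPULL = [{ programId: SYSTEM_PROGRAM, name: "Transfer" }];
// Same shape as a real mint, but the last program id is a made-up vanity address.
const VANITY_IMPOSTOR = LEGIT_MINT.slice(0, 4).concat([
  { programId: "cndyFakeFakeFakeFakeFakeFakeFakeFakeFakeFake", name: "unknown" },
]);

for (const [label, ixs] of [["legit", LEGIT_MINT], ["rugpull", RUGPULL], ["vanity", VANITY_IMPOSTOR]]) {
  const { ok, reasons } = checkMintTransaction(ixs, CANDY_MACHINE_V1);
  console.log(label + ":", ok ? "passes shape check" : "FAILS shape check: " + reasons.join("; "));
}
```

Passing the shape check is necessary, not sufficient: it only catches the crude patterns described above. The prefix-only call on the impostor sample succeeds, which is exactly why the full id should be compared.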
Here is what it should look like in Phantom. Note: you will need to scroll down in your wallet to see everything:
Let’s dig just a little deeper. See that entry under “Create account” in the “Lamports” section? The number shown is 1461600. That is the deposit placed into the new mint account so that it is rent-exempt, which is part of the cost of this specific minting. It is NOT THE COST OF THE NFT and not the total that will be removed from your wallet.
A Lamport is the smallest possible fraction of a SOL: 0.000000001 SOL to be exact. That’s eight 0’s followed by a 1. So the cost to create the account is 0.0014616 SOL. There are other costs that do NOT appear, like the amount transferred to the NFT author. I’m trying to get that changed!
Unfortunately, there appears to be NO indication of how much SOL will be transferred out of your wallet other than this account-creation cost. I have opened a ticket with Phantom in an effort to get this changed (Ticket #2090).
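Added example (not from the original post): where the 1461600 figure comes from and how it relates to the roughly 0.012 SOL minting overhead used for sizing the burner wallet earlier. The rent parameters are Solana’s defaults (3480 lamports per byte-year, a 2-year exemption threshold, 128 bytes of overhead per account), the account sizes are the SPL Token and Metaplex Token Metadata v1 layouts, and the signature count and per-signature fee are assumptions; none of these are stated on the page, so re-check them against the live cluster and program versions before relying on the numbers.

```javascript
// Added example (not from the original post): decode the "Lamports" number on
// Create Account and reconstruct the mint overhead. Rent parameters, account sizes,
// signature count and fee are assumed values to verify against the live cluster.

const LAMPORTS_PER_SOL = 1_000_000_000;   // 1 lamport = 0.000000001 SOL
const LAMPORTS_PER_BYTE_YEAR = 3480;      // default rent rate (assumed)
const EXEMPTION_THRESHOLD_YEARS = 2;      // deposit 2 years of rent to be rent-exempt (assumed)
const ACCOUNT_OVERHEAD_BYTES = 128;       // per-account overhead charged by rent (assumed)
const SIGNATURE_FEE_LAMPORTS = 5000;      // per signature (assumed)

// Lamports a new account must hold to be rent-exempt, given its data length.
function rentExemptMinimum(dataLen) {
  return (dataLen + ACCOUNT_OVERHEAD_BYTES) * LAMPORTS_PER_BYTE_YEAR * EXEMPTION_THRESHOLD_YEARS;
}

function lamportsToSol(lamports) {
  return lamports / LAMPORTS_PER_SOL;
}

// Accounts a Candy Machine v1 mint creates at the buyer's expense (sizes assumed).
const MINT_ACCOUNTS = {
  mint: 82,           // SPL Token Mint: the "Create Account" Phantom shows
  tokenAccount: 165,  // your associated token account
  metadata: 679,      // Metaplex Metadata account
  masterEdition: 282, // Metaplex Master Edition account
};

// Total on-chain overhead of the mint, excluding the price paid to the creator.
// Two signatures assumed: the payer and the freshly generated mint keypair.
function mintOverheadLamports(signatures = 2) {
  const rent = Object.values(MINT_ACCOUNTS).reduce((sum, len) => sum + rentExemptMinimum(len), 0);
  return rent + signatures * SIGNATURE_FEE_LAMPORTS;
}

// How much to load into a burner for a mint at priceSol: the computed minimum and
// the post's rule-of-thumb 0.1 SOL buffer. Returned in lamports to avoid float drift.
function burnerFunding(priceSol, bufferSol = 0.1) {
  const priceLamports = Math.round(priceSol * LAMPORTS_PER_SOL);
  return {
    minimumLamports: priceLamports + mintOverheadLamports(),
    recommendedLamports: priceLamports + Math.round(bufferSol * LAMPORTS_PER_SOL),
  };
}

const mintDeposit = rentExemptMinimum(MINT_ACCOUNTS.mint);
console.log("Create Account deposit:", mintDeposit, "lamports =", lamportsToSol(mintDeposit), "SOL");
console.log("Mint overhead:", lamportsToSol(mintOverheadLamports()), "SOL");
const funding = burnerFunding(1);
console.log("Burner for a 1 SOL mint: minimum", lamportsToSol(funding.minimumLamports),
  "SOL, recommended", lamportsToSol(funding.recommendedLamports), "SOL");
```

The mint account alone reproduces the 1461600 lamports Phantom displays, and the four accounts plus two signature fees land just under 0.012 SOL, which is the overhead figure quoted earlier. The 0.1 SOL buffer is about eight times that; a tighter buffer is possible, but leaves no slack if the project’s program creates an extra account.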
Once you have completed minting
If you do not see your NFT image right away, don’t panic!
It is common for the team to ‘lock down’ Discord for the hour leading up to the mint and even an hour after the mint. That is to stop scammers and people who like to spread Fear, Uncertainty and Doubt (FUD).
Once the minting transaction is complete, go take a look at your NFT. It is possible the back-end infrastructure will take some time to get the image uploaded to its final destination. I have seen this take 20 minutes or so. If it isn’t there after 45 minutes, check Discord and Twitter; the team may have an issue. Politely mention the issue in the appropriate Discord channel. Give the team time to figure out what is going on and PAY ATTENTION to helpful troubleshooting tips. The NFT team will be under massive stress, so don’t unload a boatload of wrath if things get a bit messy.
Securing your new precious NFT. . asset. . . thing
Once everything with the NFT is working, transfer the token to your main hardware wallet. The burner’s key lives in a browser extension on your computer, where a malicious site or program can reach it; the hardware wallet keeps its key off that machine and requires a physical confirmation to sign, which prevents loss from malicious actors or accidents. Make sure to do this BEFORE reusing the burner wallet.
Yes, reusing a burner wallet is ok. Just make sure to move all the important stuff to your hardware wallet first!
If you have a significant amount of wealth in one hardware wallet, consider getting another. Don’t keep significant wealth all in one place. How much is significant? When the price of another hardware wallet is insignificant compared to the amount it would secure.
Well after the Mint
In the weeks after the mint, keep an eye on the community Discord and Twitter. There may be airdrops, contests or registration events for cool perks. Many NFT projects also plan on doing future ‘airdrop’ NFTs that you get just for holding their NFT!
In short — pay attention and stay involved to achieve maximum benefit.