Convention around _setApprovalForAll

Hi!

I'm creating an 1155 contract, where I'm calling _setApprovalForAll on every token transfer, such that an external address (my dApp's address) is always an approved operator on the tokens held by the recipient of the transfer.

I'd also like to note that I was unable to do this by extending the 1155 contract provided by the OpenZeppelin npm package; rather, I had to copy the 1155 contract from the OpenZeppelin GitHub into my repo, and extend that - indicating a recent breaking change with the npm package?

My main reason for this discussion is to source feedback/opinions from the community about the social perception of this approach. I'd like to implement this to provide a better user experience on my dApp. Token holders are able at any time to remove our dApp's address from managing their tokens - but I'm wondering if this has been tried before, and with transparency.

Let me know if I should be more specific with this question.

This was a problem in the contract; it's fixed in the latest release.


Doing _setApprovalForAll automatically is indeed risky. If you do that, you are greatly increasing the attack surface for the token, because if your dapp contract is vulnerable it places all token holders at risk. That said, if you are careful and responsible in the development of your dapp contract, and you're transparent about the automatic approval, I think it can be okay.

I would consider softening the automatic approval from happening on every transfer to just happening on mint, if you could do that.

Thank you, that makes sense! Went ahead and softened it.

Internal _setApprovalForAll is available now in the latest release, which was published yesterday.
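
The mint-only approval suggested in the thread, as an added sketch that is not code from any poster or from OpenZeppelin. It assumes an OpenZeppelin Contracts 4.x release in which ERC1155 exposes the `_beforeTokenTransfer` hook and the internal `_setApprovalForAll`; the contract name, `dappOperator`, `minter` and `autoApproved` are hypothetical. The approval is granted once per holder, so a holder who revokes it is not silently re-approved by a later mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

// Added example: hypothetical contract, names are assumptions.
contract MintApprovedToken is ERC1155 {
    // The dApp contract that receives operator rights over minted tokens.
    address public immutable dappOperator;
    // The only account allowed to mint.
    address public immutable minter;
    // Holders that already received the one-time automatic approval.
    mapping(address => bool) public autoApproved;

    constructor(string memory uri_, address dappOperator_) ERC1155(uri_) {
        require(dappOperator_ != address(0), "operator is zero address");
        dappOperator = dappOperator_;
        minter = msg.sender;
    }

    function mint(address to, uint256 id, uint256 amount) external {
        require(msg.sender == minter, "caller is not the minter");
        _mint(to, id, amount, "");
    }

    function _beforeTokenTransfer(
        address operator,
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts,
        bytes memory data
    ) internal virtual override {
        super._beforeTokenTransfer(operator, from, to, ids, amounts, data);

        // from == address(0) means this is a mint; ordinary transfers and
        // burns never touch approvals.
        // _setApprovalForAll reverts when owner == operator, so skip mints
        // that go to the dApp address itself.
        // autoApproved keeps a holder's later revocation in force: the
        // approval is granted on the first mint to an address only.
        if (from == address(0) && to != dappOperator && !autoApproved[to]) {
            autoApproved[to] = true;
            _setApprovalForAll(to, dappOperator, true);
        }
    }
}
```

Each automatic grant emits the standard `ApprovalForAll` event, so it is visible on-chain, and holders can revoke it with `setApprovalForAll(dappOperator, false)`.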