How to prevent Purchaser to buy an NFT directly on Smart Contract without going through the Web Portal

JF0001 · November 21, 2021, 9:07pm

I have created a Dapp using OpenZeppelin Contracts, where users can purchase NFTs and then eventually resale them. The seller needs to initially authorise my Smart Contract (SC) to sale ALL his items on his behalf (similarly to what is done on OpenSea), by calling via my Web Portal the setApprovalForAll method on the SC. Upon putting a specific NFT for sale, the seller enters the price he wishes to sell his item for on the same Portal. However, what prevents another user who wishes to purchase the NFT, to buy it directly on the SC without going through my Portal, at a lower price than the one at which the seller wishes to sale for, which has been specified only on my Web Portal? If I include and update the selling price on the Smart Contract, the seller will need to pay gas every time that an item is put up for sale at a specific price. Am I missing something.

Currently, the Token Transfer is initiated by the purchaser from my web portal using the following code:

this.contInst.methods.tokTransfer(tokOwner, this.account, TokenId, PriceBN, ComBN).send({
  from: this.account, // Corresponds to Purchaser Account
  value: this.web3.utils.toWei(PriceStr, 'ether')
 })

And my Smart Contract contains the following code:

 function tokTransfer(address payable from, address to, uint256 tokenId, uint256 price, uint256 commission) whenNotPaused() nonReentrant() external payable {
    require(msg.value >= price);
    this.safeTransferFrom(from, to, tokenId);
    AddressUpgradeable.sendValue(from, price.sub(commission));
 }

Thank you. J

Skyge · November 22, 2021, 1:30am

Sorry, I am not sure what do you mean, but I think this is different to traditional web, for example, if you want to buy somethings on the Amazon, you have got to login their website to buy, cause this is centralized, but for the block chain, the smart contract is the only entrance, your web is just a convenient way, I can also write a script to interact with the contract. That's the decentralization.

JF0001 · November 22, 2021, 1:59am

Thank you @Skyge Yes, I understand this. But this is exactly what I mean. I am using my Web Site as a convenience where a user can decide to sell a specific NFT minted on the Blockchain to other users for example. He will specify on my Web Site the price at which he wishes to sell the said NFT. He will have beforehand approved my Smart Contract to sell any of his NFTs on his behalf, via the setApprovalForAll function, which will be called from my site. However, once he has approved these sales what prevents other users to interact with my Smart Contract directly, via scripts, to purchase an item on sale, but at a lower price than what the user wanted to sell it for (and specified only on my Web Site and not on the Blockchain)? What prevents anyone to call my function tokTransfer above in my Smart Contract, directly via a script, passing it whichever price he desires, to initiate the NFT transfer?

Is this scenario prevented with the _msgSender?

Thanks again. J

Topic		Replies	Views
Transfer Ownership of an NFT, as well as the Price and Commission in a Single Transaction Support	9	4080	March 4, 2021
I would like to transfer NFTs from one person to another using my app Smart Contracts	1	333	June 15, 2022
Implementation of sellable NFT Contracts	5	4763	January 29, 2021
How can I ensure that any user can buy NFT's that the owner sells and keep royalties fixed? Smart Contracts	7	491	June 26, 2023
How to prevent token to get sold for certain period of time? Smart Contracts	8	1062	March 8, 2022

How to prevent Purchaser to buy an NFT directly on Smart Contract without going through the Web Portal

Related topics