Proposal for ERC721 Signatures to avoid NFT Art Theft

After being on Twitter and dabbling in the CryptoArt community, I’ve come to learn that art theft is as prevalent online as it is in the offline art world.

I am proposing that Smart Contracts for ERC721 be able to adopt a hashing function that can be used to sign the contracts and call a unique hash that matches the uploaded JSON data in the description.

My SmartContract makes use of the OpenZeppelin Box tutorial with a ‘broken’ random keccak256 hashing function. Though it can be defeated, the idea is that the artist would sign their art using a PGP-Key and the value stored in the modified ‘Box’ contract would use the PGP-Key as part of the algorithm to sign the NFT; it also uses a timestamp. The function would have to be an ‘onlyOwner’ function and be callable once NFT Art is uploaded to a marketplace. Once there, a web3 call function can be initiated to match the contract’s stored value against the JSON stored value in the TokenURI metadata.

If artwork is stolen the new contract ‘Hash’ Call wouldn’t match the copied JSON description hash because the thief wouldn’t have the private PGP-Key of the artist.

```solidity
// contracts/Box.sol
pragma solidity ^0.5.0;

contract Box {
    uint256 private value;
    uint256 private hash;

    // Emitted when the stored value changes
    event ValueChanged(uint256 newValue);

    // Stores a new value in the contract
    function store(uint256 newValue) public {
        value = newValue;
        emit ValueChanged(newValue);
    }

    // Reads the last stored value
    function retrieve() public view returns (uint256) {
        return value;
    }

    // Derives a value from the block timestamp, the caller and the stored
    // value, then saves it as the hash. Every input is public, so the
    // result is predictable.
    function random() public returns (uint256) {
        uint randomnumber = uint(keccak256(abi.encodePacked(now, msg.sender, value)));
        randomnumber = randomnumber + 1;
        hash = randomnumber;
        return randomnumber;
    }

    // Reads the last generated hash
    function showHash() public view returns (uint256) {
        return hash;
    }
}
```

My obstacle is that someone can call the public ‘showHash’ function and create a new contract where they simply store the hash as a string to be called and spoof the system. Any ideas on how to make this more secure?

1 Like

Hi @Proteu5,

Including an onchain hash of artwork at least gives proof of existence at a point in time. Though that doesn’t prevent a copy (or modified copy) from being sold.

You would also likely need a digital watermark that you could use to show that it was a copy.

Using these two pieces of data you could ask marketplaces to hide or flag unauthorized copies.

@eyemine be interested in your take on this.

1 Like

I’ve done some studying on Steganography, that’s a great idea to use it as a digital watermark!

So far I have:

  1. Create Art
  2. Create SmartContract
  3. Deploy Contract
  4. Generate Hash on MainNet
  5. Sign Image with Stego-Watermark
  6. Update MetaData
  7. Stego-Watermark Matches Contract Hash with PGP Key

A Thief:

  1. Download image
  2. Clone SmartContract
  3. Generate Different Hash because the time is different.
    Or
  4. Thief clones the hash and uses stego to sign the image.
  5. Fake appears on Market however the signatures don’t match because the signature doesn’t match the private PGP key of the artist.

I wonder if it’s possible for a JavaScript engine/library to decrypt the stego-watermark and verify it against a call on the smartcontract.

This process is also cumbersome for artists to do, but maybe this role should lie with the minters and give way to quality of the mint process.

1 Like
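
The verification step discussed in the post above, as an added example that is not code from the thread's participants: Node's built-in Ed25519 stands in for the artist's PGP key, and the signed claim is bound to a contract address and token ID (an assumption of this example) so that a signature copied into a cloned contract fails. The addresses, token ID and artwork bytes are constructed sample values.

```javascript
// Added example: Ed25519 (Node's built-in crypto) stands in for the artist's PGP key.
const crypto = require('node:crypto');

// Claim the artist signs: artwork digest bound to one contract and token (assumed layout).
function claimBytes(contractAddress, tokenId, artwork) {
  const digest = crypto.createHash('sha256').update(artwork).digest('hex');
  return Buffer.from(JSON.stringify({
    contract: contractAddress.toLowerCase(),
    tokenId: String(tokenId),
    sha256: digest,
  }));
}

// Artist side: the private key never leaves the artist.
function signClaim(privateKey, contractAddress, tokenId, artwork) {
  return crypto.sign(null, claimBytes(contractAddress, tokenId, artwork), privateKey)
    .toString('base64');
}

// Marketplace side: rebuild the claim from what is actually listed and check it
// against the artist's published public key.
function verifyClaim(publicKey, contractAddress, tokenId, artwork, signatureB64) {
  const sig = Buffer.from(signatureB64, 'base64');
  if (sig.length !== 64) return false; // malformed or truncated signature
  return crypto.verify(null, claimBytes(contractAddress, tokenId, artwork), publicKey, sig);
}

// Constructed sample data (not real addresses or artwork).
const artist = crypto.generateKeyPairSync('ed25519');
const thief = crypto.generateKeyPairSync('ed25519');
const ARTIST_CONTRACT = '0x' + 'a1'.repeat(20);
const CLONE_CONTRACT = '0x' + 'b2'.repeat(20);
const artwork = Buffer.from('constructed artwork bytes');

function demo() {
  const sig = signClaim(artist.privateKey, ARTIST_CONTRACT, 1, artwork);
  return {
    genuine: verifyClaim(artist.publicKey, ARTIST_CONTRACT, 1, artwork, sig),
    // Image and signature copied into a cloned contract.
    copiedToClone: verifyClaim(artist.publicKey, CLONE_CONTRACT, 1, artwork, sig),
    // Clone signed with a key other than the artist's.
    thiefSigned: verifyClaim(artist.publicKey, CLONE_CONTRACT, 1, artwork,
      signClaim(thief.privateKey, CLONE_CONTRACT, 1, artwork)),
    // Image altered after signing.
    modified: verifyClaim(artist.publicKey, ARTIST_CONTRACT, 1,
      Buffer.concat([artwork, Buffer.from('x')]), sig),
  };
}
console.log(demo());
```

Only the first check passes; the check detects an unauthorized listing but relies on the marketplace knowing the artist's public key through some trusted channel.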

Hi @Proteu5,

I wonder if the process could be simpler.

Artists could add a digital watermark and then create metadata on IPFS.

If each token’s metadata was stored on IPFS, then the URI to the metadata would include the IPFS hash. This would give proof of existence when the token was minted.

As the metadata would be onchain, the contract could optionally (only if needed) have functionality to change the metadata, either by the owner of the contract (could be a DAO) or by the holder of the contract. Any changes would then be recorded on chain.

Marketplaces would likely have incentives to protect the value of NFTs in their marketplace by tagging/flagging/hiding unauthorized copies.

1 Like

Very Interesting, I will look into implementing this. Thank you for your advice.

Where did this land?