After being on Twitter and dabbling in the CryptoArt community, I’ve come to learn that art theft is as prevalent online as it is in the offline art world.
I am proposing that Smart Contracts for ERC721 be able to adopt a hashing function that can be used to sign the contracts and call a unique hash that matches the uploaded JSON data in the description.
My Smart Contract makes use of the OpenZeppelin Box tutorial with a ‘broken’ random keccak256 hashing function. Though it can be defeated, the idea is that the artist would sign their art using a PGP-Key, and the value stored in the modified ‘Box’ contract would use the PGP-Key as part of the algorithm to sign the NFT; it also uses a timestamp. The function would have to be an ‘onlyOwner’ function and be callable once NFT Art is uploaded to a marketplace. Once there, a web3 call function can be initiated to match the contract’s stored value against the JSON stored value in the TokenURI metadata.
If artwork is stolen, the new contract ‘Hash’ Call wouldn’t match the copied JSON description hash because the thief wouldn’t have the private PGP-Key of the artist.
```solidity
// contracts/Box.sol
pragma solidity ^0.5.0;

contract Box {
    uint256 private value;
    uint256 private hash;

    // Emitted when the stored value changes
    event ValueChanged(uint256 newValue);

    // Stores a new value in the contract
    function store(uint256 newValue) public {
        value = newValue;
        emit ValueChanged(newValue);
    }

    // Reads the last stored value
    function retrieve() public view returns (uint256) {
        return value;
    }

    // Derives a value from the block timestamp, the caller and the stored
    // value, saves it as the hash and returns it
    function random() public returns (uint256) {
        uint randomnumber = uint(keccak256(abi.encodePacked(now, msg.sender, value)));
        randomnumber = randomnumber + 1;
        hash = randomnumber;
        return randomnumber;
    }

    // Reads the last stored hash (callable by anyone)
    function showHash() public view returns (uint256) {
        return hash;
    }
}
```
My obstacle is that someone can call the public ‘showHash’ function and create a new contract where they simply store the hash as a string to be called and spoof the system. Any ideas on how to make this more secure?
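One way to address the copied-hash problem raised above, as an added example that is not part of the original post or the OpenZeppelin tutorial: the stored value is replaced by a signature check bound to this contract's address and the token id. It assumes the artist signs with an Ethereum account key (verifiable on-chain with `ecrecover`) in place of the PGP key; `SignedBox`, `digest`, `register` and `verify` are hypothetical names.

```solidity
// Added example, not the poster's code. Assumption: the artist signs with the
// Ethereum key that deployed this contract, standing in for the PGP key.
pragma solidity ^0.5.0;

contract SignedBox {
    address public artist;                          // signer every check is made against
    mapping(uint256 => bytes32) public contentHash; // tokenId => keccak256 of metadata JSON

    constructor() public {
        artist = msg.sender;
    }

    // Digest the artist signs off-chain. It commits to this contract's address
    // and the token id, so a signature copied into another contract, or onto
    // another token, does not verify there.
    function digest(uint256 tokenId, bytes32 jsonHash) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encodePacked(address(this), tokenId, jsonHash));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    // Records the metadata hash only if (v, r, s) is the artist's signature.
    function register(uint256 tokenId, bytes32 jsonHash, uint8 v, bytes32 r, bytes32 s) public {
        require(contentHash[tokenId] == bytes32(0), "already registered");
        require(verify(tokenId, jsonHash, v, r, s), "not signed by artist");
        contentHash[tokenId] = jsonHash;
    }

    // Anyone can re-check a listing: hash the JSON served at the TokenURI,
    // take the signature published alongside it, and call this view function.
    function verify(uint256 tokenId, bytes32 jsonHash, uint8 v, bytes32 r, bytes32 s)
        public view returns (bool)
    {
        // Reject malleable (high-s) signatures and unexpected v values.
        if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
        if (v != 27 && v != 28) return false;
        address signer = ecrecover(digest(tokenId, jsonHash), v, r, s);
        return signer != address(0) && signer == artist;
    }
}
```

A checker compares `artist` with the address the artist has published, the same way a PGP public key would be checked. A cloned contract then fails because its `artist` differs, and a copied signature fails because the digest includes the original contract's address.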