
New token standard "ERC721R" introduced, allowing NFT creators to refund users within a specific timeframe


The blockchain game developer CryptoFighters has introduced an upgraded version of the ERC-721 non-fungible token standard called "ERC721R," which lets users return NFTs for a refund within a certain period of time, with the aim of reducing the frequent rug pulls in the NFT market. As of the update on 4/12, developers have reported a vulnerability, but CryptoFighters has not responded yet.

ERC721R

ERC721R was introduced by the early blockchain game CryptoFighters Alliance. According to the official website, ERC721R brings a trustless refund mechanism that allows NFT minters to initiate refunds within the minting contract.

ERC721R allows users to determine the "refund amount percentage" and "refund deadline" themselves. Taking CryptoFighters as an example, minters can get a 100% refund within 45 days after minting.

The refund process is straightforward, similar to the staking/unstaking mechanism in proof-of-stake protocols. Users only need to return the NFT to the original minting contract before the refund deadline to reclaim the ETH spent during minting.

Projects currently utilizing ERC721R include:

Pros and Cons

For users, the advantages of ERC721R are evident, as it reduces the rug pull risk for projects issuing NFTs and collecting significant ETH during the minting period.

For project owners, they can decide how to utilize the returned NFTs, such as reissuing them, using them as gifts to strengthen partnerships, or destroying them directly.

If projects mint NFTs using ERC721R, users may have more confidence in the project, leading to a more stable floor price and stronger community cohesion.

However, the mechanism of ERC721R seems to only protect primary market minters and whitelist holders, which may intensify whitelist competition in the NFT space.

CryptoFighters cited Chainalysis data, indicating that rug pulls accounted for only 1% of all crypto scams in 2020, but surged to 37% last year, a figure that is likely to continue rising.

Source: Chainalysis

CryptoFighters emphasized that preventing more rug pull incidents is crucial for NFT adoption and acceptance by the mainstream.

Developer Highlights Vulnerability Warning

Developer @BenWAGMI stated that he discovered a critical vulnerability in ERC721R that could allow malicious actors to call the refund function and drain funds from all refund addresses.

@BenWAGMI pointed out: "Normally, after the refundEndTime expires, NFT developers can call the withdraw function to take the collected ETH. This step is fine." However, the refund function has a vulnerability.

@BenWAGMI explained that when a buyer calls refund, the NFT they minted is transferred to the refundAddress, an address specified and controlled by the developer, and the corresponding amount of Ether is then paid out from the NFT contract. But if a malicious actor initially mints NFTs to the refundAddress, they can continuously call the refund function to drain funds from the refund addresses.
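The refund flaw described above can be checked with a small accounting model. This is an added example, not ERC721R's contract code: the class `RefundableMint`, the `hardened` flag, the `has_refunded` set and the address strings are hypothetical, and the refund deadline is left out to keep the focus on the ownership check.

```python
class RefundableMint:
    """Toy model of a refundable NFT mint: only the accounting behind refund()."""

    def __init__(self, price, refund_address, hardened):
        self.price = price
        self.refund_address = refund_address
        self.hardened = hardened
        self.owner_of = {}          # token_id -> current owner
        self.balance = 0            # ETH held by the mint contract
        self.has_refunded = set()   # token ids already refunded (hardened only)

    def mint(self, minter):
        token_id = len(self.owner_of)
        self.owner_of[token_id] = minter
        self.balance += self.price
        return token_id

    def refund(self, caller, token_id):
        if self.owner_of.get(token_id) != caller:
            raise PermissionError("caller does not own token")
        if self.hardened:
            if caller == self.refund_address:
                raise PermissionError("refund address cannot claim refunds")
            if token_id in self.has_refunded:
                raise ValueError("token already refunded")
            self.has_refunded.add(token_id)
        if self.balance < self.price:
            raise RuntimeError("contract has no ETH left")
        # The token goes to refund_address. When the caller IS refund_address this
        # is a self-transfer: ownership is unchanged, so the owner check passes again.
        self.owner_of[token_id] = self.refund_address
        self.balance -= self.price


def simulate(hardened, honest_minters=4):
    """Constructed scenario: honest mints, then repeated refund() by refund_address."""
    c = RefundableMint(price=10, refund_address="REFUND_ADDR", hardened=hardened)
    for i in range(honest_minters):
        c.mint(f"user{i}")
    token = c.mint("REFUND_ADDR")
    calls = 0
    try:
        while True:
            c.refund("REFUND_ADDR", token)
            calls += 1
    except (PermissionError, ValueError, RuntimeError):
        pass
    return calls, c.balance  # (successful refunds, ETH left for honest minters)
```

In the unhardened model the single token is refunded until the contract balance reaches zero; with the two checks the first call is rejected and the other minters' ETH stays in the contract.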