Analysis of eip-2535 diamond agreement from the Saudi NFT event

2022 year 7 month 10 Number , A fiery  NFT  project TheSaudis Open the freemint Activities （ White list users can cast their... For free NFT）. And on mint After the event , A name RIGHTBLOCK Of users have sold this NFT, After finding out, the project party quickly locked in the user and made changes to the contract, so as to bring a large number of NFT Move it back , They later promised to take these NFT Give feedback to community users .

So why can the project party put the NFT What about the transfer ？ After our analysis, we found that NFT The contract of the project adopts EIP-2535 The agreement is also called the diamond agreement , The project party used the agreement to rewrite the function of the contract , In order to achieve these NFT The transfer of . Next, the slow fog security team will introduce the diamond agreement （EIP-2535） The details of the .

Smart contract breakthrough 24kb The maximum size limit , And make it easier for the contract to update functions .

Understand the diamond agreement , First of all, there are several related concept definitions to know ：

• diamond （diamond）:  Diamonds can be understood as agency contracts （Proxy）, It is also the main contract to interact with users

• section （facet）:  Just as real diamonds have different sides , A diamond contract also has different aspects , Each function of diamond contract needs to call a contract corresponding to a section , So it can also be understood as realizing the contract （Implementation）

• Diamond cutting （diamondCut）:  The diamond protocol standard extends a function called diamond cutting , Its main role increases from diamonds 、 Replace or delete facets and functions , It can be understood as the upgrade of the contract （Upgrade）

• Magnifier （The Loupe）:  The magnifying glass function in the diamond protocol standard is mainly to return information about the section and the existence of diamonds , This information is stored inside the diamond contract ——DiamondStorage in

The whole diamond model is similar to the following figure ：

Create diamond contracts by using diamond standard specifications , This contract can use any number of code of other faceted contracts just like the code of the current contract .

In this diamond contract, different functions need to call the corresponding codes of different facet contracts to realize , And the function of diamond cutting can be used to modify the function in the diamond contract （ add to 、 Replace or delete ）.

This is different from the way most of the market use an agent contract and an implementation contract to realize interaction and upgrading .

This function will first call LibDiamond Library enforceIsContractOwner Function to determine whether the caller is contractual owner, If it is owner If called, it will call LibDiamond Library diamondCut Function to update the function of diamond contract .

Following up on this function, we found that diamond cutting will vary according to the incoming action To judge and add 、 Replace or delete functions , So next, follow up and see the transaction in which the project party calls this function .

We found that a new aspect contract was introduced 0x70d8ccaf6b50b051ab1e8fa238626163e45a8b03（ Not open source ）, Incoming action Set to 1 It should call replaceFunctions To implement the replacement function .

from replaceFunctions Function can be analyzed that this function will first add a new aspect for the incoming address , Then read the old section corresponding to each function selector passed in from the storage loop to delete , And add the facet of these functions as the incoming new facet address .

So far, we can know The Saudis The project party used the diamond cutting function to rewrite the transfer function , In this way, users RIGHTBLOCK Hand NFT Transfer back to your account .