0x7A6f
January 28th, 2022

Today, the ZORA Core team is releasing the first module proposal available for community review – Offers v1.0. This module aims to provide on-chain liquidity for NFTs via escrowed buy orders. Using this module, any potential buyer will be able to make an offer for any valid ERC-721 on Ethereum.

This module is the first to undergo a public community review. Since ZORA modules are one-way deployed, it’s paramount that they are audited before deployment. To incentivize reviews, ZORA DAO will be honoring vulnerability reports with up to 25 ETH in bug bounty payouts.

The module code is available on GitHub, and more information about the rubric for bug bounties is available via the Contributions section of our README. Audits can be submitted via the comment section of the Offers V1.0 pull request.

0x7A6f
January 25th, 2022

Summary

At approximately 3:20 PM EST on January 24, 2022, the 0x Protocol team reached out privately and directly to disclose a vulnerability in ZORA’s AsksV1 module. Importantly, no user funds have been lost and no users are at immediate risk of losing funds. However, ZORA identified up to 31 users who could be at risk in the future. This report outlines the vulnerability, the steps we’ve taken to mitigate it, and the timeline of events as they unfolded.

The Vulnerability

ZORA’s AsksV1 module (also referred to as “Buy Now”) allows a user to list any NFT for sale for a fixed price and currency. A potential buyer is then able to fill that listing by calling a method on the AsksV1 contract. When called, the ZORA contract transfers the purchasing funds out of the buyer’s account and sends them to the seller for payment. In return, the ZORA contract then transfers the listed NFT out of the seller’s account to the buyer. The two method signatures are shown below:

0x7A6f
May 28th, 2021

With the release of Auction House, Zora is working to move ownership from centralized auction houses to decentralized auction houses. However, the smart contracts are only the first piece of the puzzle, and we're setting out to fill in the blueprints for anyone to spin up and remix their own auction house experience.

Creators and curators can now seamlessly create their own permissionless, customizable auction house experiences. Zora has created a suite of technical tools for accessing, rendering, and contextualizing both auction information and media information.

These libraries are open for the world to use and improve – MIT-licensed and developed in public.

0x7A6f
May 12th, 2021

In recent months, NFTs have gone through a moment of cultural zeitgeist, commanding the attention and adoption of creators and communities all over the internet. Still in its infancy, the NFT ecosystem is mostly dominated by a small number of closed marketplaces—crypto middlemen and web3 gatekeepers that have launched closed-source systems on public blockchains.

The state of current marketplaces:

  • Closed source
  • Unverified on Etherscan
  • Permissioned access
  • Super admin permissions
  • Opaque
  • Limited developer access
  • Restricted to platform NFTs