July 15, 2022

Beosin: Is the leasable NFT ERC-4907 safe?

Introduction to the ERC4907 Standard

On June 29, the new ERC standard "EIP-4907", launched by Double Protocol, passed the final review of the Ethereum development team, becoming the 30th ERC standard with the status of "Final" on Ethereum.


The standard separates NFT ownership from usage rights: the NFT owner can grant the right of use to another user, while that user cannot transfer, sell, destroy or otherwise operate on the NFT. The new ERC4907 standard also automatically cancels the right of use when it expires, which greatly reduces the cost of use.


Compared with the common ERC721 standard, ERC4907 adds a structure that stores the user address and the authorization deadline, and a variable that maps each NFT token ID to that structure.

The setUser() function takes three parameters: the NFT token ID (tokenId), the user address (user) and the authorization deadline (expires). The NFT owner calls it to set the user of a token and the duration of use.

The function first checks whether the caller is the owner of the specified NFT token, then creates a new instance of the structure and saves the user address and expiration date in it.


When the right of use expires, no transaction needs to be sent to cancel it. The contract instead compares the current block time with the expires variable, which removes a cumbersome transaction and its cost.


For example, a query for the user of an NFT token first compares the current block time with the expires variable. If the token is still within the validity period, the stored user is returned as the current user; if the usage period has expired, the zero address is returned.


Double Protocol is a fully decentralized and open source marketplace for NFT leasing protocols and Metaverse and GameFi assets. Users can lease NFTs through this marketplace.

Flowchart of Double Protocol leasing contract function calls.

The Double Protocol Market contract provides functions for a lessor to create a lease order and for a lessee to place an order. The lessor calls the function mintAndCreateLendOrder (line 53 of the contract) with the NFT information, time information, price information, payment method and other parameters to create a lease order for an NFT.

The contract calls the function _mintV (line 95), which checks the NFT information passed in by the lessor against the NFT owner.

After all checks pass, the contract calls the function mintVNft (line 34 of the ComplexDoNFT contract) to transfer the NFTs to be leased to the leasing platform.

It then calls the function _createLendOrder (line 174 of the Market contract). The function first checks the relationship between the caller and the NFT, then validates and updates the time parameters passed in by the lessor, and finally writes the NFT information, time information, price information and so on into the lease order. At this point the lease order has been created, and a lessee can choose to lease according to the order information.

The contract provides a function for lessees to place leasing orders. A lessee places an order by calling the function fulfillOrderNow (line 268 of the Market contract) and passing in NFT information, time information and user address information.


The function first checks whether the order for the NFT passed in by the user is valid. It then determines whether the NFT is a private lease and, if so, whether the lessee is the private lessee specified by the lessor. Next, the time parameter is validated and updated, and finally the fee-related function and the user-setting function are called.

On line 295, fulfillOrderNow calls the function attributePayment, which calculates and pays the fee. The function first calculates the fee the transaction must pay, then subtracts the transaction costs to obtain the amount actually paid, and finally, on line 366, the contract sends the lease fee to the lessor.

On line 296, fulfillOrderNow calls the function mint to set the lease information; this calls the function mint on line 164 of the BaseDoNFT contract.

That mint function calls the mintDoNft function at line 210.

After several calls, execution reaches the newDuration function, which sets the lease time information for the leased NFT and provides the data used later to set the user.

Finally, the mint function calls the checkIn function at line 215, which calls the checkIn function at line 92 of the ComplexDoNFT contract. That function first checks whether the NFT information matches the time information and, if it is valid, sets the address specified by the lessee as the user and writes the previously set time information as the lease expiration time.

3 Risks of the New ERC4907 Standard

1. The NFT token owner can change the user and usage period at any time

The ERC4907 standard does not check whether a token is currently leased when the user is set. Even when a lease already exists and is within its validity period, the owner can lease the token to another user at any time and change the user and the usage period, so the previous user can no longer use the NFT token within the usage period.

2. The NFT token owner can transfer or sell the tokens during the leasing stage

During the leasing phase of an NFT token, the owner can transfer or sell the token at will, and the user will lose access to the leased NFT.

3. Compatibility issues

Some projects on the market require participants to hold a certain kind of NFT. After the ERC4907 standard goes live, a lessee still cannot enter such a project by leasing the NFT; if the project needs to support this, it has to upgrade with new features.
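One way a holder-gated project could recognise lessees, as an added example that is not code from the original article, the EIP or Double Protocol. The RentalAwareGate library and hasAccess function are hypothetical, and the rule that an active user displaces the owner is an assumed design choice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// The three functions of the ERC-4907 interface (events omitted).
interface IERC4907 {
    function setUser(uint256 tokenId, address user, uint64 expires) external;
    function userOf(uint256 tokenId) external view returns (address);
    function userExpires(uint256 tokenId) external view returns (uint256);
}

// Hypothetical gate for a project that admits holders of a given NFT.
library RentalAwareGate {
    function hasAccess(address nft, uint256 tokenId, address account)
        internal
        view
        returns (bool)
    {
        if (account == address(0)) return false;

        // Only collections that advertise ERC-4907 through ERC-165 are asked for a user;
        // every other collection keeps the owner-only rule the project had before.
        if (IERC721(nft).supportsInterface(type(IERC4907).interfaceId)) {
            // userOf() already applies the expiry check and returns the zero
            // address once the lease has lapsed.
            address user = IERC4907(nft).userOf(tokenId);

            // Assumed design choice: during an active lease the usage right
            // belongs to the user alone, so one token never admits two accounts.
            if (user != address(0)) return account == user;
        }

        // No active lease: fall back to plain ownership.
        return IERC721(nft).ownerOf(tokenId) == account;
    }
}
```

A gate that accepted either the owner or the user would let a single token admit two accounts for the length of every lease, which is the kind of logic error an upgrade should rule out.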


For the first two risks, it is suggested that the project owner control the lessor's authority according to the actual business when applying the standard. For example, when a token is in the rental validity stage, the lessor cannot rent the token to others or sell it again, and a new "default" algorithm process can be added, so that if the lessor changes the user or sells the token during the rental period, the current lessee will be required to pay the corresponding percentage of fees or liquidated damages.

For the third risk, it is recommended that when adding new functions, projects fully understand the functions implemented in ERC4907 and combine them with their existing business logic to design and implement secure business logic, so that no security risks are introduced during the upgrade process.
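The structure, setUser() and expiry comparison described in the introduction, combined with the restriction suggested above for risks 1 and 2, as an added example (not code from the EIP, Beosin or Double Protocol). It assumes OpenZeppelin Contracts 5.x; the contract name LeaseGuardedNFT and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical base contract; the deriving contract supplies the ERC721
// constructor arguments and its own minting logic.
abstract contract LeaseGuardedNFT is ERC721 {
    struct UserInfo {
        address user;   // address holding the right of use
        uint64 expires; // unix timestamp at which that right lapses
    }

    mapping(uint256 => UserInfo) internal _users; // tokenId => current lease

    event UpdateUser(uint256 indexed tokenId, address indexed user, uint64 expires);
    error NotOwner();
    error LeaseActive(address user, uint64 expires);

    function _leaseActive(uint256 tokenId) internal view returns (bool) {
        UserInfo storage info = _users[tokenId];
        return info.user != address(0) && info.expires >= block.timestamp;
    }

    function setUser(uint256 tokenId, address user, uint64 expires) public virtual {
        // Owner check, as the article describes for setUser().
        if (ownerOf(tokenId) != msg.sender) revert NotOwner();
        // Risk 1: refuse to overwrite a lease that is still within its validity period.
        if (_leaseActive(tokenId)) revert LeaseActive(_users[tokenId].user, _users[tokenId].expires);
        _users[tokenId] = UserInfo(user, expires);
        emit UpdateUser(tokenId, user, expires);
    }

    // Lazy expiry: no cancelling transaction, only a comparison with block time.
    function userOf(uint256 tokenId) public view virtual returns (address) {
        return _leaseActive(tokenId) ? _users[tokenId].user : address(0);
    }

    function userExpires(uint256 tokenId) public view virtual returns (uint256) {
        return _users[tokenId].expires;
    }

    // Risk 2: transfers and burns revert while a lease is active. Minting is
    // unaffected because a token that has never been leased has no user.
    function _update(address to, uint256 tokenId, address auth) internal virtual override returns (address) {
        if (_leaseActive(tokenId)) revert LeaseActive(_users[tokenId].user, _users[tokenId].expires);
        return super._update(to, tokenId, auth);
    }
}
```

This is the strict variant of the recommendation: the owner is locked out of re-leasing and transferring until expires has passed, so a project that prefers the liquidated-damages route would replace the two reverts with its own settlement logic.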
