I have a use case where i'd like to update NFT's metadata from a program. How should i construct such instruction?
On a side note, could i use a PDA (owned by custom program) as update authority?
Yes, it's possible to edit the token metadata via CPI. It's also possible to use a PDA as the update authority, you just need to use the correct seeds when invoking the update instructions.
The update_metadata_accounts_v2 Rust binding can be found here
Here is an example of a PDA updating metadata https://github.com/Bonfida/name-tokenizer/blob/master/program/src/processor/create_nft.rs#L317=
Related
Having checked 2 main NEAR explorers, the official one and nearscan, I haven't found neither any way to see the byte code and source code of smart contracts on them, nor ability to interract with a smart contract, nor check what functions a smart contract has. On any Ethereum Explorer, and on a few others, all of this is possible.
Or perhaps I've missed something?
Is it correct that on NEAR explorers neither of the abovementioned features exist?
very good question.
You can use "Stats Gallery", this tool let you see Stats from an account (Or contract - which is an account with a contract deployed).
But let you interact with the Contract too.
https://stats.gallery/mainnet/nit.globaledu.near/contract?t=week
This is an example, you can see the functions of my "Feedback Contract".
Instead of this you can add a Testnet contract and try to call some functions, maybe the next one:
https://stats.gallery/testnet/alpha.neatar.testnet/contract?t=week
And the source code of the tool is here, just in case you want to know exactly how is does:
https://github.com/NEARFoundation/stats.gallery/blob/90c76d452bdb8ce12a7b1a4675df453f437494cc/src/composables/contract/useContract.ts
Saludos
I want to make some calculations and store their result in an account after user sends some money to my PDA. How can I do it? My understanding is that I cannot transfer funds from user inside a smart contract, and I can only transfer from my PDA to user, not vice verse, am I correct? Is it a proper solution, if I store my lamports amount in an account, and then inside my instrucition compare the previous value to the actual value, and from front end I run transfer of SOL and my instruction as 2 instructions of a single transaction?
First: You can send SOL/lamports within your program from a PDA, shown here, or program owned account to any account.
Secondly: You can use CPI within your program to transfer SOL/lamports from a system owned account to your program but you will need the source signer to do so.
So, if your instruction took the signer's account you could transfer SOL from their account to your PDA in one instruction (although you are invoking the transfer within your instruction to get the source SOL).
Is there a tool that can estimate how much gas a contract call will make before submitting to the NEAR network?
Currently the best estimation is to use runtime-standalone, which can process transactions without having to worry about consensus/networking. This means you can create accounts, deploy contracts, and invoke them and the outcome returned includes how much gas was burnt and used. The difference being burnt gas is used to execute the function call and used gas is how much was used by contract promise calls.
However, it's currently a MVP prototype and has only been used to test our core contract, here is it being used to test the lockup contract.
If your contract method doesn't invoke any batch promises and only normal promises,the mock runtime in near-sdk-as provides a way to create accounts and "deploy" contracts. It does this by internally using the binary of near-vm-runner-standalone, which is a rust crate. The binary provides a CLI to invoke a single transaction, which takes as input the current state of the contract being called, the contract's binary, the config file that defines the current context (who is calling the contract, how much gas is prepaid, etc), and a config for the cost of different fees. It then returns the updated state, the outcome of the transaction (e.g. how much gas was used and any receipts of transactions queued by promise calls).
The near-vm-runner-standalone is also published to npm with the package name: near-vm, which is what the mock runtime uses.
This is still an active area of development and we hope to turn runtime standalone into a useful easy to use tool for testing and gas estimation.
The easiest way to do it is to submit sample transaction with more than needed gas attached and then check in explorer how much gas was used, e.g. see
https://explorer.testnet.near.org/transactions/23dgV15pydiVhirWJ4He7TMoyRJM2DUXtcWb7VXFSy2G
300 Tgas was attached and 47 Tgas used for that given transaction.
I am Developing an onpremise solution for a client without any control and internet connection on the machine.
The solution is to be monetized based on number of allowed requests(REST API calls) for a bought license. So currently we store the request count in an encrypted file on the file system itself. But this solution is not perfect as the file can be copied somewhere and then replaced when the requests quota is over. Also if the file is deleted then there's manual intervention needed from support.
I'm looking for a solution to store the state/data in binary and update it runtime (consider usage count that updates in binary itself)
Looking for a better approach.
Also binary should start from the previous stored State
Is there a way to do it?
P.S. I know writing to binary won't solve the issue but I think it'll increase the difficulty by increasing number of permutation and combinations for places where the state can be stored and since it's not a common knowledge that you can change the executable that would be the last place to look for the state if someone's trying to mess with the system (security by obscurity)
Is there a way to do it?
No.
(At least no official, portable way. Of course you can modify a binary and change e.g. the data or BSS segment, but this is hard, OS-dependent and does not solve your problem as it has the same problem like an external file: You can just keep the original executable and start over with that one. Some things simply cannot be solved technically.)
If your rest API is within your control and is the part that you are monetizing surely this is the point at which you would be filtering the licensed perhaps some kind of certificate authentication or key to the API and then you can keep then count on the API side that you can control and then it wont matter if it is in a flat file or a DB etc, because you control it.
Here is a solution to what you are trying to do (not to writing to the executable which) that will defeat casual copying of files.
A possible approach is to regularly write the request count and the current system time to file. This file does not even have to be encrypted - you just need to generate a hash of the data (eg using SHA2) and sign it with a private key then append to the file.
Then when you (re)start the service read and verify the file using your public key and check that it has not been too long since the time that was written to the file. Note that some initial file will have to be written on installation and your service will need to be running continually - only allowing for brief restarts. You also would probably verify that the time is not in the future as this would indicate an attempt to circumvent the system.
Of course this approach has problems such as the client fiddling with the system time or even debugging your code to find the private key and probably others. Hopefully these are hard enough to act as a deterrent. Also if the service or system is shut down for an extended period of time then some sort of manual intervention would be required.
SecCodeCheckValidity:
Performs dynamic validation of signed code.
SecStaticCodeCheckValidity
Validates a static code object.
This function obtains and verifies the signature on the code specified
by the code object. It checks the validity of all sealed components,
including resources (if any). It validates the code against a code
requirement if one is specified. The call succeeds if all these
conditions are satisfactory. This call is only secure if the code is
not subject to concurrent modification, and the outcome is only valid
as long as the code remains unmodified. If the underlying file system
has dynamic characteristics, such as a network file system, union
mount, or FUSE, you must consider how secure the code is from
modification after validation.
So given this description for codesigning document from Apple, it is not clear what do they mean "dynamic characaterstics" here.
SecStaticCodeCheckValidity verifies if the application on-disk. In contrast, SecCodeCheckValidity verifies the application in-memory against the same requirements while it is running.
This attempts to prevent modification via hijacking, injection or other traditional methods of mutating in-memory code by checking if it is still code-signed with a valid signature.
I remember hearing that distinction somewhere during WWDC '09, correct me if I am wrong.
If you want to check whether some running code is signed by Apple and not some designated requirement specified by the programmer, you want:
SecRequirementCreateWithString(CFSTR("anchor apple"), ...)
and then pass the result from SecRequirementRef to SecCodeCheckValidity. There is no need to interact with the designated requirement in this case, since you've already decided what code is acceptable to you, which is anything signed by Apple.
In production code, you can use csreq(1) to compile a binary version of "anchor apple" and use SecRequirementCreateWithData instead of SecRequirementCreateWithString, which is faster.