Operator Filter Registry

Introduction

This repository contains a number of tools to help token contracts manage the operators allowed to transfer tokens on behalf of users - including the smart contracts and delegates of marketplaces that do not respect creator earnings.

This is not a foolproof approach - but it makes bypassing creator earnings less liquid and easy at scale.

How it works

Token smart contracts may register themselves (or be registered by their "owner") with the OperatorFilterRegistry. Token contracts or their "owner"s may then curate lists of operators (specific account addresses) and codehashes (smart contracts deployed with the same code) that should not be allowed to transfer tokens on behalf of users.

Creator Earnings Enforcement

OpenSea will enforce creator earnings for smart contracts that make best efforts to filter transfers from operators known to not respect creator earnings.

This repository facilitates that process by providing smart contracts that interface with the registry automatically, including automatically subscribing to OpenSea's list of filtered operators.

When filtering operators, use of this registry is not required, nor is it required for a token contract to "subscribe" to OpenSea's list within this registry. Subscriptions can be changed or removed at any time. Filtered operators and codehashes may likewise be added or removed at any time.

Contract owners may implement their own filtering outside of this registry, or they may use this registry to curate their own lists of filtered operators. However, there are certain contracts that are filtered by the default subscription, and must be filtered in order to be eligible for creator earnings enforcement on OpenSea.

Note on EIP-2981

Implementing EIP-2981 is not sufficient for a token to be eligible for creator earnings on OpenSea.

While sometimes described as "on-chain," EIP-2981 only provides a method to determine what the appropriate creator earnings should be for a sale. EIP-2981 does not provide any mechanism of on-chain enforcement of those earnings.

Filtered addresses

Entries in this list are added according to the following criteria:

• If the application most commonly used to interface with the contract gives buyers and sellers the ability to bypass creator earnings when a similar transaction for the same item would require creator earnings payment on OpenSea.io
• If the contract is facilitating the evasion of on-chain creator earnings enforcement measures. For example, the contract uses a wrapper contract to bypass earnings enforcement.

Deployments

Usage

Token contracts that wish to manage lists of filtered operators and restrict transfers from them may integrate with the registry easily with tokens using the OperatorFilterer and DefaultOperatorFilterer contracts. These contracts provide modifiers (onlyAllowedOperator and onlyAllowedOperatorApproval) which can be used on the token's transfer methods to restrict transfers from or approvals of filtered operators.

See the ExampleERC721 and ExampleERC1155 contracts for basic implementations that inherit the DefaultOperatorFilterer.

Getting Started with Foundry

This package can be installed into a Foundry project with the following command

forge install ProjectOpenSea/operator-filter-registry

With default remappings provided by forge remappings, the default operator filterer can be imported into your project with the following statement

import "operator-filter-registry/DefaultOperatorFilterer.sol";

See NPM section below for further details.

Getting started with NPM

This package can be found on NPM to integrate with tools like hardhat.

Installing

with npm

npm i operator-filter-registry

with yarn

yarn add operator-filter-registry

Default usage

Add to your smart contract in the import section:

import "operator-filter-registry/src/DefaultOperatorFilterer.sol";

Next extend from DefaultOperatorFilterer

contract MyNft is
  DefaultOperatorFilterer,
  // remaining inheritance here
{

Finally, override the ERC721 transfer and approval methods (modifiers are overridable as needed)

    function setApprovalForAll(address operator, bool approved) public override onlyAllowedOperatorApproval(operator) {
        super.setApprovalForAll(operator, approved);
    }

    function approve(address operator, uint256 tokenId) public override onlyAllowedOperatorApproval(operator) {
        super.approve(operator, tokenId);
    }

    function transferFrom(address from, address to, uint256 tokenId) public override onlyAllowedOperator(from) {
        super.transferFrom(from, to, tokenId);
    }

    function safeTransferFrom(address from, address to, uint256 tokenId) public override onlyAllowedOperator(from) {
        super.safeTransferFrom(from, to, tokenId);
    }

    function safeTransferFrom(address from, address to, uint256 tokenId, bytes memory data)
        public
        override
        onlyAllowedOperator(from)
    {
        super.safeTransferFrom(from, to, tokenId, data);
    }

Smart Contracts

OperatorFilterRegistry

OperatorFilterRegistry lets a smart contract or its EIP-173 Owner register a list of addresses and code hashes to deny when isOperatorBlocked is called.

It also supports "subscriptions," which allow a contract to delegate its operator filtering to another contract. This is useful for contracts that want to allow users to delegate their operator filtering to a trusted third party, who can continuously update the list of filtered operators and code hashes. Subscriptions may be cancelled at any time by the subscriber or its Owner.

updateOperator(address registrant, address operator, bool filtered)

This method will toggle filtering for an operator for a given registrant. If filtered is true, isOperatorAllowed will return false. If filtered is false, isOperatorAllowed will return true. This can filter known addresses.

updateCodeHash(address registrant, bytes32 codeHash, bool filtered)

This method will toggle filtering on code hashes of operators given registrant. If an operator's EXTCODEHASH matches a filtered code hash, isOperatorAllowed will return true. Otherwise, isOperatorAllowed will return false. This can filter smart contract operators with different addresses but the same code.

OperatorFilterer

This smart contract is meant to be inherited by token contracts so they can use the following:

• onlyAllowedOperator modifier for transferFrom and safeTransferFrom methods.
• onlyAllowedOperatorApproval modifier for approve and setApprovalForAll methods.

On construction, it takes three parameters:

• address registry: the address of the OperatorFilterRegistry contract
• address subscriptionOrRegistrantToCopy: the address of the registrant the contract will either subscribe to, or do a one-time copy of that registrant's filters. If the zero address is provided, no subscription or copies will be made.
• bool subscribe: if true, subscribes to the previous address if it was not the zero address. If false, copies existing filtered addresses and codeHashes without subscribing to future updates.

Please note that if your token contract does not provide an owner with EIP-173, it must provide administration methods on the contract itself to interact with the registry otherwise the subscription will be locked to the options set during construction.

onlyAllowedOperator(address operator)

This modifier will revert if the operator or its code hash is filtered by the OperatorFilterRegistry contract.

DefaultOperatorFilterer

This smart contract extends OperatorFilterer and automatically configures the token contract that inherits it to subscribe to OpenSea's list of filtered operators and code hashes. This subscription can be updated at any time by the owner by calling updateSubscription on the OperatorFilterRegistry contract.

Please note that if your token contract does not provide an owner with EIP-173, it must provide administration methods on the contract itself to interact with the registry otherwise the subscription will be locked to the options set during construction.

OwnedRegistrant

This Ownable smart contract is meant as a simple utility to enable subscription addresses that can easily be transferred to a new owner for administration. For example: an EOA curates a list of filtered operators and code hashes, and then transfers ownership of the OwnedRegistrant to a multisig wallet.

Validation

When the first token is minted on an NFT smart contract, OpenSea checks if the filtered operators on that network (Ethereum Mainnet, Goerli, Polygon, etc.) are allowed to transfer the token. If they are, OpenSea will mark the collection as ineligible for creator earnings. Otherwise, OpenSea will enforce creator earnings on the collection.

If at a later point, OpenSea detects orders being fulfilled by filtered operators, OpenSea will mark the collection as ineligible for creator earnings going forward.

The included validation test runs the same checks that OpenSea does when first creating a collection page, and can be extended with custom setup for your token contract.

The test can be configured to test against deployed contracts on a network fork with a .env file following the sample.env. You may need to supply a custom [rpc_endpoints] in the foundry.toml file for forking to work properly.

To run only the validation tests, run

forge test --match-contract ValidationTest -vvv

See the Foundry project page for Foundry installation instructions.

Audit

The contracts in this repository have been audited by OpenZeppelin. You may read the final audit report here.

License

MIT Copyright 2022 Ozone Networks, Inc.