Is there a way to only allow minting from a website's domain? Like a CORS policy for smart contracts


I have an NFT contract that uses merkle proofs to ensure that everyone who mints an NFT has been whitelisted. My mint function takes `merkleProof` as a parameter and runs `isValidMerkleProof(merkleProof, whitelistMerkleRoot)` to ensure that the minter's address has already been added to the whitelist. This is a great system, and thank you to whoever invented merkle proofs, and thank you to whoever started using merkle proofs for NFTs, but it can be a little bit inconvenient for NFT drops. In order to do a whitelisted NFT drop, I have to have a sign up period. I collect email addresses for people who are interested in minting. Then I send these people individial discrete links where I collect their Metamask addresses and add their Ethereum addresses to a large array. When this address collection period is finished I make a merkle root of the address array and deploy the NFT with the merkle root set to the value I've calculated. The problem is that I'm asking the minters to do a lot of steps before they actually get their minted NFT. It would be more convenient if I could just write an NFT solidity contract that only accepts mint function calls from my mint site's domain, like a CORS policy for a solidity smart contract. I could set up Cloudflare protection on my domain (or just add a captcha), so only real humans using a web browser could make contract calls to mint NFTs. Does such a thing exist? Or is there any way more convenient way to mint NFTs in a way that protects against bots?

Answers 1

While you cannot directly implement CORS policies in smart contracts as they are a feature of web browsers and servers, there are alternative ways to achieve your goal of domain-locked minting with bot protection. Here are a couple of suggestions: **1- Server-side minting with signed messages:** You can require users to provide a signed message (proof) generated by your server to call the mint function in your contract. Only your server knows the secret key to generate this proof. This way, users need to pass the captcha on your website to obtain a valid signed message required for minting. The process would look like this: a. The user passes the captcha on your website. b. Your server generates a signed message for the user's Ethereum address. c. The user submits the signed message as a parameter to the mint function on your contract. d. The contract verifies the signed message before minting the NFT. **2- Meta-transactions:** Use meta-transactions to enable users to sign their intent to mint an NFT. Your server, upon verifying the captcha, can relay this message to your contract. This way, users will still pay for their own gas fees, but the minting process is gated by your server's verification. This process involves the following steps: a. The user signs a message containing their intent to mint an NFT. b. The user passes the captcha on your website. c. Your server relays the user's signed message to the contract after verifying the captcha. d. The contract verifies the message and mints the NFT. Both of these approaches add an extra layer of protection to your minting process, ensuring that only real users who pass the captcha can mint NFTs. Keep in mind that these methods are not foolproof, and it is essential to thoroughly audit your smart contracts to ensure their security and proper functioning.