Improved NFT Standard

[mikedotexe]

This GitHub discussion is a continuation from several conversations that resulted in a short thread on the NEAR Governance Forum here:
https://gov.near.org/t/nft-standard-discussion/853/13

Handy reference links:

• Mintbase's ERC-721 Reference including a Rust interface
• OpenZeppelin implementation of ERC-721
• EIP/ERC-721 from Ethereum.org
• EIP-1155 for multi-tokens which is a considering particularly for universal identifiers.

Other NEAR-related links:

• A simple NFT implementation (not created after recent discussions)
• Fungible Token library implementation of the Storage Management standard
• NEP-4, the old NFT standard that does not include approvals per token ID

---

As we step through the different facets of an NFT standard and extension standards, let's keep in mind two NFT scenarios:

1. An art NFT that can be sold on multiple markets.
2. An NFT that acts as a deed. (Think a car title, plot of land, etc.)

These may help guide what we determine to be necessary in an NFT Core standard or not.

Core (with Storage Management)

Data structures / fields

pub type TokenId = String;

pub struct Token {
    pub owner_id: AccountId,
}

pub struct Core {
    pub tokens: LookupMap<TokenId, Token>,
    owner_id: AccountId,
    token_storage_usage: StorageUsage, // u64, how much it costs to add an entry to the "tokens" map if the owner's account is max length of 64 characters.
}

Methods

The following have the same workflow as the explained in the Fungible Token Core spec, except with nft_transfer_call there is no value returned from the receiver contract. Instead, the contract shall panic if it's unable to transfer an NFT to an individual. An execution that doesn't panic indicates a successful transfer.

Note on enforce_owner_id in the methods below: if given, the method MUST panic if current owner does not match the provided enforce_owner_id value. This prevents an accidental transfer race condition.

pub fn nft_transfer(
    &mut self,
    receiver_id: AccountId,
    token_id: TokenId,
    enforce_owner_id: Option<ValidAccountId>,
    memo: String
) {}

fn nft_transfer_call(
    &mut self,
    receiver_id: ValidAccountId,
    token_id: TokenId,
    enforce_owner_id: Option<ValidAccountId>,
    memo: Option<String>,
    msg: String,
) -> Promise {}

pub fn on_nft_transfer: (
    &mut self,
    receiver_id: ValidAccountId,
    token_id: TokenId,
    enforce_owner_id: Option<ValidAccountId>,
    memo: Option<String>
) {}

Metadata

pub struct NFTMetadata {
    spec: String, // required, essentially a version like "nft-1.0.0"
    name: String, // required, ex. "Mochi Rising — Digital Edition" or "ML Course Completion, Spring 2021"
    media: Option<String>, // preferably decentralized URL (can be centralized, though) to associated media
    icon: Option<String>, // Data URL, this could be, for instance, a thumbnail of a piece of art
    reference: Option<String>, // URL to a JSON file with more info
    reference_hash: Option<String> // Base64-encoded sha256 hash of JSON from reference field
}

pub struct Token {
    pub owner_id: AccountId,
    pub meta: NFTMetadata, // NEW FIELD
}

Note that when this NFT contract is created and initialized, the associated token_storage_usage will be higher than the previous Core example because of the added metadata fields. The fields name and icon in particular are indeed variable. The frontend can account for this by adding extra deposit when minting. This could be done by padding with a reasonable amount, or by the frontend using the RPC call detailed here that gets genesis configuration and actually determine precisely how much deposit is needed.

Approvals

This is a point for continued work, following some healthy debate on the topic. A critical objective is to have a token able to add multiple approvals. In example form, a piece of art is an individual token on an NFT contract and this piece of art can allow Volcano Art and Petroglyph Art shops to list the piece for purchase.

One approach suggested was that the Token object has a flag, something like has_approvals: bool. Then separately, another mapping exists linking owner » approvers. The combination of these two is used to determine if a market can take a particular token. This leaves some wiggle room for trust.

Example of this problem: Clark Little is an ocean photographer that embraces selling his work as NFTs. Alice visits a market website selling his work and finds a print she'd like to buy. She waits for her partner to come home before purchasing, leaving the tab open. Simultaneously, Surfrider, a beach cleanup organization asks if Clark would donate a couple prints for a raffle. Clark agrees, delists two prints from all market websites, and adds the surfrider account as an approver. surfrider will take care of all the details regarding the raffle, transferring it to the winner, etc. Alice finalizes her decision and clicks the (stale) website UI to purchase a print that was delisted, since the market is among the approvers and the two prints have the flag of has_approvals the transfer goes through.

Conclusion: in order to avoid introducing trust and inconsistency, approvals need to be tied per token. This would look like:

pub struct Token {
    pub owner_id: AccountId,
    pub metadata: String,
    pub approved_account_ids: HashSet<AccountId>, // if the number of approvers is expected to be large, a NEAR collection instead of HashSet
}

Enumeration

Similar to how non-fungible tokens in Ethereum work, enumeration is conceptually an "extension" standard. See ERC-721 spec for reference. (Search for "metadata extension")

pub struct Contract {
    …
    pub tokens_per_owner: LookupMap<AccountId, UnorderedSet<TokenId>>,
}

pub fn nft_total_supply(&self) -> U64 {}

pub fn nft_tokens_owned_by(&self, account_id: ValidAccountId) -> Vec<TokenId> {}

pub fn nft_paged_tokens_owned_by(&self, account_id: ValidAccountId, start_item: TokenId, num_items: U64) -> Vec<TokenId> {}

Universal token identifiers

Royalties

Given the use case of a property deed NFT where royalties wouldn't apply so much, this makes sense as its own standard. This section needs to be fleshed out more, but below is provided some code from a couple resources to help kickstart the standard discussion.

Taking some ideas from Mintbase and the Staking Pool contract regarding the safe representation of a fraction:

use uint::construct_uint;
use near_sdk::Balance;

construct_uint! {
    /// 256-bit unsigned integer.
    pub struct U256(4);
}

#[derive(BorshDeserialize, BorshSerialize, Serialize, Deserialize, Clone)]
#[serde(crate = "near_sdk::serde")]
pub struct Fraction {
    pub numerator: u32,
    pub denominator: u32,
}

impl Fraction {
    pub fn assert_valid(&self) {
        assert_ne!(self.denominator, 0, "Denominator must be a positive number");
        assert!(
            self.numerator <= self.denominator,
            "The fraction must be less or equal to 1"
        );
    }

    pub fn multiply(&self, value: Balance) -> Balance {
        (U256::from(self.numerator) * U256::from(value) / U256::from(self.denominator)).as_u128()
    }
}

And the the Fraction struct can be used as a royalty field on a token, like:

pub struct Royalty {
  pub split_between: UnorderedMap<AccountId, Fraction>,
  pub percentage: Fraction,
}

[robert-zaremba]

[Resolved] Change Proposal: use memo in both transfer functions and add msg in transfer_call

Same motivation as in NEP-141

• memo is useful for accounting and linking transaction with other kind of data.
• msg is useful to send a purpose of the transfer to the contract with possible extra instruction (eg order ID).

Update interface:

pub fn nft_transfer(&mut self, new_owner_id: AccountId, token_id: TokenId, msg: String) {}
pub fn nft_transfer_call: (&mut self, new_owner_id: AccountId, token_id: TokenId, msg: String, memo: Option<String>) -> Promise {}

[chadoh]

I agree with this memo & msg proposal, but the suggested interface seems to have a few problems

• has msg on nft_transfer instead of memo
• nft_transfer_call should have memo before msg (matches FT & nft_transfer)
• memo should be optional for both functions
• We should use receiver_id to match FT (this is done above)

Updated interface, using TypeScript (I believe this is favored for specs?) would be:

function nft_transfer(
    receiver_id: string,
    token_id: string,
    memo: string|null
): void {}
function nft_transfer_call(
   receiver_id: string,
   token_id: string,
   memo: string|null,
   msg: string
): Promise {}

[robert-zaremba]

Yes, I swapped memo with msg.

[robert-zaremba]

There is no other team and chain which mastered NFTs than Flow -> we should have a better look at their NFT standard: https://github.com/onflow/flow-nft

[chadoh]

pub struct NFTMetadata {
  spec: String, // required, essentially a version like "nft-1.0.0"
  name: String, // required, ex. "Mochi Rising — Digital Edition" or "ML Course Completion, Spring 2021"
  media: Option<String>, // preferably decentralized URL (can be centralized, though) to associated media
  icon: Option<String>, // Data URL
  reference: Option<String>, // URL to a JSON file with more info
  reference_hash: Option<String> // Base64-encoded sha256 hash of JSON from reference field
}

pub struct Token {
  pub owner_id: AccountId,
  pub meta: NFTMetadata, // NEW FIELD
}

Suggestion: rename NFTMetadata to TokenMetadata. Calling it "NFTMetadata" makes it seem like it applies to the entire contract, not individual tokens within the contract.

And actually, it seems like maybe the two concepts have been mixed a bit?

• spec, name, icon, and reference(_hash) all seem like they apply at the contract level
• media seems like it only makes sense at the token level
• name, icon and reference(_hash) seem like they may also be permissible (though not required) at the token level

[chadoh]

I see that the proposal above includes a enforce_owner_id on nft_transfer_call but I see no description of it here. What is this?

[chadoh]

Conclusion: in order to avoid introducing trust and inconsistency, approvals need to be tied per token

I agree with this approach

[zahhar]

How about extending TokenMetadata with:

• media_hash (Base64 sha256 hash from Media content) - to ensure it does not change meanwhile,
• iat or issued_at (UNIX Timestamp, or UTC DateTime) - issued (minted)
• exp or expires_at (UNIX Timestamp, or UTC DateTime) - expiration time
• nbf or starts_at (UNIX Timestamp, or UTC DateTime) - valid not before
• upd or updated_at (UNIX Timestamp, or UTC DateTime) - last updated

Probably iat and upd timestamps can be derived from blocks when respective action happened, I do not know. Anyhow often we might need times, but storing them in off-chain metadata (e.g. in reference JSON that needs to be downloaded, decoded and processed) will be too slow and "expensive".

[evgenykuzyakov]

pub fn nft_transfer(
  &mut self,
  receiver_id: AccountId,
  token_id: TokenId,
  memo: String
) {}

Is missing enforce_owner_id, which is also required. Since nft_transfer also can be called by approval.

Please take a look at latest on NFT Simple: https://github.com/near/core-contracts/tree/ec632f03de777381710d9a145c01720bd23cdf02/nft-simple

Which contains approval methods and storage management logic.

[oysterpack]

can we level set the discussion here? ... I think it would be useful and productive to prototype the design with real code - nft-simple is a good place to start ... "the proof is in the pudding".

To help get folks on the same page, I have extracted the interfaces from the project to re-basline the discussion:

pub type TokenId = String;

#[derive(BorshDeserialize, BorshSerialize, Serialize, Deserialize)]
#[serde(crate = "near_sdk::serde")]
pub struct Token {
    pub owner_id: AccountId,
    pub metadata: String,
    pub approved_account_ids: HashSet<AccountId>,
}

pub trait NonFungibleTokenCore {
    fn nft_transfer(
        &mut self,
        receiver_id: ValidAccountId,
        token_id: TokenId,
        enforce_owner_id: Option<ValidAccountId>,
        memo: Option<String>,
    );

    /// Returns `true` if the token was transferred from the sender's account.
    fn nft_transfer_call(
        &mut self,
        receiver_id: ValidAccountId,
        token_id: TokenId,
        enforce_owner_id: Option<ValidAccountId>,
        memo: Option<String>,
        msg: String,
    ) -> Promise;

    fn nft_approve_account_id(&mut self, token_id: TokenId, account_id: ValidAccountId) -> bool;

    fn nft_revoke_account_id(&mut self, token_id: TokenId, account_id: ValidAccountId) -> bool;

    fn nft_revoke_all(&mut self, token_id: TokenId);

    fn nft_total_supply(&self) -> U64;

    fn nft_token(&self, token_id: TokenId) -> Option<Token>;
}

#[ext_contract(ext_non_fungible_token_receiver)]
trait NonFungibleTokenReceiver {
    /// Returns `true` if the token should be returned back to the sender.
    /// TODO: Maybe make it inverse. E.g. true to keep it.
    fn nft_on_transfer(
        &mut self,
        sender_id: AccountId,
        previous_owner_id: AccountId,
        token_id: TokenId,
        msg: String,
    ) -> Promise;
}

#[ext_contract(ext_self)]
trait NonFungibleTokenResolver {
    fn nft_resolve_transfer(
        &mut self,
        owner_id: AccountId,
        receiver_id: AccountId,
        approved_account_ids: HashSet<AccountId>,
        token_id: TokenId,
    ) -> bool;
}

Food for thought ...

We have been using the approach of designing the standards by defining the JSON RPC API interfaces using typescript. That is necessary, but that is only part of the story. We need to also define the Rust smart contact interfaces. Thus, I would propose going forward that we start with the Rust smart contract interfaces and then map that to the JSON RPC API, which should fall out of the Rust smart contract interfaces.

[oysterpack]

Questions

1. How does a user know which NFT tokens he owns?
2. How does a user know which tokens he is approved for?

[chadoh]

This seems like it would be part of the upcoming Enumeration extension. I believe this discussion's description has been updated with this information.

[oysterpack]

Issues with Token data structure

pub type TokenId = String;

#[derive(BorshDeserialize, BorshSerialize, Serialize, Deserialize)]
#[serde(crate = "near_sdk::serde")]
pub struct Token {
    pub owner_id: AccountId,
    pub metadata: String,
    pub approved_account_ids: HashSet<AccountId>,
}

1. it is not scalable and resource efficient
   • each time the token is loaded it needs to load all approved account IDs and the metadata into memory.
   • this also makes gas estimation unpredictable. The cost to transfer NFT should be predictable. For example, the current implementation reads the token from storage:

pub(crate) fn internal_transfer(
        &mut self,
        sender_id: &AccountId,
        receiver_id: &AccountId,
        token_id: &TokenId,
        enforce_owner_id: Option<&ValidAccountId>,
        memo: Option<String>,
    ) -> (AccountId, HashSet<AccountId>) {
        let Token {
            owner_id,
            metadata,
            approved_account_ids,
        } = self.tokens_by_id.get(token_id).expect("Token not found");

2. The internal representation should be kept separate from the API data model.
3. metadata has no standard schema defined, which makes it more difficult and expensive for integrations

[chadoh]

internal representation should be kept separate from the API data model

Can you elaborate on this point?

it is not scalable and resource efficient

@evgenykuzyakov would we be able to use LazyOption for calls to anything other than nft_metadata and nft_token, as we do for FT?

[oysterpack]

#[derive(BorshDeserialize, BorshSerialize, Serialize, Deserialize)]
#[serde(crate = "near_sdk::serde")]
pub struct Token {
    pub owner_id: AccountId,
    pub metadata: String,
    pub approved_account_ids: HashSet<AccountId>,
}

fn nft_token(&self, token_id: TokenId) -> Option<Token>;

The Token::approved_account_ids poses a potential problem because it is unbounded. The token works fine under the assumption that the number of approved accounts will be kept small and be bounded, i.e., e.g., allow a max of 10 approved account IDs. If there is a max upper bound, then it should be explicit and enforced by the contract. Does the entire set of approved account IDs even need to be returned as part of the nft_token() API, i.e., should there be separate query functions for approved account IDs?

The same goes for metadata. What are the expectations for metadata?

As a general rule, leaving anything unbounded creates vulnerabilities.

1. This makes gas cost unpredictable because the CPU, memory, and storage IO will vary based on the data structure size. For example, the amount of data (number of bytes) returned per API call should be consistent. For unbounded data structures, more robust query APIs are needed that support paging though the data result set.
2. Storage usage and storage staking costs must always be carefully managed. This is the easiest way to exploit or break a contract on NEAR. I see that the simple NFT does require payment to cover storage for approved account IDs. but there are some hard coded assumptions in the computations. This is fine for prototype code, but not acceptable for production grade smart contracts ... as a side note, expecting every contract to implement custom storage management logic correctly is too error prone and time consuming for each contract to get it right - there needs to be generic solutions provided for contract developers

[thor314]

An update on the Royalty field we're using, described in yesterday's meeting.

#[derive(BorshSerialize, BorshDeserialize, Serialize, Deserialize, Debug, Clone, PartialEq)]
#[serde(crate = "near_sdk::serde")]
pub struct Royalty {
  /// Mapping of addresses to relative percentages of the overall royalty percentage
  pub split_between: HashMap<AccountId, SafeFraction>,
  /// The overall royalty percentage taken
  pub percentage: SafeFraction,
}

/// Royalty upper limit is 50%.
pub const ROYALTY_UPPER_LIMIT: u32 = 5000;

impl Royalty {
  /// Validates all arguments. Addresses must be valid and percentages must be
  /// within accepted values. Hashmap percentages must add to 10000.
  pub fn new(split_between: HashMap<AccountId, u32>, percentage: u32) -> Self {
    assert!(
      percentage <= ROYALTY_UPPER_LIMIT,
      "percentage: {} must be <= 5000",
      percentage
    );
    assert!(percentage > 0, "percentage cannot be zero");
    assert!(
      split_between.len() <= MAX_HASHMAP_LENGTH,
      "royalty mapping too long"
    );
    assert!(!split_between.is_empty(), "royalty mapping is empty");

    let mut sum: u32 = 0;
    let split_between: HashMap<AccountId, SafeFraction> = split_between
      .into_iter()
      .map(|(addr, numerator)| {
        assert!(env::is_valid_account_id(&addr.as_bytes().to_vec()));
        assert!(numerator > 0, "percentage cannot be zero");

        let sf = SafeFraction::new(numerator);
        sum += sf.numerator;

        (addr, sf)
      })
      .collect();
    assert!(sum == 10_000, "fractions don't add to 10,000");

    Self {
      percentage: SafeFraction::new(percentage),
      split_between,
    }
  }
}

Where SafeFraction is a single 4-digit number, which may be safely multiplied with another SafeFraction without resorting to storing a denominator field:

#[derive(
  BorshDeserialize, BorshSerialize, Serialize, Deserialize, Debug, PartialEq, Copy, Clone,
)]
#[serde(crate = "near_sdk::serde")]
pub struct SafeFraction {
  pub numerator: u32,
}

impl SafeFraction {
  /// Take a u32 numerator to a 10^4 denominator.
  ///
  /// Upper limit is 10^4 so as to prevent multiplication with overflow.
  pub fn new(numerator: u32) -> Self {
    assert!(
      (0..=10000).contains(&numerator),
      "{} not between 0 and 10,000",
      numerator
    );
    SafeFraction { numerator }
  }

  /// Fractionalize a balance.
  pub fn multiply_balance(self, value: Balance) -> Balance {
    self.numerator as u128 * value / 10_000
  }
}

impl std::ops::Mul for SafeFraction {
  type Output = MultipliedSafeFraction;
  fn mul(self, rhs: Self) -> Self::Output {
    MultipliedSafeFraction {
      numerator: self.numerator * rhs.numerator,
    }
  }
}

/// A SafeFraction that has been multiplied with another SafeFraction. Denominator is 10^8.
pub struct MultipliedSafeFraction {
  pub numerator: u32,
}

[thor314]

There are numerous problems with nft_resolve_transfer API and documentation. I've submitted a pull request documenting some suggestions for an API update.

Eg.
receiver_id should be removed from the arguments. approvals has an inappropriate type. The documentation references fungible tokens and incorrect argument names.

Here's a sample implementation. I would like to know how to check that the promise chain returns true. There's also a bug with the Near sdk, on impl blah for Contract with traits tagged with an ext_contract attribute.

#[ext_contract(ext_self)]
pub trait NonFungibleResolveTransfer {
  /// Finalize an `nft_transfer_call` chain of cross-contract calls.
  ///
  /// The `nft_transfer_call` process:
  ///
  /// 1. Sender calls `nft_transfer_call` on FT contract
  /// 2. NFT contract transfers token from sender to receiver
  /// 3. NFT contract calls `nft_on_transfer` on receiver contract
  /// 4+. [receiver contract may make other cross-contract calls]
  /// N. NFT contract resolves promise chain with `nft_resolve_transfer`, and may
  ///    transfer token back to sender
  ///
  /// Requirements:
  /// * Contract MUST forbid calls to this function by any account except self
  /// * If promise chain failed, contract MUST revert token transfer
  /// * If promise chain resolves with `true`, contract MUST return token to
  ///   `sender_id`
  ///
  /// Arguments:
  /// * `sender_id`: the sender of `ft_transfer_call`
  /// * `token_id`: the `token_id` argument given to `ft_transfer_call`
  /// * `approved_token_ids`: if using Approval Management, contract MUST provide
  ///   set of original approved accounts in this argument, and restore these
  ///   approved accounts in case of revert.
  ///
  /// Returns true if token was successfully transferred to `receiver_id`.
  #[private]
  fn nft_resolve_transfer(
    &mut self,
    owner_id: String,
    token_id: String,
    approvals: HashMap<AccountId, u64>,
  );
}

#[near_bindgen]
// near-sdk bug:
// cannot find trait `NonFungibleResolveTransfer` in this scope
// impl NonFungibleResolveTransfer for MintbaseStore {
impl MintbaseStore {
  #[private]
  pub fn nft_resolve_transfer(
    &mut self,
    owner_id: String,
    token_id: String,
    approvals: HashMap<AccountId, u64>,
  ) {
    assert_eq!(env::promise_results_count(), 1);
    match env::promise_result(0) {
      near_sdk::PromiseResult::Successful(_b) => {
        //todo:
        // how do I check that the promise chain resolves with "true"?
        // let b: bool = _b.into(); // nope
        if true {
          let token_idu64 = token_id.parse::<u64>().unwrap();
          let mut token = self.nft_token_internal(token_idu64);
          self.transfer_internal(&mut token, owner_id);
          approvals.into_iter().for_each(|(k, v)| {
            token.approvals.insert(k, v);
          });
        }
      }
      near_sdk::PromiseResult::Failed => {
        // revert transfer
        let mut token = self.nft_token(token_id).expect("no token");
        self.transfer_internal(&mut token, owner_id);
        approvals.into_iter().for_each(|(k, v)| {
          token.approvals.insert(k, v);
        });
      }
      near_sdk::PromiseResult::NotReady => {}
    };
  }
}

[chadoh]

I would like to know how to check that the promise chain returns true

You can use env::promise_result(0). Here's some (unreviewed by @evgenykuzyakov, could probably be improved) code I came up with:

// Get whether token should be returned
let must_revert = match env::promise_result(0) {
    PromiseResult::NotReady => unreachable!(),
    PromiseResult::Successful(value) => {
        if let Ok(yes_or_no) = near_sdk::serde_json::from_slice::<bool>(&value) {
            yes_or_no
        } else {
            true
        }
    }
    PromiseResult::Failed => true,
};

---

There's also a bug with the Near sdk, on impl blah for Contract with traits tagged with an ext_contract attribute.

What bug are you seeing? Is it that the ext_contract trait and your regular trait have the same name? I worked around this by setting the ext_contract trait to a unique name. Its name doesn't matter.

[thor314]

Bug is that by using the rust-idiomatic impl trait for Whatever, the methods are no longer call-able by other contract methods.

[thor314]

Sample rust trait declaration and implementation of the Typescript API.

/// Impl of NEP-171. Note that the impl makes the assumption that `TokenId` has
/// type `String`, where this contract internally uses `u64`, which is more
/// efficient. ref:
/// https://github.com/near/NEPs/blob/master/specs/Standards/NonFungibleToken/Core.md
pub trait NonFungibleContractCore {
  /// Simple transfer. Transfer a given `token_id` from current owner to
  /// `receiver_id`.
  ///
  /// Requirements
  /// * Caller of the method must attach a deposit of 1 yoctoⓃ for security purposes
  /// * Contract MUST panic if called by someone other than token owner or,
  ///   if using Approval Management, one of the approved accounts
  /// * `approval_id` is for use with Approval Management extension, see
  ///   that document for full explanation.
  /// * If using Approval Management, contract MUST nullify approved accounts on
  ///   successful transfer.
  ///
  /// Arguments:
  /// * `receiver_id`: the valid NEAR account receiving the token
  /// * `token_id`: the token to transfer
  /// * `approval_id`: expected approval ID. A number smaller than
  ///    2^53, and therefore representable as JSON. See Approval Management
  ///    standard for full explanation.
  /// * `memo` (optional): for use cases that may benefit from indexing or
  ///    providing information for a transfer
  //#[payable]
  fn nft_transfer(
    &mut self,
    receiver_id: AccountId,
    token_id: String,
    approval_id: Option<U64>,
    memo: Option<String>,
  );

  /// Returns `true` if the token was transferred from the sender's account.
  ///
  /// Transfer token and call a method on a receiver contract. A successful
  /// workflow will end in a success execution outcome to the callback on the NFT
  /// contract at the method `nft_resolve_transfer`.
  ///
  /// You can think of this as being similar to attaching native NEAR tokens to a
  /// function call. It allows you to attach any Non-Fungible Token in a call to a
  /// receiver contract.
  ///
  /// Requirements:
  /// * Caller of the method must attach a deposit of 1 yoctoⓃ for security
  ///   purposes
  /// * Contract MUST panic if called by someone other than token owner or,
  ///   if using Approval Management, one of the approved accounts
  /// * The receiving contract must implement `ft_on_transfer` according to the
  ///   standard. If it does not, FT contract's `ft_resolve_transfer` MUST deal
  ///   with the resulting failed cross-contract call and roll back the transfer.
  /// * Contract MUST implement the behavior described in `ft_resolve_transfer`
  /// * `approval_id` is for use with Approval Management extension, see
  ///   that document for full explanation.
  /// * If using Approval Management, contract MUST nullify approved accounts on
  ///   successful transfer.
  ///
  /// Arguments:
  /// * `receiver_id`: the valid NEAR account receiving the token.
  /// * `token_id`: the token to send.
  /// * `approval_id`: expected approval ID. A number smaller than
  ///    2^53, and therefore representable as JSON. See Approval Management
  ///    standard for full explanation.
  /// * `memo` (optional): for use cases that may benefit from indexing or
  ///    providing information for a transfer.
  /// * `msg`: specifies information needed by the receiving contract in
  ///    order to properly handle the transfer. Can indicate both a function to
  ///    call and the parameters to pass to that function.
  //#[payable]
  fn nft_transfer_call(
    &mut self,
    receiver_id: AccountId,
    token_id: String,
    approval_id: Option<String>,
    memo: Option<String>,
    msg: String,
  ) -> Promise;

  /// Returns the token with the given `token_id` or `None` if no such token.
  fn nft_token(&self, token_id: String) -> Option<Token>;
}

#[near_bindgen]
impl NonFungibleContractCore for MintbaseStore {
  fn nft_transfer(
    &mut self,
    receiver_id: AccountId,
    token_id: String,
    approval_id: Option<U64>,
    #[allow(unused_variables)] memo: Option<String>,
  ) {
    //assert_one_yocto(); // worsens user experience for security
    let token_id = token_id.parse::<u64>().unwrap();
    let mut token = self.nft_token_internal(token_id);
    let pred = env::predecessor_account_id();
    if pred != token.owner_id {
      // check if pred has an approval
      let approval_id: Option<u64> = approval_id.map(|i| i.into());
      assert!(self.nft_is_approved_internal(&token, pred, approval_id));
    }
    self.transfer_internal(&mut token, receiver_id);

    // log (optionally: use memo)
  }

  fn nft_transfer_call(
    &mut self,
    receiver_id: AccountId,
    token_id: String,
    approval_id: Option<String>,
    #[allow(unused_variables)] memo: Option<String>,
    msg: String,
  ) -> Promise {
    // assert_one_yocto();
    let token_idu64 = token_id.parse::<u64>().unwrap();
    let mut token = self.nft_token_internal(token_idu64);
    let pred = env::predecessor_account_id();
    if pred != token.owner_id {
      // check if pred has an approval
      let approval_id: Option<u64> = approval_id.map(|i| i.parse::<u64>().unwrap());
      assert!(self.nft_is_approved_internal(&token, pred.to_string(), approval_id));
    }

    self.transfer_internal(&mut token, receiver_id.to_string());
    // log (optionally: use memo)

    ext_on_transfer::nft_on_transfer(
      pred,
      token.owner_id.to_string(),
      token_id.to_string(),
      msg,
      &receiver_id,
      NO_DEPOSIT,
      DEFAULT_GAS,
    )
    .then(ext_self::nft_resolve_transfer(
      token.owner_id,
      token_id,
      token.approvals,
      &env::current_account_id(),
      NO_DEPOSIT,
      DEFAULT_GAS,
    ))
  }

  fn nft_token(&self, token_id: String) -> Option<Token> {
    self.tokens.get(
      &token_id
        .parse::<u64>()
        .unwrap_or_else(|_| env::panic(b"no such token")),
    )
  }
}