Buying an NFT usually means you own a unique ERC-721 token that lives on Ethereum. The token is a smart contract that gives you ownership of digital goods or collectibles, such as a piece of digital art or a digital baseball card. NFTs can also assign ownership to physical goods, such as a house, but that type of NFT is not discussed here.
In most cases, the object and its metadata are stored separately from the NFT that you buy. It is impractical and too costly to store the entire digital object on a blockchain.
Sometimes the only link between the NFT smart contract and the object is a URL, meaning that the content stored at that URL can change without the owner knowing about it until after the fact.
When you buy an NFT, you own the right to digitally flex it — i.e. show it off to friends — online, but you don’t own the object itself unless it is so stipulated in your end user license agreement (EULA).
NFT Fine Print; Hard Lessons Ahead
Most buyers rarely see — let alone sign — an EULA. But if one exists and they read it, they may be surprised to learn that they normally can only ‘flex’ the object online and cannot typically make a copy of it for a physical T-shirt or coffee cup, since the object is protected under copyright law.
An NFT buyer can be left owning a string of meaningless bits if the object linked to the NFT (e.g. a digital baseball card) is stored on a central server and that server becomes inaccessible and/or the file is corrupted.
NFT buyers are bound to learn more about this – probably the hard way – in the coming year. For example, it could happen if a budding artist who sells NFT art goes out of business and can no longer afford to keep the server where the art is stored up and running.
NFT Markets will become More Transparent and Trustworthy
The good news is that the market will become more transparent and trustworthy. NFT buyers will demand to know where and how their NFT objects are stored so that they can make an informed decision about whether they can trust the NFT seller to provide persistent secure storage as long as they so choose.
NFT sellers will eventually have many more easily accessible persistent storage options and over time will likely start shifting ownership for storage over to the buyers. Buyers who want to keep their objects around will have to sign up for low-fee storage subscription services, much like Apple’s iCloud storage service.
Points to consider when safeguarding NFT metadata and digital objects:
- Sellers should hash the digital objects that reside off-chain. The hash is essentially a fingerprint for the content: any change to the bytes changes the hash. (In IPFS, these content hashes are called CIDs, or content identifiers.) The NFT should then be created so that it points to that hash in the off-chain storage system rather than to a plain, mutable URL.
- Most well-known brands that transact in or sell NFTs do this, so that anyone can validate the file’s hash against the hash stored in the NFT, thus validating NFT ownership no matter where the file/object lives.
- Many known brands store NFT linked objects on their centralized servers, but that represents a single point of failure and of trust. Not exactly in line with the principles of democratized blockchains.
- NFT file/object storage should, and often does, use a distributed file system, e.g. IPFS, with content replicated across many nodes. This way the system can tolerate the disappearance of a single node (or even a few nodes) that hold the NFT object.
- The integrity of the NFT object depends on the IPFS path recorded in the NFT continuing to resolve to the stored content; if nobody keeps pinning the content, the CID still verifies but nothing may be left to fetch. Some users report path resolution failures. See IPFS Issues for examples.
- Buyers cannot assume that just because an NFT is cryptographically secured on a blockchain, the NFT is legitimate. Already there are reports of ‘sleepminting’ attacks, proven at least theoretically, where NFTs are minted to a well-known user/artist wallet and then transferred to a hacker’s wallet without triggering any of the typical smart contract security checks. See Sleepminting and NFT Theft.
- Hackers are bound to target NFTs more in the future, as the market becomes more active and lucrative. They are also bound to repeat history and exploit the most vulnerable access points, i.e. user account takeover, exploits of APIs, exploits of smart contract logic, and poisoning off-chain data. See our research note that analyzes the top 5 blockchain security threats Garbage In, Garbage Forever: Top 5 Blockchain Security Threats and summarizes existing mitigation measures. (See Figure below).
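The hashing and content-addressing points above (hash the off-chain object, put that hash in the NFT, let anyone re-verify the file) can be shown end to end with a small Python script. This is an added example, not code from the original note or from IPFS: it builds a CIDv1 for raw bytes (version 1, "raw" multicodec, sha2-256 multihash, base32 multibase) using only the standard library, then checks fetched bytes against the CID found in a token's metadata. The metadata JSON, the object bytes and the field names are constructed for the example; a real tokenURI is fetched from the contract.

```python
import base64
import hashlib
import json

# CIDv1 wire layout: <version><multicodec><multihash>
# multihash layout:  <hash function code><digest length><digest>
CID_VERSION = b"\x01"       # CIDv1
CODEC_RAW = b"\x55"         # multicodec "raw": the bytes are hashed as one blob
HASH_SHA2_256 = b"\x12"     # multihash code for sha2-256
MULTIBASE_BASE32 = "b"      # multibase prefix: lowercase base32, no padding


def raw_cid_v1(data: bytes) -> str:
    """Content identifier for a blob stored as a single raw block."""
    digest = hashlib.sha256(data).digest()
    multihash = HASH_SHA2_256 + bytes([len(digest)]) + digest
    binary_cid = CID_VERSION + CODEC_RAW + multihash
    b32 = base64.b32encode(binary_cid).decode("ascii").rstrip("=").lower()
    return MULTIBASE_BASE32 + b32


def content_matches_cid(data: bytes, cid: str) -> bool:
    """True only if recomputing the CID over the fetched bytes gives the same CID."""
    return raw_cid_v1(data) == cid


def check_token_object(metadata_json: str, fetched_object: bytes) -> dict:
    """Inspect the 'image' link in tokenURI metadata (field name assumed) and,
    if it is content-addressed, verify the bytes that were fetched for it."""
    meta = json.loads(metadata_json)
    link = meta.get("image", "")
    result = {"link": link, "content_addressed": False, "integrity_verified": False}
    if link.startswith("ipfs://"):
        # Strip the scheme and any trailing path; the first segment is the CID.
        cid = link[len("ipfs://"):].split("/", 1)[0]
        result["content_addressed"] = True
        result["integrity_verified"] = content_matches_cid(fetched_object, cid)
    # An http(s) link says only where the object is today; nothing in the token
    # binds which bytes must be there, so integrity cannot be checked at all.
    return result


# Constructed sample object (stands in for the PNG bytes of a digital card).
ART = b"constructed sample: digital baseball card #1 image bytes"
ART_CID = raw_cid_v1(ART)

# Constructed metadata: one token links by CID, the other by a plain URL.
METADATA_IPFS = json.dumps({"name": "Card #1", "image": "ipfs://" + ART_CID})
METADATA_URL = json.dumps({"name": "Card #1", "image": "https://example.com/card1.png"})

if __name__ == "__main__":
    print("CID:", ART_CID)
    print("ipfs link, genuine bytes:", check_token_object(METADATA_IPFS, ART))
    print("ipfs link, altered bytes:", check_token_object(METADATA_IPFS, ART + b"x"))
    print("plain URL:", check_token_object(METADATA_URL, ART))
```

The hash alone proves integrity, not availability: a CID lets the buyer detect a swapped or corrupted file no matter which gateway served it, but someone still has to keep the bytes pinned, which is the storage problem the rest of the note is about.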
We expect the growth of NFT commerce to generate many offshoot services that support the ecosystem. These services should ideally be decentralized but centralized players will also offer them to earn additional revenues.
Here’s a partial list of what’s needed to secure and protect the use and trading of NFTs, and where we expect to see much innovation in the future:
- Storage: More distributed storage systems that support (for a fee) persistent storage and secure integration with blockchain networks. Over time, these will be as easy and cheap to buy as consumer cloud storage services are today.
- Escrow services: needed for example to hold NFTs in escrow when they are wrapped by other NFTs that add additional features to them.
- Owner Insurance: to insure against NFT object/file destruction or disappearance.
- Custody: services that ensure NFT object/file safekeeping over time, much like bank vaults do today.
Be Prepared and Stay Aware
Next time you buy a cool digital shoe for your favorite avatar (see Nike NFT Patent), make sure the shoe will last as long as your avatar wants to wear it. That assurance will take more than good sneaker treads – it will also take reliable and persistent shoe storage. Not something you would normally think about when buying shoes today, but something that will become commonplace in the years to come.