The issue of NFT security is central to the long-term health of the creator economy. Earlier this year, Nate Nelson contributed the following expert analysis which highlighted the vulnerabilities that continue to plague NFT collecting. As part of ClubNFT, RCS is here to support readers in preserving their own collections. One way to do this is by downloading a copy of all the digital assets associated with your NFTs using ClubNFT’s free tool. Remember: Not your storage, not your NFTs...
Think about the most valuable thing you own. Your wedding ring, perhaps, or your car. A collection of vintage memorabilia. Your crypto wallet. Would you ever entrust such a valuable possession to somebody else on your behalf? Would you ever leave it somewhere where it could be lost? No, of course not.
Except it may well be that you already have. Right now, your most valuable possession may not be where you think it is. Arguably, you don’t really possess it at all.
Jason Bailey — otherwise known as Artnome — was an early collector of non-fungible tokens (NFTs). It was 2017, and the notion of a blockchain-based digital something (media file? artwork?) was little more than a gimmick: A proof of concept for a small community of eccentrics within the fledgling crypto community. Bailey was drawn to the idea from a technical perspective:
I spent that first year flying around the world, talking to people about how the blockchain is amazing because you will never lose your NFT. It’s on the blockchain distributed across all these computers and like it doesn’t matter if the marketplace goes out of business. That’s the whole point of Web3. You own it, right? It will never go away. (All quotes Jason Bailey.)
This was the promise of blockchain: Complete and unfettered ownership over your property — whether it be coins, media files, or anything in between — in perpetuity. No government or corporation or person could take away your Bitcoin, or your CryptoKitty, no matter what.
And so Bailey started buying up some cool little items for a few dollars, or a few dozen dollars, a pop. For example, when an artist by the name “XCOPY” auctioned off his first set of glitch artwork, Bailey jumped in and bought three of them. Unlike XCOPY’s current work, these were abstract and reminded Jason of work by painters like Gerhard Richter. Plus, they were the first — the genesis tokens. Imagine if XCOPY went on to become well-known? These little tokens would be worth something someday.
But then 2018 happened.
I was going around preaching from stages. [...] But it turns out there are a lot of bad things that can happen.
The greatest ever crypto bull run turned into the worst ever downturn. Bitcoin soared, then fell back down 66%, taking the rest of the market up and down with it. In fact, the rest of the market felt the effects even worse. Promising ICOs went bust, longstanding cryptocurrencies faded out of the canon, and crypto businesses — including NFT marketplaces — shuttered. There was R.A.R.E. Art Network, Digital Objects, Editional, and Ascribe, where Bailey bought his XCOPYs.
A bunch of pretty well-known marketplaces went out of business and my NFTs were no longer accessible. [...] People have tried to figure out what exactly happened there, where those NFTs went or where the tokens went. And in the case of marketplaces like Ascribe we’re still not entirely sure what exactly happened.
It was annoying, granted, but Bailey didn’t feel too hard done by. “I was like ‘Ha!’” he recalled, “not crying like too hard in mid-2018 because I had spent tens of dollars, and these things were really pretty experimental back then.”
Today, in 2022, those lost NFTs would be worth exponentially more than he ever imagined. In September, the collector Cozomo de’ Medici bought an XCOPY NFT for $3.9 million. In December, another XCOPY original, Right-click and Save As guy, sold to the same collector for $7 million. One can only imagine what XCOPY’s very first NFTs on Ascribe might have gone for in today’s market. Instead of realizing those gains, though, Bailey’s tokens are lost. Probably forever. Because he never really possessed them in the first place.
How do you know that you “own” something? Your watch, for example: You own it because you wear it on your wrist, right? If you lose it, or it’s stolen, it’s no longer yours. The same, presumably, applies to NFTs. As long as you have your wallet seed, and nobody else does, you own your NFTs.
Except not really. Your wallet doesn’t actually store NFTs, it stores keys. Those keys allow you to interact with the blockchain, but even the blockchain doesn’t actually have your $7 million JPEG.
That’s because moving or storing any significant amount of data is far slower, more arduous and more expensive on blockchains than with more traditional means. The Bitcoin network, famously, processes no more than a single megabyte of transaction data every ten minutes. Meanwhile, storing one megabyte’s worth of data on Ethereum can cost thousands of dollars at recent market rates. (For reference, one megabyte might hold a minute’s worth of mp3 audio, or some fraction of an HD image.) It rarely makes sense to store, say, an XCOPY NFT on-chain.
What blockchains are designed for — what they’re best at — is simple record-keeping. Alice trades an XCOPY to Bob, Bob sells it to someone else, and so on. Alice, Bob, and, crucially, the NFT, are only known to the system as hash values. Tokens. So when Alice trades the XCOPY to Bob she’s not trading a piece of visual art, or a file, she’s trading a string that looks like this…
f056aca1a9bd62f1e5a37fa7edfbc79527f4ff0efe7ba08fccb6ebf297cbfa46
…and points to a location on the internet where the file is stored. That’s where her XCOPY is. And that can be anywhere.
If the creator of the NFT is following best practices, then the media associated with your NFT is stored with the InterPlanetary File System (IPFS). IPFS is a decentralized storage network, and a perfectly reliable one at that. But, as with any storage system, it requires payment in exchange for that digital real estate you’re asking for.
Do you see where this is going?
As long as a marketplace is around, they’ll pay for their IPFS storage costs. But if they ever go belly up — as Ascribe and so many others have — those payments will be abandoned and, in turn, so will your media. You might still own the hash associated with that media, but who’s going to pay you for a string of letters and numbers associated with nothing?
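To make that dependency concrete, here is an added example (not part of the original article and not ClubNFT's tool) that reads a token's metadata and reports, for each media link, where the bytes live and who has to keep them online. It assumes ERC-721-style JSON metadata; every URI, CID and host in the sample is a constructed placeholder.

```python
import json
import re
from urllib.parse import urlparse

# Constructed ERC-721-style metadata. Every URI, CID and host is a placeholder.
SAMPLE_METADATA = json.dumps({
    "name": "Example token",
    "image": "ipfs://bafyEXAMPLEcid/art.gif",
    "animation_url": "https://gateway.example/ipfs/QmEXAMPLEcid/loop.mp4",
    "thumbnail": "https://cdn.marketplace.example/thumbs/1.png",
    "badge": "data:image/svg+xml;base64,PHN2Zy8+",
})

URI_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def classify_uri(uri):
    """Return (storage_class, cid_or_None, who_keeps_it_online) for one media URI."""
    match = URI_SCHEME.match(uri)
    scheme = match.group(1).lower() if match else ""
    if scheme == "data":
        return ("inline", None, "nobody: the bytes are embedded in the value")
    if scheme == "ipfs":
        # ipfs://<cid>/<path>; also tolerate the redundant ipfs://ipfs/<cid> form
        parts = [p for p in uri.split(":", 1)[1].split("/") if p]
        if parts and parts[0] == "ipfs":
            parts = parts[1:]
        return ("ipfs", parts[0] if parts else None, "whoever pins the CID")
    if scheme in ("http", "https"):
        url = urlparse(uri)
        parts = [p for p in url.path.split("/") if p]
        if len(parts) >= 2 and parts[0] == "ipfs":  # path-style gateway URL
            return ("ipfs-via-gateway", parts[1],
                    "whoever pins the CID, and " + url.netloc + " for this link")
        return ("centralized", None, "the operator of " + url.netloc)
    return ("unknown", None, "unclear, inspect manually")

def audit_metadata(metadata_json):
    """Classify every top-level string value that looks like a URI."""
    meta = json.loads(metadata_json)
    return {k: classify_uri(v) for k, v in meta.items()
            if isinstance(v, str) and URI_SCHEME.match(v)}

def backup_targets(report):
    """Fields whose media lives outside the record and should be copied locally."""
    return sorted(k for k, (kind, _, _) in report.items() if kind != "inline")

if __name__ == "__main__":
    report = audit_metadata(SAMPLE_METADATA)
    for field, (kind, cid, keeper) in report.items():
        print(f"{field:14} {kind:17} cid={cid}  kept online by {keeper}")
    print("back up:", backup_targets(report))
```

Only the inline value survives without anyone else's help; everything else depends on a pinning bill or a web server that someone other than the collector controls.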
IPFS isn’t free, magic storage if someone has to pay, right? They have to keep it up.
Maybe you personally own some valuable NFTs. Are you comfortable with the fact that you don’t actually possess the media you believe you own? That all the money you’ve spent — all the returns you expect — are contingent on the security and balance sheet of a third-party company?
To many NFT investors, this isn’t a theoretical question.
It was Fall 2021, and the NFT ecosystem was thriving. Established brands like OpenSea and Rarible had long become household names, moving millions and then billions of dollars in inventory every month. But one lesser-known marketplace was soaring past all the rest.
Hic et Nunc (HEN) had only launched in March 2021, well into the NFT boom. Remarkably, by May, it had already attracted more daily users than OpenSea. Nearly 50,000 creators and buyers flocked to it for its low transaction fees, made possible by running through Tezos rather than Ethereum. It helped HEN pull in $50 million in revenue in just over half a year.
And then, on November 12th, it all ended. Suddenly, without warning, all at once.
Only a day earlier, thousands of users were transacting and managing their NFTs as usual. Now the site wasn’t just down. HEN’s creator, Raphael Lima, was unreachable. His Twitter bio changed to, simply, “discontinued.”
Everyone panicked. Of course they did! If the marketplace was gone, were all their NFTs gone, too?
can i sell my nfts that i bought before platform pulled rug? https://t.co/WCPTuiKRT7 — Khaled (@Ez_Dealz_), November 14, 2021 (https://twitter.com/Ez_Dealz_/status/1459787994962006020)
HEN’s smart contract code was open source on GitHub, and its transaction data, of course, remained secure on the Tezos network. That made it possible for a third-party company called DNS to step in and create a (mostly) functional mirror site. But what about the NFT media itself?
Like other major marketplaces, HEN stored its media with IPFS. This was good and bad news for investors. The good news was that, even though HEN’s website was defunct, its NFTs weren’t, because they were stored separately. The bad news was that, with HEN gone, nobody was covering the costs necessary to keep those NFTs in storage. And so the community had to pick up the slack.
We [at ClubNFT] thought the best thing we could do to help protect collectors was actually to reach out to Infura — who Hic et Nunc uses to actually store its half-million NFTs — and to tell Infura, “Hey, we’re willing to foot the IPFS bill for every NFT on Hic et Nunc.”
We don’t want to see all these people’s NFTs disappear.
Investors were lucky. Through fast action, cooperation, philanthropy and some technical magic, the damage was contained. Under other circumstances — if HEN used other means of storage, or if the community wasn’t there to pick up the pieces — those files could’ve been lost forever.
And, in the end, some still were.
We want to put as much of the control around NFTs and collecting NFTs into the collector’s hands as possible. So they don’t have to experience what I experienced, right? Losing my art but, in this case, also losing arguably millions of dollars in the process.
What’s the first thing you learn when buying cryptocurrencies? Not your keys, not your coins. The same rule applies to NFTs. Jason Bailey learned that lesson the hard way. And without a reliable way to hold onto their own data, more collectors will meet with the same fate going forward.
I think what happened is the space grew too quickly, right? I think a lot of people might agree with me on that one where we went from 2021 where there were […] fewer than 100,000 Ethereum NFT wallets collecting NFTs, to a $40B NFT market. You know, Saturday Night Live, Ellen, like everybody talking about NFTs and people kind of running in really quickly that didn’t necessarily have a background in crypto.
[...]
Actually it’s not even just the new folks. I know collectors that have spent millions of dollars, hundreds of thousands of dollars and I ask them, like, “How do you think about this? What are you doing to back up your assets?” And they essentially say, “I lose sleep over it.”
Not your storage, not your NFTs.
Doesn’t quite have the same ring to it. But try to remember it anyway.
Nate Nelson is a freelance writer for some of the world’s leading technology companies, dev teams and crypto YouTubers. He writes and produces “Malicious Life,” a Top Tech podcast on Apple and Spotify, and co-hosts “The Industrial Security Podcast,” the leading show in its field. You can find his work on Forbes, Medium and publications around the web.