Where’s my “NFT” gone? Potential pitfalls of NFT ownership

EU, UK

NFTs have received a lot of attention in the last year, so much so that Collins Dictionary named “NFT” their word of the year for 2021. But it is worth noting that ownership of an NFT often ultimately amounts to ownership of the contents of a website link. A hypothetical (and peculiar) scenario may shed some light...

Imagine you’re looking to buy a rare, classic sports car. You find a seller, who tells you that the car is permanently stored in a vault with a trusted third-party company. That works for you: the car is an investment only and you’re not looking to drive it. You check out the storage facility and the car is there, as promised. You agree a sum and the seller sends you a digital receipt containing language about transferring ownership of the contents of the storage spot (let’s call it STORAGE-123). Excitedly, the salesman tells you that new technology means the digital receipt sent to you cannot be copied or tampered with: the digital receipt is immutable and unique. Convinced by this extra security, you complete the transaction.

You return a year later to check out your car and proceed to show the trusted third-party company your digital receipt. They take you to your spot and, low and behold, your car is gone. None of the staff members know where it is and the original seller is uncontactable. At least you have your unique digital receipt! You hand it to a staff member and he shakes his head. He explains: “this digital receipt just gives you ownership of whatever is found at STORAGE-123 and that appears to be, in this case, nothing. You own nothing”. What?! How can that be?

Panicked and confused, you phone your sister, who recently bought a piece of art stored in a separate third-party vault with a similar immutable and unique digital receipt. The art is stored in spot STORAGE-456. You rush over to the third-party vault and locate STORAGE-456. You can’t quite believe your eyes. There is no art. All you can see lying in STORAGE-456 is a rug. Yes, a rug. Your sister waves the digital receipt at a staff member who explains: “the digital receipt states that you own the contents of STORAGE-456. It looks like you own that rug”. THE RUG? WHAT ABOUT THE ART?!

This far-fetched scenario for physical assets is in fact a real risk for NFTs. And not just a hypothetical one. For example, NFT creator “neitherconfirm” minted a collection of artworks on OpenSea, only to later effect a “rug pull” and replace the artistic images with pictures of rugs. In another scenario, Moxie Marlinspike (founder of Signal) created an NFT that depicted different images depending on the IP address of the requester (as explained here and see below). Not quite what the purchaser was hoping for.

NFT article image

Screenshot of Moxie Marlinspike’s NFT in its various forms

To explain how this risk can materialise and what can be done to safeguard underlying content, we need to take a step back.

Your NFT might be just be a link

One of the purported attractions of blockchain technology is its immutability: once something is recorded on the blockchain, it cannot be changed. And an NFT recorded on a blockchain is immutable. However, the reality is that there are very few NFTs where the underlying content is actually embedded into the NFT and stored directly on the blockchain. Larger files are too expensive to include in the NFT itself (i.e. the code) due to mining costs, so standard practice is to include a link to where the file can be found.

What does this mean? Well, the NFT you own guarantees that whatever is at the end of the link in the NFT is yours. The NFT is like the digital receipt we mentioned above: it is not the car.

Risk of link rot

The underlying content of the NFT might be hosted on a normal cloud-based storage web address or even on the NFT seller’s website. The controller of the website address has enormous power. They can change or entirely remove the contents of that web address (intentionally or accidentally). They may move the content somewhere else. The domain name may lapse if they fail to pay their renewal fees and the content will then become unavailable. This risk is known as link rot.

The end result is the same as in our imaginary example above: the underlying content may completely disappear or be changed so that it has no resemblance to the original work.

What should a prospective NFT purchaser do?

An NFT purchaser will ideally want a guarantee that the underlying content will not be changed or removed. A potential solution is to only purchase NFTs that have been frozen. This means that the contents of the link can never be altered and can be achieved by binding the link to the content itself using “content addressing” rather than “location-based addressing” with decentralised storage like IPFS (the Interplanetary File System). Decentralised storage should also solve the problem of the link no longer working because of, for example, the website being shut down. In our hypothetical example above, this is the equivalent of the digital receipt stating: you own the contents of this link, which will always be this exact car.

Well how do I know if my NFT (i.e. the underlying content) is held in decentralised storage? NFT platforms such as OpenSea may indicate that an NFT is frozen in the “details” section of an advertised NFT. Alternatively, review the smart contract itself using a search engine such as Etherscan. If the smart contract includes an IPFS URL (e.g. starting with https://ipfs.io/ipfs/), then the NFT will be accessible on decentralised storage. For high-value NFT purchases, it may also be worth obtaining advice from a third party to perform due diligence prior to purchase (CMS’s IP team has previously carried out due diligence on NFTs on behalf of various clients).

Why decentralised storage may not be a silver bullet

Unfortunately, even if you purchase a “frozen” and “decentralised” NFT, you may still come into difficulty accessing the underlying content of your NFT. Decentralised storage still requires at least one “host” of the content (albeit IPFS ultimately envisages many more hosts). Services offered by companies such as Pinata may assist in ensuring that the underlying content is always available by “pinning” your NFT but, at least currently, problems remain. In particular, some NFT owners have been unable to access NFTs stored on IPFS (see here, for example).

Takeaways

There are NFT sellers that can be trusted and often the risk of missing or edited content connected to an NFT will not materialise. However, the large sums being spent on NFTs and the infancy of the technology can breed bad actors. Caution is therefore advised. As with everything in this space, developers and service providers continue to put forward technical innovations to address issues outlined in this article. However, undertaking due diligence or obtaining advice from a third party prior to purchasing an NFT would nonetheless appear a sensible solution and options such as NFT insurance may become more prevalent in the coming years.

Disclaimer: this article does not constitute legal and/or financial advice. Any references to companies or platforms are used for illustrative purposes only and do not constitute endorsements.