70% of all digital art is centralized, including the world's most expensive NFT.
Part 1 - A hands-on guide to NFT metadata centralization risk vectors which permeate across the entire crypto ecosystem, courtesy of the continued FTX contagion.
Dear frontrunners,
In this two-part series, we explore the never-ending centralization risk vectors of NFTs, quantify the impact on the Ethereum chain, and review the types of storage solutions used by NFT hosting providers.
This piece outlines the scope of NFT centralization on the Ethereum blockchain. We frame this against the broader FTX NFT collapse, then provide 5 examples of trending NFT projects, most with vectors of centralization, including the world’s most expensive NFT.
Part 2 covers the types of storage facilities available to NFT creators, the evolution of on-chain storage, and the cost of moving centralized NFT providers to the blockchain.
I feel compelled to write this because it is now apparent that the FTX death spiral has impacted our friends in the NFT ecosystem. For those who need to review the FTX wealth destruction, FTT ponzi tokenomics, crypto firm collusion, media malfeasance, and the final capitulation, click on any of the aforementioned links.
The demise of the FTX platform revealed a recurring problem and centralization vector that permeates across the NFT ecosystem: storage providers are not decentralized.
FTX.us used a centralized storage provider for its NFT marketplace. All NFT marketplaces which sold NFTs hosted on FTX are now DOA.
Tomorrow Land’s NFT collection on Magic Eden (Solana):
Coachella Desert Reflections Magic Eden (Solana):
Even the 1 of 1 “test” NFT hand-crafted by SBF, which sold for $270,000 in 2021 on FTX’s NFT platform…
….now redirects to the FTX bankruptcy restructuring site:
Infact, Every NFT hosted on the FTX platform is now redirected to that site. Below is an example of Tomorrow Land’s #217 NFT metadata, a static URL hosted on FTX.
Tomorrow land Misty Winter # 217 - https://static.ftx.com/nfts/097b77b7-0612-471c-8fc8-100cc60a244d.png
The entire http://ftx.us/nfts/list & http://ftx.com/nfts/list directory redirect to the FTX bankruptcy proceedings site
The reality is that most NFTs are hosted on web2 rails, including yours. Anyone who has been in the crypto space for more than a season knows this, at least intuitively. NFTs serve as an easy onramp into web3, and after buying a couple of profile pics (PFPs) most users eventually ask the question, “where is this image stored?”
Opensea even published an analysis in 2021 deconstructing NFTs storage mechanisms with a big red flag, saying, “heyyyy your picture is probably hosted on google!” Even the father of cryptography and creator of Signal, Moxie Marlinspike, lambasted the state of web3 in an analysis that called out how so much of the “decentralized” NFT infrastructure was dependent on web2 rails:
MetaMask doesn’t actually do much, it’s just a view onto data provided by these centralized APIs. This isn’t a problem specific to MetaMask – what other option do they have? Rainbow, etc are set up in exactly the same way….
…All this means that if your NFT is removed from OpenSea, it also disappears from your wallet. It doesn’t functionally matter that my NFT is indelibly on the blockchain somewhere, because the wallet (and increasingly everything else in the ecosystem) is just using the OpenSea API to display NFTs, which began returning 304 No Content for the query of NFTs owned by my address! - Moxie Marlinspik
NFT centralization exposure via FTX is another reminder to reject web3 technology deployed on web2 rails. This is true for centralized exchanges, lending platforms, and NFTs.
How bad is it?
YourNFTs.org recently downloaded the metadata and images of all ~12,000,000 NFTs on the Ethereum blockchain. In addition to creating a 🔥🔥🔥 photomosaic of 40,000 NFTs (depicted below). YourNFTs also open-sourced a 5GB torrent of the 12 million NFTs for the broader community to analyze.
Publications like rightclicksave began the arduous journey of answering a question we all probably know the answer to: “How many NFTs are actually on the blockchain?”. The answer is unsurprising, not many. Almost 70% of all NFTs are stored with traditional cloud providers or accessed via web2 rails like https.
Of course, we are all doomed in the long run, but with forward-looking NFT storage practices we can ensure our art is not. While storing NFT data on chain may be ideal, it is not an economically viable solution for most works. HTTP-based storage solutions cannot guarantee NFT data will remain online or unchanged and are subject to a single point of failure. - Nick Hladek rightclicksave.com
A point of distinction for the reader, “HTTP”, for purposes of categorizing NFTs by storage type, can mean one of two things:
An NFT stored on a web2 provider like Google Cloud or AWS or
An NFT stored on a decentralized peer-to-peer file system like IPFS but accessed via an HTTP gateway
Should NFTs which are hosted on peer-to-peer file systems like IPFS but accessed via an HTTP-based service be classified as “http”? This is a topic for debate, and the difference in classification is impactful: Approximately ~2 million NFTs on Ethereum are hosted on IPFS but accessible via an HTTP gateway.
Let’s look at some examples and decide.
Example 1 - Valhalla Collection
An NFT stored on a web2 provider like Google Cloud or AWS
As of this writing, Valhalla is trending #1 on Opensea for Ethereum. According to its creators:
Valhalla is a crypto native brand for gamers. Valhalla represents more than a collection of digital avatars. It represents decades of gaming culture: the clutch plays, the ELO grind, the OT wins. Purchasing one of our avatars grants you access to our exclusive community of gaming enthusiasts and future drops.
An NFT collection framed as a community of gaming enthusiasts whereby the token holders are granted access to exclusive airdrops and member-only content. Cool.
When we look at Valhalla 3132, floor price of $912USD/.728ETH..
..and navigate to its smart contract 0x231d3559aa848Bf10366fB9868590F01d34bF240 and call tokenURI..
📚 sidenote: tokenURI is an ERC721 standard function tokenURI(uint256 _tokenId) which returns the location of the nft metadata
the following string is returned:
https://api.joinvalhalla.com/valhalla/3132 ..if we paste https://api.joinvalhalla.com/valhalla/3132 into our browser we get:
{"name":"Valhalla #3132","image":"https://valhalla-nft-production.s3.amazonaws.com/3132.png","attributes":[{"trait_type":"Ear","value":"Silver Drop Earrings"},{"trait_type":"Eye","value":"Scar"},{"trait_type":"Hair","value":"Black Ponytail"},{"trait_type":"Type","value":"Human"},{"trait_type":"Mouth","value":"Disgusted"},{"trait_type":"Tattoo","value":"Barcode Tattoo"},{"trait_type":"Clothes","value":"Leather Jacket"},{"trait_type":"FaceAcc","value":"White Bandaid"},{"trait_type":"Headgear","value":"Stacked Cap"},{"trait_type":"Background","value":"Warm Gray"}]}Note the string in the “image” parameter of the JSON blob. The storage provider of the #1 trending NFT on Opensea? A peer-to-peer decentralized network of nodes, perhaps? Nope. It’s AWS. The JSON object includes attributes that, could in theory, identify the uniqueness of the PFP but note how the actual image is not stored on the blockchain or a decentralized peer-to-peer file system.
Example 2 - The Legend of Cockpunch by Tim Ferris
An NFT stored on a web2 provider like Google Cloud or AWS
Tim Ferris recently dropped an NFT collection, “The Legend of Cockpunch” with a floor price of ~$766USD/.61ETH. From the collection:
The Legend of COCKPUNCH™ is the tale of a fantastical realm, a universe of the bizarre from the mind of bestselling author Tim Ferriss (https://tim.blog/about). Artwork and stories are the gateway drug in this Emergent Long Fiction (ELF) project.
An NFT collection incentivizing early adopters to join Tim as he launches his latest writing project, “Emergent Long Fiction”. Nice.
But when we explore this collection’s smart contract address 0xC178994cB9b66307Cd62dB8b411759Dd36D9C2EE using the same aforementioned steps from example 1, we see tokenURI return a string with an http address:
https://live---tim-ferriss-metadata-fc7dztaqfa-uw.a.run.app/metadata/2732When we open that url in our browser, the following payload is returned:
{"name":"The Legend of COCKPUNCH™ #2732","description":"The Legend of COCKPUNCH™ is the tale of a fantastical realm, a universe of the bizarre from the mind of bestselling author Tim Ferriss (https://tim.blog/about). Artwork and stories are the gateway drug in this Emergent Long Fiction (ELF) project. Learn more at https://cockpunch.com. Follow https://twitter.com/cockpunch and https://twitter.com/tferriss on Twitter.\n\nBefore buying this NFT, please read the NFT License Agreement at https://tim.blog/cockpunch-license. This explains your rights and restrictions.","image":"https://storage.googleapis.com/cockpunch-images/FullBodyImages/1525.jpg","external_url":"https://www.cockpunch.com","attributes":[{"trait_type":"Clan","value":"Wizard"},{"trait_type":"Beak","value":"Yellow"},{"trait_type":"Eyes","value":"Blue"},{"trait_type":"Bodywear","value":"Intersector Selector"},{"trait_type":"Facial Expression","value":"Vigilante"},{"trait_type":"Toenails","value":"Black"},{"trait_type":"Headgear","value":"Santa Claws"},{"trait_type":"Tail Feathers","value":"Threesome"},{"trait_type":"Weapon","value":"Ring of Canidae"},{"trait_type":"Gauntlet","value":"Fiveskin"},{"trait_type":"Background Color","value":"Red"}]}A similar story. This time the value of the image attribute is another centralized cloud provider: Google. Even The Cockpunch web site is hosted on Wordpress, come on Tim!
Let’s look at An NFT stored on a decentralized peer-to-peer file system like IPFS but accessed via an HTTP gateway
Example 3 - Beeple First 5000 Days
An NFT stored on a decentralized peer-to-peer file system like IPFS but accessed via an HTTP gateway
The First 5000 Days is a digital work of art created by Mike Winkelmann, known professionally as Beeple. It is the world’s most expensive single NFT. Selling on Christie’s for $69 million in 2021. The work is a collage of 5000 digital images created by Winkelmann for his Everydays series.
From the auction house website:
Christie’s is honored to present Beeple | The First 5000 Days, a single-lot sale that marks the first time a purely digital work of art, also known as an Non-Fungible Token (NFT), has ever been offered by a major auction house. On 1 May, 2007, Mike Winkelmann, a leading digital artist best known as Beeple, set out to create and post a new work of art every day of his life going forward, and has not missed a single day in 13 years. These works, which are now known as Everydays, form one of the most celebrated bodies of work in the history of digital art. The First 5000 Days comprises every single individual image from Beeple’s first 5,000 Everydays arranged in a monolithic composition of the artist's own design. Running from 25 February to 11 March, this unique online sale is an important milestone in the development of the market for digital art.
Kudos to the marketer who crafted that literally piece of art. I couldn’t help but feel a tinge of FOMO.
When we explore the NFT smart contract 0x2A46f2fFD99e19a89476E2f62270e0a35bBf0756 and call tokenURI with the First 5000 Days tokenid “40913”, the following string is returned:
ipfs://ipfs/QmPAg1mjxcEQPPtqsLoEcauVedaeMH81WXDPvPx3VC5zUz
To view an IPFS enabled url you need a browser with native IPFS support, like Brave or Opera. Until browsers like chrome, safari, etc adopt IPFS native integration, the rest of us must prepend “https://ipfs.io” to the section after the 2nd ipfs and create:
https://ipfs.io/ipfs/QmPAg1mjxcEQPPtqsLoEcauVedaeMH81WXDPvPx3VC5zUz. Double-click the aforementioned link to see:
{"title": "EVERYDAYS: THE FIRST 5000 DAYS", "name": "EVERYDAYS: THE FIRST 5000 DAYS", "type": "object", "imageUrl": "https://ipfsgateway.makersplace.com/ipfs/QmZ15eQX8FPjfrtdX3QYbrhZxJpbLpvDpsgb2p3VEH8Bqq", "description": "I made a picture from start to finish every single day from May 1st, 2007 - January 7th, 2021. This is every motherfucking one of those pictures.", "attributes": [{"trait_type": "Creator", "value": "beeple"}], "properties": {"name": {"type": "string", "description": "EVERYDAYS: THE FIRST 5000 DAYS"}, "description": {"type": "string", "description": "I made a picture from start to finish every single day from May 1st, 2007 - January 7th, 2021. This is every motherfucking one of those pictures."}, "preview_media_file": {"type": "string", "description": "https://ipfsgateway.makersplace.com/ipfs/QmZ15eQX8FPjfrtdX3QYbrhZxJpbLpvDpsgb2p3VEH8Bqq"}, "preview_media_file_type": {"type": "string", "description": "jpg"}, "created_at": {"type": "datetime", "description": "2021-02-16T00:07:31.674688+00:00"}, "total_supply": {"type": "int", "description": 1}, "digital_media_signature_type": {"type": "string", "description": "SHA-256"}, "digital_media_signature": {"type": "string", "description": "6314b55cc6ff34f67a18e1ccc977234b803f7a5497b94f1f994ac9d1b896a017"}, "raw_media_file": {"type": "string", "description": "https://ipfsgateway.makersplace.com/ipfs/QmXkxpwAHCtDXbbZHUwqtFucG1RMS6T87vi1CdvadfL7qA"}}}The 5000 days NFT is accessible via the string in the imageURL parameter of the JSON blob: https://ipfsgateway.makersplace.com/ipfs/QmZ15eQX8FPjfrtdX3QYbrhZxJpbLpvDpsgb2p3VEH8Bqq but what is of importance is ipfsgateway.makersplace.com.
https://ipfsgateway.makersplace.com is an IPFS https gateway to provide compatibility with applications that do not support IPFS natively. What was surprising to me is that ipfsgateway isn’t even in the top 25 of hosts when we sort by availability and latency. WTF. This is a $69 million NFT accessed via a tier 3 gateway!
Rankings aside, http gateways are at best a workaround given the northstar is in-browser IPFS compatibility, but in the interim the IPFS gateways provide an HTTP-based service that allows IPFS-ignorant browsers and tools to access IPFS content.
We can visually depict this below:
Read NFT request via API
Authenticate if required
Redirect to HTTP/s gateway
IPFS platform receives jpeg from peer-to-peer nodes
JPG displayed to end-user
To be fair, the “First 5000 days” NFT is stored on a decentralized peer-to-peer network of nodes (IPFS), but it is accessed via an http gateway. Why would a globally recognized artist and premier auction house opt to store NFT metadata using this approach? To maximize reach? Didn’t know? Maybe crypto first principles of decentralization and a permissionless immutable ledger of transactions weren’t at the top of the beeple + christie priority list. Native IPFS storage is good, but HTTP gateway access is bad. It creates a risk vector with respect to the HTTP server experiencing downtime or getting compromised.
If either activity occurs, the NFT owner loses access to their $69 million work of art. All they’ll have to show for it is a JSON blob with metadata referencing a defunct url.
Note how this is in contrast to other marquee NFTs, like the Bored Apes Yacht Club (BAYC), which are stored and accessed via web3 rails
Example 4 - Bored Apes Yacht Club
An NFT stored and accessed on a decentralized peer-to-peer file system like IPFS
BAYC is a marquee brand in the NFT ecosystem. From the collection,
The Bored Ape Yacht Club is a collection of 10,000 unique Bored Ape NFTs— unique digital collectibles living on the Ethereum blockchain. Your Bored Ape doubles as your Yacht Club membership card, and grants access to members-only benefits, the first of which is access to THE BATHROOM, a collaborative graffiti board. Future areas and perks can be unlocked by the community through roadmap activation
The collection was successful in transcending from a PFP flex to cultivating a members-only community vis-a-vis its Yacht Club collection and most recently dropped its new APE Coin, an Ethereum token that grants its holders voting rights on the APECoin DAO and early access to the BAYC metaverse.
Unfortunately, more is not necessarily better, Yuga Labs, creators of the APE Coin, are now subject to a class action law suit for making false and misleading statements concerning Yuga’s growth prospects, financial ownership, and financial benefits for Yuga securities investors, as well as using celebrity promotors to lure in unsuspecting investors so that Yuga insiders could sell the unregistered Yuga securities in violation of the Securities Act. Questionable APECoin ponzi shilling aside, we can commend BAYC for its sufficiently decentralized approach to NFT storage.
If we look at BAYC 1886 with floor price of 86 ETH or ~$86,000 and explore its smart contract 0xBC4CA0EdA7647A8aB7C2061c2E118A18a936f13D…
…by calling tokenURI with parameter 1886, we see it returns the following string:
ipfs://QmeSjSinHpPnmXmspMjwiXyN6zS4E9zccariGR3jxcaWtq/1886similar to that of Beeple’s First 5000 days, but when we prepend “https://ipfs.io/” to the string (remember this is how we access IPFS URLs on browsers without native IPFS integration), we get this url:
https://ipfs.io/ipfs/QmeSjSinHpPnmXmspMjwiXyN6zS4E9zccariGR3jxcaWtq/1886, and when we enter it into our browser, we get this payload:
{"image":"ipfs://QmYoMhMsCjcn4UAhHc3HcAo6tuSdL6Sz2NcCCZWzwmX4x3","attributes":[{"trait_type":"Clothes","value":"Caveman Pelt"},{"trait_type":"Background","value":"Blue"},{"trait_type":"Mouth","value":"Bored Unshaven"},{"trait_type":"Fur","value":"Red"},{"trait_type":"Eyes","value":"Bloodshot"},{"trait_type":"Hat","value":"Irish Boho"}]}What is of significance is the image parameter is referencing an IPFS url, not an IPFS HTTP gateway, not AWS, not Google Cloud and not Dropbox. When we take the parameter “ipfs://QmYoMhMsCjcn4UAhHc3HcAo6tuSdL6Sz2NcCCZWzwmX4x3” and prepend “https:/ipfs.io/” to it we get:
https://ipfs.io/ipfs/QmYoMhMsCjcn4UAhHc3HcAo6tuSdL6Sz2NcCCZWzwmX4x3 and when we click the aforementioned link, what do we get? BAYC 1886!
BAYC is a sufficiently decentralized NFT project. What’s so astonishing to me is how BAYC failed to deliver this same level of decentralization for its sister project Mutant Ape Yacht Club.
Example 5 - Mutant Ape Yacht Club
An NFT stored on a decentralized peer-to-peer file system like IPFS but accessed via HTTP.
Mutant Apes are the sister collection to BAYC and were created by the same parent organization Yuga Labs. From the collection:
The MUTANT APE YACHT CLUB is a collection of up to 20,000 Mutant Apes that can only be created by exposing an existing Bored Ape to a vial of MUTANT SERUM or by minting a Mutant Ape in the public sale.
Bored Apes had the option to pair their unique NFT with a Serum NFT by way of a smart contract integration. This pairing mechanism destroys the Serum token and creates a new, mutant-inspired NFT in the image of the original Ape. All without actually changing the initial NFT in any way.
Each of the 10,000 BAYC holders received one Mutant Ape, while 10,000 new Mutant Ape NFTs were minted at sold at auction. Not a bad payday for the BAYC holders already in the top 1% of the Ethereum community.
Today Mutant Apes have a floor price of 14ETH or ~$18,000. But do the Mutant Ape NFTs share the same level of “sufficient decentralization” as their BAYC brothers? The answer is no.
When we explore the metadata of the mutant apes, for example #29620…
…by navigating to its smart contract 0x60E4d786628Fea6478F785A6d7e704777c86a7c6 and calling tokenURI by passing 29620 as a parameter, we see the following string is returned, it is surprisingly, https:
https://boredapeyachtclub.com/api/mutants/29620
When we enter https://boredapeyachtclub.com/api/mutants/29620 into our browser, the following JSON payload is returned:
{"image":"ipfs://QmQDnxUxijpgbgy7jNeRgRhNGuLdP5xqufYZXe5dCAGjgB","attributes":[{"trait_type":"Background","value":"M1 Yellow"},{"trait_type":"Fur","value":"M1 Black"},{"trait_type":"Eyes","value":"M1 Bored"},{"trait_type":"Mouth","value":"M1 Bored"},{"trait_type":"Earring","value":"M1 Silver Hoop"}]}…which includes a string containing an IPFS URL. I’ve looked through the BAYC developer docs, and cannot find a single reason as to why the BAYC collection is accessed and stored via IPFS and while its sister NFT, owned by the same company Yuga Labs, is stored via IPFS but accessed by HTTP. Again, why the divergence in approach?
This leads us back to our original question.
Should NFTs which are hosted on peer-to-peer file systems like IPFS but accessed via an HTTP-based service be classified as “http” storage types, or are they sufficiently decentralized?
We have just reviewed five different marquee/tier 1 NFT collections, each having a different storage and access mechanism:
My position is that any NFT accessed on the web2 rail system is centralized. Although the Beeple NFT does have sufficient information in its payload (the IPFS URL attribute, picture metadata, digital media signature) to ascertain its authenticity, if the http gateway becomes inaccessible, the ability to view the NFT is lost. What value is an immutable ledger of transactions if the transaction metadata on the blockchain (the http gateway in this example), is inaccessible or broken?
My conclusion after performing this analysis is that maybe NFT creators would rather spend their energy on novel and creative ways to mint new projects. Perhaps their interests are in cultivating and growing an ecosystem of dedicated fans, and not so much in adhering to crypto's first principles of a decentralized, permissionless peer-to-peer network.
Until a forcing function enters the NFT equation that requires creators to store their metadata in decentralized file systems, we must accept this hard truth, the majority of NFTs on the Ethereum blockchain (and all blockchains) are exposed to vectors of centralization risk, such as those just experienced in the collapse of the FTX NFT exchange.
Want to learn more? In part 2 of this two-part series, we cover the types of storage facilities available to NFT creators, the evolution of on-chain storage, and the cost of moving centralized NFT providers to the blockchain. Click here to access part 2.
To knowledge and wisdom,
John Cook
December 11th, 2022
San Francisco, CA
www.frontruncrypto.com
Article cover generated by DALL-E: “An expressive oil painting of a digital artist having breakfast with a bored ape and a cryptopunk”
