Jim Dee, OG Web3 Dev & Generative NFT Code Expert

Summary

The article discusses the potential risks and security concerns within the NFT ecosystem, emphasizing the importance of proper long-term planning and due diligence for both buyers and creators of NFTs.

Abstract

The NFT market, exemplified by high-value collections like the Bored Ape Yacht Club, is scrutinized for its underlying vulnerabilities. The article highlights the fact that NFT ownership is essentially a link to metadata stored on decentralized systems like IPFS, raising questions about the permanence and security of these assets. It underscores the risks associated with the centralization of control, as the owners of the smart contracts can alter metadata, and the potential dangers of compromised wallets. The author advocates for thorough research by buyers into the security measures of NFT projects and for meticulous vetting and future-proof planning by developers to ensure the longevity and integrity of their digital assets.

Opinions

  • The author expresses concern over the long-term stability of NFT metadata storage, particularly if IPFS were to become unavailable.
  • There is a call for increased attention to the security of the wallets that control NFT smart contracts, as compromised access could lead to irreversible damage to an entire NFT collection.
  • The article suggests that not all developers may have adequate plans to safeguard critical data, such as seed phrases and private keys, over extended periods.
  • It is implied that the NFT space is relatively young and inexperienced, with many potential large-scale disasters yet to occur due to security oversights or smart contract flaws.
  • The author emphasizes the need for buyers to conduct comprehensive research, beyond the usual due diligence, to understand the long-term security strategies of NFT projects before investing.
  • Developers are urged to work with fully identified (doxxed) teams and to plan extensively for future scenarios, including the possibility of original developers leaving the project.


The Whole NFT Ecosystem is WAY More Precarious Than Anyone Ever Talks About

But hey, it’s just trillions of dollars. Why be concerned?

Photo by Loic Leray on Unsplash

Quick example … the Bored Apes. As of this writing, the floor is 107.5 ETH. Take that times 10,000 apes and you get market value of at least 1,075,000 ETH. At $2,781.89 per ETH (as of this writing), that’s $2.99 billion worth of digital art (and again, that’s a minimum valuation, as we’ve only used the floor price here and we’ve only considered the main apes — not the rest of the IP, which I’ll get to, below).

The world-famous apes are barely one year old now! If you’d been fortunate enough to have minted one and NOT sold it by now, your portfolio would likely look like this (for just ONE ape!):

  • You’d have your bored ape. Min value: 107.5 ETH.
  • You’d have been airdropped a serum and likely would have used it to create yourself a mutant ape. Thus, you’d have the mutant. Min value: 24.99 ETH.
  • You’d have your Bored Ape Kennel Club airdrop. Min value: 8 ETH.
  • You’d have claimed your $APE coin, which I believe would be 10,000 for the ape, 2,042 for the mutant, and 856 for the doggo. So, I believe that’s 12,989 total $APE, which as of this writing is worth $17.23 per coin. Min value: $223,800.47, or 80.44 ETH.
  • And finally, you’d possibly have spent some of that $APE on some Otherside metaverse land. But, if not (according to the site), your BAYC and MAYC holding entitle you to claim two Otherdeeds for the cost of gas. So, for our purposes here, let’s say you didn’t spend your $APE, but you’re going to claim two lands (one for each of your apes). Current floor price is 3.7 ETH each. So, min value: 7.4 ETH.

Result: 228.33 ETH, or about $635k as of today. Not a bad rate of return on your 0.08 ETH (about $200) investment!

But back to my point…

When you own an ape (and/or just about any other NFT, aside from those that exist wholly on-chain), you actually own a hyperlink. For example, let’s look at Bored Ape #123. If we go to the contract and ask it where ape #123 lives, we get this:

It lives here: ipfs://QmeSjSinHpPnmXmspMjwiXyN6zS4E9zccariGR3jxcaWtq/123

Unless you’re using the Brave browser, your browser probably doesn’t want to show that link. But, you can see it in a normal browser by changing it up a bit, to this:

https://ipfs.io/ipfs/QmeSjSinHpPnmXmspMjwiXyN6zS4E9zccariGR3jxcaWtq/123

And there we can see what the contents are:

{
  "image": "ipfs://QmVP1tqb9jf6XCkZZXkqGfTAtS8KwXHKHvkePh62zyL65n",
  "attributes": [
    {"trait_type": "Clothes", "value": "Black Holes T"},
    {"trait_type": "Fur", "value": "White"},
    {"trait_type": "Eyes", "value": "Coins"},
    {"trait_type": "Background", "value": "New Punk Blue"},
    {"trait_type": "Mouth", "value": "Bored Cigar"},
    {"trait_type": "Hat", "value": "Spinner Hat"}
  ]
}

If we similarly edit that image link (to this: https://ipfs.io/ipfs/QmVP1tqb9jf6XCkZZXkqGfTAtS8KwXHKHvkePh62zyL65n), we can see it in all browsers:

So yeah, that’s Bored Ape #123. You can see how the traits listed above match up with what’s shown visually. And that’s all super cool; it’s how marketplaces like OpenSea get their content — all via that little file on the InterPlanetary File System (IPFS).

I suppose one concern here might be: Well, what happens if IPFS goes away in the future? And that’s a fair question because, as much as IPFS is decentralized and all, do we actually know that it will last forever?

In the end, though, even if the home for that metadata were replaced by something else, the smart contract would be able to save the day, as the smart contract provides for pointing to a custom metadata URI. You may notice that, while many NFT drops utilize decentralized solutions like IPFS, it’s also readily possible to use a centralized / custom API instead (e.g., VeeFriends, Cool Cats, World of Women, Yuga’s Otherside, and many others). So, one way or another, the set could live on if something happened to IPFS.
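As an added example (not code from the article), here is a small Python audit that follows the link chain traced by hand above for ape #123: it rewrites ipfs:// links into the gateway form, checks that a CIDv0 really is a sha2-256 multihash, and labels each hop (tokenURI, then the image inside the metadata) as on-chain, content-addressed, or mutable (a centralized API like the ones just mentioned). The sample tokenURI and the trimmed metadata are the values shown above; the gateway constant and the function names are assumptions.

```python
import json

# Constructed sample, taken from the article's Bored Ape #123 walk-through: the
# tokenURI the contract returns and (trimmed) the metadata file it resolves to.
TOKEN_URI = "ipfs://QmeSjSinHpPnmXmspMjwiXyN6zS4E9zccariGR3jxcaWtq/123"
METADATA_JSON = ('{"image":"ipfs://QmVP1tqb9jf6XCkZZXkqGfTAtS8KwXHKHvkePh62zyL65n",'
                 '"attributes":[{"trait_type":"Fur","value":"White"}]}')
GATEWAY = "https://ipfs.io/ipfs/"  # public gateway the article uses; assumed here
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    # CIDv0 "Qm..." strings are base58btc-encoded multihashes.
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a char outside the alphabet
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def cidv0_digest(cid: str) -> bytes:
    # A CIDv0 is exactly <0x12 = sha2-256><0x20 = 32 bytes><32-byte digest>.
    mh = b58decode(cid)
    if len(mh) != 34 or mh[0] != 0x12 or mh[1] != 0x20:
        raise ValueError("not a CIDv0 sha2-256 multihash: " + cid)
    return mh[2:]

def to_gateway_url(uri: str) -> str:
    # Rewrite ipfs://<cid>/<path> to a gateway URL, as the article does by hand.
    return GATEWAY + uri[len("ipfs://"):] if uri.startswith("ipfs://") else uri

def classify(uri: str) -> str:
    # Who controls what this link resolves to?
    if uri.startswith("data:"):
        return "on-chain"           # bytes live in the URI itself (pure on-chain NFT)
    if uri.startswith("ipfs://"):
        cidv0_digest(uri[len("ipfs://"):].split("/", 1)[0])  # reject junk CIDs
        return "content-addressed"  # bytes cannot change, but can vanish if unpinned
    if uri.startswith(("http://", "https://")):
        return "mutable"            # whoever runs that server decides what is served
    return "unknown"

def audit(token_uri: str, metadata_json: str) -> dict:
    # Classify both hops of the link chain: contract -> metadata -> image.
    meta = json.loads(metadata_json)
    return {
        "token_uri": classify(token_uri),
        "token_gateway_url": to_gateway_url(token_uri),
        "image": classify(meta["image"]),
        "image_gateway_url": to_gateway_url(meta["image"]),
    }
```

Running `audit(TOKEN_URI, METADATA_JSON)` labels both hops for ape #123 as content-addressed; feeding it a drop whose tokenURI points at an https API shows "mutable" at the first hop, which is exactly the case where the server operator (not the chain) decides what you own.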

Beyond that, there are other questions, though. One is: Who could change that metadata?

Well, if we go back to the Bored Apes code, to continue with this example, we would see this:

… and that means that the owner of the contract could change it. (And this is also typical of most NFT smart contracts.) So… Who’s the owner? Well, let’s ask the contract. It’s this wallet:

And what’s in that wallet? Well, lots of stuff. I imagine 99% of what’s in there is from junk airdrops. But there are also a lot of fairly valuable items, such as 30+ plots of land in the Sandbox Game. So, IDK if the person controlling that wallet actually uses it much or not. But, the more it is used (meaning it’s active on some PC somewhere), the more at-risk it is.

Why is an in-use wallet more at-risk? Well, just by default, for one. If the wallet is signed in, anyone with access to that PC could feasibly interact with the smart contract — and, since it’s the deployer/owner wallet, they could probably do more damage than “just” setting the metadata URI. But, beyond that, anytime the wallet is activated (meaning, its seed phrase is typed in), there’s some (even minimal) risk of, say, some kind of outside attack (e.g., maybe that PC becomes compromised).

Maybe Yuga is 100% secured. After all, with billions in market capitalization (and liability?) on the line, chances are good that the seed phrase for the wallet in question is locked deep in some vault somewhere and not merely pinned to a bulletin board above some rando dev’s desk.

But it does make you think. Or rather, it should! Of the many thousands of drops: How many haven’t thought to really, really properly backup and lock down the seed phrases and private keys that could absolutely, irrevocably ruin an entire NFT drop?

Is the answer 100% of them? (Clearly not.)

Do you think that rando on fiverr.com who’s volunteered to deploy your smart contract for an attractively meager fee is trustworthy? And can you trust him or her for five, ten, twenty years (or more)? Do they have an actual plan in place to safeguard your most precious data?

Maybe, maybe not.

(And, btw, I was only using the Bored Apes here as an example, simply because they’re the biggest. I don’t mean to imply any security concerns related to Yuga at all.)

We tend to think of the NFT space currently as this fairly evolved, yet still maturing phenom. And yes, every now and again, there are major screw-ups (like the Aku Dreams fiasco a few weeks back that locked $34 million into a smart contract). But, aside from the few OG outliers like the Punks, the vast majority of the NFT space is, at this point, less than one year old.

Statistically speaking, many massive disasters are yet to come.

Bottom Lines

Finally … I’m not here fear-mongering. I do NOT want this article interpreted that way (because, as a dev in the space, I’m of course a huge proponent of NFTs). Rather, my message is that we need to start paying attention to deeper details and ensure we’re doing things optimally. Ergo:

  • Bottom line if you’re buying: Research the hell out of a project before you buy in. Among all of the other “DYOR” due diligence, obtain a feel (or better yet actual facts!) about their long-term security measures / procedures. I hate to always be the one out here talking about the less exciting aspects of NFT drops (like my articles on accountants, lawyers, and taxes), but as a dev on numerous drops now, I can see these issues coming. And frankly, as it’s now 2022 and we’ve gone through arguably the first US tax season after the initial blow-up of the NFT space, I’m surprised more aren’t openly talking about these things.
  • Bottom line if you’re building: Vet your devs like crazy — 10x more than you think necessary. Only work with fully doxxed teams, and make sure to plan out every detail of who has access to what when it comes to wallets. Plan for the deep future of your drop. What happens in 5 years, 10 years, or X years later when your dev wants to retire from web3 and move to the Bahamas? Think and plan almost unreasonably long-term. After all, these NFT drops are sold to consumers with permanence in mind, and teams need to live up to that promise.
Jim Dee is a prolific writer, developer, and multi-media creator from Portland. You can find him, his businesses, his books, and more at JPD3.com. Thanks for reading! Cat image here courtesy of Midjourney AI.