Ownership, Authenticity and Cloning of NFTs for the Greater Good

2022-08-12

~13 minutes to read

permalink

It’s a pretty common opinion outside the crypto community that the Non-Fungible Token (NFT) as technology has absolutely no purpose. I disagree, even though a number of its current uses are, almost exclusively, different versions of tricking the uninformed into throwing lots of money into technology they don’t understand. However, they do present a clear path to monetization for artists, something I'll get into after delving into the technical details. For now, let's focus on two problems with NFTs as implemented today.

The ownership problem

Right now, the most common use is to demonstrate "ownership” of an image. However, "ownership" in this context doesn’t mean much because it doesn’t necessarily include the copyright or the license to use an image. It could, but the legal details get complicated quickly. Storing legal contract details alongside the asset would be interesting, but could create a patchwork of different rights issues, as the NFT moves between different owners and different jurisdictions.

Given the above, it’s a little confusing as to what purchasing an NFT actually entitles an owner to. As someone who has a pretty thorough understanding of how this technology works, I also have no idea what -if anything- is captured by the ownership of an NFT. As far as I've seen, this question has been left intentionally unanswered by the purveyors of NFTs. The most charitable answer seems to be that it entitles the owner to a transaction on the blockchain, and the ability to transfer the token to someone else. That's it.

I'd like to contrast this with the most obvious comparison, digital items in video games. If I purchase a card in Hearthstone or stash tab in Path of Exile, it's completely transparent that I'm purchasing an entry in a database that entitles my account to the usage of the item in-game. The item's usability is either temporary or tied to the lifetime of my account, which is tied to the lifetime of the game's servers. Putting that all together simply: I'm purchasing a license to use the digital item until either it expires or my account expires.

While the sellers of NFTs may try to convince unsuspecting buyers that NFTs will last as long as there are participants in the underlying network, the lifetime of an NFT's usability may or may not be tied to the lifetime of the service it was minted from. That depends on the implementation of the NFT contract because there's nothing stopping the contract writer from including logic that requires the minting service or the contract owner to be functional. There's also nothing preventing services (or users) from minting brittle NFTs that rely on centralized infrastructure (as we'll see later).

With all of that in mind, it seems that the only tangible and permanent benefit of purchasing an NFT today is a transaction on the blockchain with your wallet ID on it. No guarantee of usability in the future, no clear declaration of the lifetime of the token, either.

Considering that the practical benefit of owning an NFT boils down to an entry in a ledger, it seems that the "non-fungible” part of "non-fungible token” is true in the sort of sense that my $20 bill is non-fungible relative to your $20 bill because mine is in my wallet and yours is in your wallet. However, according to NFT experts, the situation is slightly different. They might say that, in the same way that my wife isn't interchangeable with my neighbor's wife, one NFT is not interchangeable with another.

Or are they? Let's explore.

The authenticity problem

According to the concept of an NFT, the answer to the above question must be no, but the implementations we have today don't prevent creating multiple NFTs with the exact same data. Since the content is identical, we can't decide which one is authentic based on the token data itself. This implies that we need some kind of authority (organization, digital mechanism or etc.) to tell us which one is "real" and which one is a duplicate. On the other hand, if someone tried to swap out my wife with my neighbor's wife, both I and my neighbor would take issue because they are tangibly different. NFTs are not verifiably authentic based solely on their content.

The most quick-to-mind counterargument would be that one can verify an NFT’s contract details; however, the same issues with NFT authenticity bubble up to the contract itself. There isn't anything preventing a bad actor from deploying a visibly identical contract and generating counterfeit NFTs. There are possibilities for addressing this kind of issue, but none of the NFT contracts deployed today seem to do so, and migrating existing NFTs into a new, more secure contract would require even more trust than the current system does. The technologies in place today just don't have the mechanisms baked in to provide self-evident authenticity. This is a notoriously difficult problem to solve, and interested readers may delve into other projects.

To draw a real-world comparison, we can imagine something like counterfeit trading cards. A poor counterfeit might be clearly inauthentic, but a perfect counterfeit might require some authority (like the manufacturer) to prove or disprove authenticity (by establishing a chain of trust from the factory line to the end-user). This is sometimes hinted at with ideas like difficult to replicate, tamper-evident, sealed packaging. The idea is that only the manufacturer has the specific packaging, so a product sealed in such packaging must be from the legit manufacturer.

Returning to the digital goods example from above, the only way to receive something like a Hearthstone card is to purchase it in-game. The existence of the item as part of my in-game collection is akin to a seal of authenticity from the manufacturer. Short of glitches or hacks, the only way to obtain the card is to purchase it from the manufacturer, and it's up to them to maintain the integrity of the system.

A recent example would be Old School Runescape's Twisted Bow glitch, where one of the game's most expensive items was mistakenly placed by developers where anyone could grab as many copies as they wanted. This resulted in a rollback of the game's servers to a state before the glitch occurred, returning the guarantee of the authenticity of the item. This draws an interesting parallel to the Ethereum hard fork, which effectively rolled back a multi-million dollar set of transactions by a bad actor who had found issues with a contract deployed on the network.

Coming back to the point, the authenticity of a given object (physical or digital) has to be established either by the content of said object or by an authority over the authenticity of the object. A hash of some data is authentic by its content (we can verify the hash) while a collectible card may require an authority to verify it.

By their nature, NFTs require an authority that is unfulfilled by marketplaces and exchanges.

What is an actual NFT?

To get a clearer idea of the issue, let’s look at what an Ethereum-based NFT actually is. If you'd like to follow along at home, pick your favorite multi-million dollar NFT and find its token ID and contract address. I'll be using XCOPY's Right-click and Save as guy.

An image of the NFT "Right Click Guy" by XCOPY. I promise I copied the link and not your IP XCOPY

I found this particular NFT listed on Opensea.io, which is an NFT marketplace. Right click guy's page has a transaction ledger towards the bottom.

An image of the transaction ledger of "Right Click Guy" on opensea.io. The minting transaction can be seen at the bottom

The bottom ledger entry has a convenient link to the Etherscan page of the minting transaction here. If you're following along at home, you may need to manually navigate to the minting contract by address and use the token ID to find the correct token minting transaction.

An image of the transaction that minted "Right Click Guy". The input data field has been decoded to show the URI of the NFT

Decoding the input data gives us a token URI (a link) to an InterPlanetary FileSystem (IPFS) gateway of the NFT itself. The exact contents of the NFT are as follows:

{
  "name": "Right-click and Save As guy",
  "createdBy": "XCOPY",
  "yearCreated": "2018",
  "description": "Why would I buy it when I can right click and save as?",
  "image": "https://ipfs.pixura.io/ipfs/QmTA9VN19dxgFEF1H1dJZvmBCFsZRryBBnLKfUJZzFXNmU",
  "tags": [
    "portrait",
    " gif",
    " why"
  ]
}

If you've never seen an NFT before, this may be a little underwhelming. It's literally just a JSON file with an entry on a blockchain pointing to it. It has an image field with a fragile IPFS gateway link and some metadata. Most of the "functionality" of an NFT (trading and ownership establishment) is implemented in the minting contract and not the token itself.

As an aside, this is a sad implementation of an NFT because the JSON file -the literal NFT- being referenced isn't actually the IPFS address of the file, it's a link to Pixura's proprietary gateway. This means that this NFT will no longer function correctly if Pixura ever decides to take its gateway offline. This is opposed to providing an IPFS protocol link, which will work as long as the file is pinned to IPFS. Even worse, someone could hijack that gateway server and link to all sorts of awful stuff. This particular NFT would be more durable if it used centralized storage! That seems opposed to the decentralized nature of blockchain technologies, but I'll leave the moral ponderings to the reader.

Looking at the above, the issue is clear. Anyone could copy and paste that JSON into a new file, pin it to IPFS and mint a copy of the NFT. Even worse, someone slightly smarter could just take the original IPFS link and mint an exact duplicate NFT that points to the same JSON file on IPFS. That means that the authenticity of the NFT is necessarily dependent on some central authority, which, again, runs contrary to the decentralized nature of blockchain technology.

Cloning NFTs for great good

Of course, we can't just stop at saying someone could do it. We have to do it ourselves and demonstrate why NFTs as tradable, dubious representations of art ownership should not be valuable.

The tl;dr is that you can clone my git repo, follow the instructions in the readme and begin minting NFTs using the contract I deployed to the Goerli testnet. You can view the contract on etherscan.io and see the transaction I used to mint the duplicate Right Click Guy token.

The scripts work as follows:

I have no plans to modify this code or deploy the contract to the Ethereum mainnet; even though I think NFTs shouldn't be valuable, real people are spending real money and I would like to avoid being solely responsible for trivializing the scamming process.

Scanning through the transaction, we can find the same type of details present in the original transaction we pulled the IPFS link from:

The input data field for the minting transaction of the new Right Click Guy clone

My version of the NFT is actually a little better in a couple important ways

  • You can see the recipient wallet address as well as the IPFS link in the input data.
    • Because the transaction can never be changed, one can more easily identify this token from duplicates by keeping track of the original recipient.
    • This doesn't solve the authority problem, but it does certainly make it more convenient to verify.
      • This detail makes designing a more robust authenticity system significantly more simple. An authority could mint tokens directly into a designated wallet to set the recipient ID and then demonstrate ownership of said wallet before a purchase by sending a small transaction from that same wallet.
  • The token URI is an IPFS protocol link and not an HTTP link to someone's gateway.
    • As long as this JSON file is pinned to IPFS, this link will work.
    • As long as I retain a bit perfect copy of the original JSON file, I can reupload and pin it to IPFS to "reactivate" the link. Because IPFS links are generated by file content, the same file will always reside at the same URI

These differences make the NFT significantly more durable, but I did not solve the issue of the image field using a gateway link because fixing that would require changing the file itself, a no-go since that would change the IPFS URI.

Given that, and as a gesture of goodwill, I would like to extend Mr./Ms./Mx. XCOPY an invitation to claim a mainnet version of this more durable Right Click Guy NFT, deployed on a contract that is not usable by the public, at my expense and at none of their own.

Getting paid is hard

As much as I dislike the current implementations of NFTs, they do accomplish one thing better than almost any other format has: artists get paid. Modern artists have to jump through so many hoops to get paid, and anything from shilling sponsorships to farming ad revenue or selling "fans only" content is on the table. Most of these methods leverage the artist's reputation and audience engagement as the product being sold rather than the art itself.

If you're not interested in being used as a weapon in the psychological warfare being carried out on consumers, your options are slim. Not nothing, but certainly slim.

Selling NFTs in a marketplace with an (almost) direct-to-consumer business model cuts out a lot of the typical garbage that an artist may have to deal with in more direct bartering situations. It also goes a long way in connecting artists to people who want to purchase art, which is invaluable and a significant improvement over the current strategy of trying to cultivate a Twitter following and linking to commission forms or patreons.

NFTs as "status symbols" or tokens of proof of supporting a favorite artist seems like a pretty cool idea, and there's definitely an untapped business opportunity in creating a more supporting-the-artist-centric model of an NFT marketplace. Given the ease of deploying contracts and websites, this could be a couple of months’ worth of weekends for a pair of competent developers!

As a final concrete example, when I decided to get an avatar commissioned for a personal brand, I spent hours digging around on Reddit and Twitter looking for artists before I found @JoghsArt. The process for getting work done involved a couple of days worth of back and forth negotiating usage rights, pricing, and drafts. Joghs was easy to work with, so this process was relatively painless but the only records we have of the rights negotiation are my personal records, a private Discord conversation, and (hopefully) Joghs’ personal records: there’s no public record of what rights I purchased. For the reasons stated previously, navigating the legal issues around rights assignments involving NFTs would be tough but a marketplace with a less grandiose vision could solve the problem of connecting artists and consumers almost trivially.