Mutable Metadata

Harry Nicholls
6 min read · Feb 7, 2022


This week I want to talk about NFT metadata and how fragile it is.

I expect most of y’all reading this have bought an NFT at some point in the last 6 months.

Maybe you bought into the project vision, founders, or hype.

Maybe you bought it for the art.

If you did, then what I’m going to talk about may come as a shock.

A project owner can change the image any time they want.

You have no control over the metadata of your NFTs.

That beautiful image of a Cool Cat, CloneX, or even the famed Bored Ape, could disappear at a moment’s notice if the contract owner feels the urge.

Let that sink in.

WTF did you just buy?!

How can this be true?

Yeah there’s always the rug risk for any NFT project but you thought you’d always have the art even if the founders dip with the ETH.

Hate to break it to you but most collections store metadata off-chain, meaning it’s not written into the contract and can be changed at any time.

The NFT community seems to have accepted this as the way to do things, or maybe people just don’t understand how NFTs and metadata are linked.

Let’s dive into that.

Where TF is My Metadata?!

I mentioned above that most collections store metadata off-chain.

This means it’s not part of the smart contract and isn’t stored on the Ethereum ledger.

The good news is that this saves you money.

It depends on the exact implementation, but storing metadata on-chain costs gas.

A lot of contract interactions cost gas and the majority of the cost comes from state changes.

For a simple transaction, say you send 1 ETH between wallets, there’s a state change as 1 ETH + gas is subtracted from Wallet A’s balance and 1 ETH is added to Wallet B’s balance.

This is the backbone of Ethereum, or any Blockchain really: the state of addresses (wallets or contracts) is stored on a distributed ledger and any transaction that changes state must be confirmed by miners.

For this to work miners need to be rewarded for their work which is why we have transaction fees, AKA gas.

So think about this, the image for BAYC #0 is 133 KB.

It costs 640,000 gas units to store 1 KB of data on-chain¹, so with gas at ~50 Gwei that’d cost 0.032 ETH per KB.

Therefore it’d cost 4.256 ETH to store this image of BAYC #0 on-chain.

BAYC #0

NO FUCKING THANKS MATE.

Storing data on-chain would provide more security for token-holders as the metadata is verifiable, any changes will be captured on the Ethereum ledger, and it could even be locked, impervious to change.

But this doesn’t justify the cost involved, regardless of whether token buyers or project owners pay the cost.

It’s just not tenable to store metadata on-chain until we have lower gas costs.

Ok, so where is your metadata then?

Could be anywhere with an internet connection really.

AWS, Google Cloud, Microsoft Azure, on a dusty old server in some dude’s mom’s basement, or maybe it’s on the InterPlanetary File System (IPFS).

That sounds real fancy.

Is my data stored on Mars?!

No, no it’s not.

IPFS is a distributed file storage system that anyone can use, similar to a Blockchain in the sense that it’s run by a series of nodes hosted all over the world.

Anybody can run a node and provide file storage for others.

The idea is that your data will “exist forever” but the reality is it will exist as long as some IPFS node holds a copy of your data.

This is another factor of the rug risk.

Your traditional cloud services are centralised and your data will only exist as long as they exist (and the NFT project owner pays their bill), and your data will be available on IPFS as long as it’s being hosted by a node.

And most of the publicly available nodes are themselves centralised companies that charge you a fee to store your data. These are sometimes called “pinning services” and Pinata is a popular example.

Sound familiar?

Your data will only exist as long as the pinning service exists.

Now there are other storage alternatives like Arweave but we’re not going to talk about those today.

Mainly because I know jack-all about them 🙃.

We’ll get to them in future.

Let’s get back to the point at hand.

Where TF is your metadata?!

Probably a traditional cloud storage provider or pinned to IPFS by a pinning service.

And the NFT project owner likely holds the keys to your metadata, which could disappear if they stop paying their cloud storage or Pinata bill…

Sounds kinda fragile IMO.

Frozen Metadata

Now some platforms are trying to offer reassurance that your NFT metadata won’t or can’t be rugged.

Look at OpenSea: they have a “frozen metadata” feature, shown as a snowflake icon on your frozen NFTs.

Do you wanna build a snowmaaaaan?

OpenSea says:

Freezing your metadata will permanently lock and store it on decentralized file storage, which allows your data to be accessible for other clients to view and use. This means, your item will forever be safely stored and will never be lost or missing.

The emphasis is theirs.

By the way, I don’t intend to hate on OpenSea, it’s just a platform that most people in the NFT space use so it makes a good example.

Their statement about “freezing metadata” is intended to make me feel more comfortable about the NFTs I’m buying and reassure me that any NFTs with the snowflake icon are “safe”.

Buuuuuut if we dig into it, I’m not sure it holds true.

They say “Freezing your metadata will permanently lock” it.

How?

Not sure, they don’t offer an explanation of the internal mechanics.

Bored Ape Yacht Club is one of the collections that have frozen their metadata on OpenSea, but I don’t see any transaction or related changes to their contract.

Why is this important?

For metadata to be truly frozen I’d expect to see some change in contract state, specifically something that disabled the `setBaseURI` function.

This function allows project owners to change token URIs as it determines what the start of the full token URI looks like:

Token URI for BAYC #0 with Base URI underlined.

Changing the Base URI will cause marketplaces like OpenSea, Rarible, LooksRare etc. to look elsewhere for the token’s metadata, potentially to completely different metadata.

Here’s the BAYC setBaseURI function source code:

```solidity
function setBaseURI(string memory baseURI) public onlyOwner {
    _setBaseURI(baseURI);
}
```

AFAICT there’s nothing to stop the owner from changing baseURI despite OpenSea's "frozen" metadata claims.
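For contrast, here is what a freeze enforced in contract state could look like. This is an added example, not code from BAYC or OpenSea; the contract name `FreezableBaseURI`, the `freezeBaseURI` function, the `baseURIFrozen` flag and both events are hypothetical, and the contract models only the URI logic rather than a full ERC-721.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical names, URI logic only, not BAYC's contract.
contract FreezableBaseURI {
    address public immutable owner;
    string private _baseURI;
    bool public baseURIFrozen; // one-way flag: no code path sets it back to false

    event BaseURIChanged(string newBaseURI);
    event BaseURIFrozen(string finalBaseURI);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(string memory initialBaseURI) {
        owner = msg.sender;
        _baseURI = initialBaseURI;
    }

    // Same shape as the setter quoted above, plus the freeze check.
    function setBaseURI(string memory newBaseURI) public onlyOwner {
        require(!baseURIFrozen, "base URI frozen");
        _baseURI = newBaseURI;
        emit BaseURIChanged(newBaseURI);
    }

    // The transaction that calls this is the on-chain evidence of a freeze.
    function freezeBaseURI() external onlyOwner {
        require(!baseURIFrozen, "already frozen");
        baseURIFrozen = true;
        emit BaseURIFrozen(_baseURI);
    }

    // Full token URI = base URI + decimal token ID.
    function tokenURI(uint256 tokenId) external view returns (string memory) {
        return string.concat(_baseURI, _toDecimal(tokenId));
    }

    function _toDecimal(uint256 v) private pure returns (string memory) {
        if (v == 0) return "0";
        uint256 digits;
        for (uint256 t = v; t != 0; t /= 10) digits++;
        bytes memory out = new bytes(digits);
        for (; v != 0; v /= 10) out[--digits] = bytes1(uint8(48 + v % 10));
        return string(out);
    }
}
```

With a pattern like this, anyone can read `baseURIFrozen` and find the `BaseURIFrozen` event in the contract's history instead of trusting a marketplace icon. It only fixes the pointer, though: if the frozen base URI is an ordinary web address, whoever runs that server can still serve different content, so the flag means most when the base URI is content-addressed (for example an IPFS CID).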

I’m beginning to think that the OpenSea “frozen metadata” only exists within the walls of OpenSea itself. Maybe the platform doesn’t respond to changes in the base URI once a collection owner freezes metadata, thereby freezing metadata for everyone who uses OpenSea.

But that brings lots of questions to mind including:

These are important questions, but I want to circle back to the reason I wrote this article: NFT owners have no control over their token metadata.

When you buy a BAYC you’re dependent on the contract owner not to change the Base URI and rug you.

Metadata can be changed, it’s generally not stored on-chain, and often can’t be verified.

Something to be aware of next time you consider splashing your ETH on a shiny, new PFP.

Originally published at https://brainflow.substack.com on February 7, 2022.
