TLDR: It’s hard to check who owns which NFT. A JPG is still a JPG, even if it has a fancier way of linking to it.
Also, big shout out to Eike for spending 2 hours looking at this nonsense with me.
To get our brains going, we decided to run a small mental exercise. Can you build a web3 Gravatar that also verifies your NFT ownership status? Gravatar is what Slack, GitHub and WordPress use to keep your profile pic and some details about you, so you don’t have to upload them individually. It’d be an easy B2B SaaS thingy, with a potential small exit to Discord or whatnot.
Essentially, NFT ‘art’ is a meme to me at this point, but here is the problem: how can I tell whether someone’s profile pic is an authentic NFT?
Twitter recently announced this as a feature. We thought it’d be pretty daft if all companies that wanted to join the hype train had to build their own solution. Why not build something that would be useful to all of them? This isn’t a serious startup idea, but a well-defined problem to get our brains going.
Anyway, it turns out it’s a hard problem. And that’s surprising. Isn’t the whole point of NFTs to ascribe ownership? There is only one Bored Ape Yacht Club #1859 and, yes, when you buy it (for >$15k), it will be in a wallet (fancy web3 word for account) you own. Surely that’s easy to check?
There are two problems:
linking your wallet to your social media identity
verifying that the JPG was not just re-uploaded
The first one is easy. You can prove that you own the wallet by encrypting a pre-defined message with your wallet’s private key. In cryptography, you need four keys to share a secret between two people (a public and private key for each). To encrypt Alice’s message to Bob, she uses her private key and Bob’s public key in combination. For Bob to decrypt, he needs to use his private key and Alice’s public key. Then Alice could ask “what was in the message?” and that way she would know she’s talking to someone who has Bob’s private key, probably Bob. In practice, you’d log in with your MetaMask or whatever. That way you could link your wallet to the link to a JPG of an ape.
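The wallet-ownership check described above, as an added example that is not part of the original post. Wallet logins in practice do this with a signature over a server-issued challenge rather than with encryption; here an Ed25519 key pair from Node's built-in crypto stands in for the wallet key, and the function names, handles and message format are assumptions.

```javascript
// Added example (not from the original post): challenge-response wallet linking.
// Assumption: an Ed25519 key pair from Node's crypto stands in for the wallet key.
const crypto = require('crypto');

const pending = new Map(); // nonce -> { handle, walletKey, expires }

// Server: issue a one-time challenge bound to a profile handle and a claimed key.
function issueChallenge(handle, walletKey, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, { handle, walletKey, expires: now + 5 * 60 * 1000 });
  return `Link wallet to ${handle}\nnonce: ${nonce}`;
}

// Wallet: sign the exact challenge text; the private key never leaves the wallet.
function walletSign(message, privateKey) {
  return crypto.sign(null, Buffer.from(message), privateKey).toString('base64');
}

// Server: check handle binding, single use, expiry, then the signature itself.
function verifyLink(handle, message, signatureB64, now = Date.now()) {
  const m = /^Link wallet to (.+)\nnonce: ([0-9a-f]{32})$/.exec(message);
  if (!m || m[1] !== handle) return 'bad-message';
  const entry = pending.get(m[2]);
  if (!entry || entry.handle !== handle) return 'unknown-nonce';
  pending.delete(m[2]); // one attempt per nonce: a captured signature cannot be replayed
  if (now > entry.expires) return 'expired';
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify(null, Buffer.from(message), entry.walletKey, sig)
    ? 'linked' : 'bad-signature';
}

// Constructed scenario: the owner links, a replay fails, a non-owner fails.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const mallory = crypto.generateKeyPairSync('ed25519');
  const c1 = issueChallenge('@alice', alice.publicKey);
  const s1 = walletSign(c1, alice.privateKey);
  const c2 = issueChallenge('@mallory', alice.publicKey); // claims Alice's wallet
  const c3 = issueChallenge('@alice', alice.publicKey, 0); // issued long ago
  return {
    owner: verifyLink('@alice', c1, s1),
    replay: verifyLink('@alice', c1, s1),
    nonOwner: verifyLink('@mallory', c2, walletSign(c2, mallory.privateKey)),
    stale: verifyLink('@alice', c3, walletSign(c3, alice.privateKey)),
  };
}
console.log(demo());
```

This only settles who controls the key; whether the token in that wallet is the ‘real’ one is the second problem.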
The second one gets complicated in theory, but in practice it’s trivial. In theory, anyone could re-upload something to the blockchain. I can take that BAYC #1859 ape JPG, re-upload it, and then mint it (fancy web3 word for uploading to blockchain). You can tell it’s not the ‘real’ one because it’s in a much later block (uploaded later), but you’d have to check for duplicates. And getting meaningful information from blockchains is annoying, and there were over 20 terabytes of NFTs linked in 2021 already, so good luck.
The alternative is that you know which collection it belongs to. You would have to rely on off-chain evidence such as the collection’s social media presence to determine whether it’s the correct thing. Kind of hard to do, especially across many chains.
Fortunately, the NFT ‘art’ space is broken. It’s stupidly centralised. There are a few marketplaces through which everything goes. OpenSea (80% market share!) can delete stuff from their service. It will remain on the blockchain, but so what? Someone would have to manually look it up. And with <20% market access it would lose a lot of value.
Why fortunately? Because this also means that OpenSea and the like can moderate content. For instance, they deleted alleged BAYC copycats before. They’re still on-chain, but checking this wasn’t a trivial task, and getting to the actual JPG wasn’t easy either.
All in all, this means that instead of a decentralised trustless system, you go through a centralised trust-based system. And even with that, it’s really hard to show that you own a particular NFT ‘artpiece’. But hey, at least it means we don’t have to worry that anything breaks, because it’s so broken already.